Authenticating to new Get-WindowsAutoPilotInfo

As I am sure you have noticed, the Get-WindowsAutoPilotInfo script and associated WindowsAutoPilotIntune module have been updated and whether you are using the official one, or my forked version, the authentication method has changed to the Microsoft.Graph SDK.

In this post we will look at the two different authentication methods and the permissions required:

User Authentication

This uses the Connect-MgGraph command with the following scopes:

Group.ReadWrite.All
Device.ReadWrite.All
DeviceManagementManagedDevices.ReadWrite.All
DeviceManagementServiceConfig.ReadWrite.All
GroupMember.ReadWrite.All

These are required so you are covered if you also use the “-group” parameter to add devices to an Azure AD Group.

We then run this command to do a basic online enrollment:

get-windowsautopilotinfo.ps1 -online

You’ll be prompted to login to your tenant:

M365 Sign-In

Microsoft Graph Command Line Tools (listed as Microsoft Graph PowerShell on some tenants), which is the application the SDK signs in with to run commands, needs an enterprise application set up in your Azure Active Directory carrying the permissions selected earlier:

MS Graph Permissions Approval

We will start by looking at what happens if the box is left unticked:

If we navigate to Azure AD and click on Enterprise Applications, we can see the app in there:

Microsoft Graph Enterprise App

Clicking on that and then permissions, nothing has been given admin consent:

Admin Consent showing no permissions

But we can see those permissions under user consent with one user added:

User consent showing delegated access

In here we can click the big blue button to consent permissions to everyone in the tenant:

Grant admin consent button

Clicking this prompts you to sign in as a global admin, but it only grants permission to view the current user, which is no use to us:

Admin consent showing user.read and nothing else

So what happens if we tick the box?

Graph permissions with consent on behalf ticked

Now, in the enterprise app, the permissions are greyed out, so in theory anyone can run the script. That’s worth testing: after logging in with a different user, everything worked as expected, with no prompt to set permissions.

Connecting to WindowsAutoPilotIntune Module

When using this module you first need to connect to Graph yourself, with this command:

Connect-MgGraph -Scopes "Group.ReadWrite.All", "Device.ReadWrite.All", "DeviceManagementManagedDevices.ReadWrite.All", "DeviceManagementServiceConfig.ReadWrite.All", "GroupMember.ReadWrite.All"
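Two things are worth checking after that sign-in, and they are what the consent walkthrough above is really about: did the token actually come back with all five scopes, and was consent recorded for the whole tenant (box ticked) or only for the user who signed in (box left unticked)? The following is an added example, not code from the post or the module. It assumes the Microsoft.Graph.Authentication, Microsoft.Graph.Applications and Microsoft.Graph.Identity.SignIns modules are installed, and it requests one extra scope, Directory.Read.All, purely so the consent grants can be read; the script itself does not need it.

```powershell
# Added example: verify the delegated sign-in and inspect how consent was recorded
# for the Graph PowerShell enterprise app. Not part of the original post.

$requiredScopes = @(
    'Group.ReadWrite.All'
    'Device.ReadWrite.All'
    'DeviceManagementManagedDevices.ReadWrite.All'
    'DeviceManagementServiceConfig.ReadWrite.All'
    'GroupMember.ReadWrite.All'
)

# Scopes are passed as an array; Directory.Read.All is only for the grant check below.
Connect-MgGraph -Scopes ($requiredScopes + 'Directory.Read.All') -NoWelcome

# 1. Did the token come back with every scope? If consent was declined, or only
#    User.Read was admin-consented, the gaps show up here rather than later as a
#    Forbidden response from the script.
$context = Get-MgContext
$missing = $requiredScopes | Where-Object { $_ -notin $context.Scopes }
if ($missing) {
    throw "Signed in as $($context.Account) but these scopes were not granted: $($missing -join ', ')"
}
Write-Host "Delegated token for $($context.Account) carries all required scopes."

# 2. How was consent recorded? The enterprise app is named differently across
#    tenants (both names appear in the post), so look for either.
$graphCli = foreach ($name in 'Microsoft Graph Command Line Tools', 'Microsoft Graph PowerShell') {
    Get-MgServicePrincipal -Filter "displayName eq '$name'" -ErrorAction SilentlyContinue
}
$graphCli = $graphCli | Select-Object -First 1
if (-not $graphCli) { throw 'Graph PowerShell enterprise app was not found in this tenant.' }

# ConsentType 'AllPrincipals' = admin consent on behalf of the organisation (box ticked);
# 'Principal' = one user's own consent, with that user in PrincipalId (box left unticked).
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($graphCli.Id)'" -All
foreach ($grant in $grants) {
    $who = if ($grant.ConsentType -eq 'AllPrincipals') { 'whole tenant' } else { "user $($grant.PrincipalId)" }
    Write-Host ("{0,-13} -> {1}: {2}" -f $grant.ConsentType, $who, $grant.Scope)
}
```

Because this requests a scope the enterprise app was not previously consented for, expect the consent prompt to appear again on the first run; that is the same behaviour noted in the comments below when a permission is added to or removed from the connection.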

Connecting with an App Reg

The other option for connecting is using an application registration where an Application ID and Secret is supplied to the script to use instead of user credentials.

Let’s start by creating a new app reg:

Within Azure AD, click App Registrations and then New registration:

App Registrations Menu Item
New registration button

Single tenant is fine, and we’ll set the redirect URI in a minute

App Reg Name and Single Tenant

Make a note of the client ID and click Add Redirect URI

App Reg details with Redirect URI selected

Click Add a platform

App reg add platform button

Select Mobile and Desktop Applications

Mobile and desktop applications button

Select the top URI

Redirect URI with:
https://login.microsoftonline.com/common/oauth2/nativeclient

Now click API permissions

API Permissions menu item

Add a permission

Add API permission

Select Microsoft Graph

Microsoft Graph API Permissions

We want to use Application Permissions so no user is required

Add the permissions mentioned earlier:

Group.ReadWrite.All
Device.ReadWrite.All
DeviceManagementManagedDevices.ReadWrite.All
DeviceManagementServiceConfig.ReadWrite.All
GroupMember.ReadWrite.All

You will notice they have been added, but do not yet have admin consent:

Screenshot of API permissions showing "Not Granted for xxx" message

Click the Grant admin consent button

Grant admin consent button

The last thing we need is a secret (think of it as the app’s password)

Navigate to certificates and secrets

Certificates and secrets menu item

Click new client secret

New client secret button

Make a note of the secret value; you can’t view it again afterwards, so if you lose it you will need to create a new secret

App secret details

Now to use this with the script (obviously replace 12345 with your values):

get-windowsautopilotinfo.ps1 -online -TenantID 12345 -appid 12345 -appsecret 12345
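Before pointing the script at the app registration, it helps to prove the client-credentials sign-in works and that the five application permissions were actually admin-consented; a missed Grant admin consent click is the usual cause of the Forbidden and Insufficient privileges errors reported in the comments. The following is an added example and not part of the script or the post. It assumes Microsoft.Graph.Authentication 2.x, takes the tenant ID, client ID and secret from environment variables whose names are this example’s own choice (so the secret is neither typed on the command line nor saved in the script), and assumes the script file is in the current folder.

```powershell
# Added example: app-only sign-in with the app registration, a consent check,
# then the script call. Not part of the original post. Variable names are
# this example's choice.

$tenantId  = $env:AUTOPILOT_TENANT_ID
$clientId  = $env:AUTOPILOT_APP_ID
$secretRaw = $env:AUTOPILOT_APP_SECRET
$inputs = @{ AUTOPILOT_TENANT_ID = $tenantId; AUTOPILOT_APP_ID = $clientId; AUTOPILOT_APP_SECRET = $secretRaw }
foreach ($pair in $inputs.GetEnumerator()) {
    if ([string]::IsNullOrWhiteSpace($pair.Value)) { throw "Environment variable $($pair.Key) is not set." }
}

# Application permissions arrive in the token as roles; they must match the five
# added to the app registration and have been admin-consented.
$requiredRoles = @(
    'Group.ReadWrite.All'
    'Device.ReadWrite.All'
    'DeviceManagementManagedDevices.ReadWrite.All'
    'DeviceManagementServiceConfig.ReadWrite.All'
    'GroupMember.ReadWrite.All'
)

# Client-credentials sign-in: the secret is wrapped in a PSCredential.
$secureSecret = ConvertTo-SecureString $secretRaw -AsPlainText -Force
$credential   = [pscredential]::new($clientId, $secureSecret)
Connect-MgGraph -TenantId $tenantId -ClientSecretCredential $credential -NoWelcome

$context = Get-MgContext
if ($context.AuthType -ne 'AppOnly') {
    throw "Expected an app-only context, got '$($context.AuthType)'."
}
$missing = $requiredRoles | Where-Object { $_ -notin $context.Scopes }
if ($missing) {
    # Typical cause: permissions added to the app registration but
    # 'Grant admin consent' never clicked.
    throw "App $clientId is missing admin-consented permissions: $($missing -join ', ')"
}
Write-Host "App-only token for $clientId carries all required permissions."
Disconnect-MgGraph | Out-Null

# Hand the same values to the script; it performs its own Connect-MgGraph.
& .\get-windowsautopilotinfo.ps1 -online -TenantID $tenantId -appid $clientId -appsecret $secretRaw
```

The script’s -appsecret parameter still receives the plain secret, so this does not remove the secret from the machine running the enrollment; it only keeps it out of command history and out of the script file that gets copied around.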

Troubleshooting

A special thanks to Kenny Renström for help with these!

  • “The provided access token has expired” – Check the system date/time are correct
  • If using an app secret, make sure your redirect URIs are set correctly (the top option under Mobile and desktop applications is sufficient)
  • “Invoke-autopilotsync: Microsoft.Graph.Powershell.Authentication.Helpers.httpresponseException: Response status code does not indicate success: Conflict” – The sync has been run too many times, wait 10 minutes and re-run the script (I am also fixing this in the code itself)
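For the Conflict case, the fix is simply to wait and try again, which is easy to wrap so an unattended run does not fall over on it. The function below is an added example, not code from the post or the WindowsAutoPilotIntune module; it assumes that module is installed and a Graph connection already exists, and the 10-minute wait is the figure the troubleshooting note above recommends.

```powershell
# Added example: retry Invoke-AutopilotSync when Graph answers Conflict because a
# sync ran too recently. Not part of the original post or module.

function Invoke-AutopilotSyncWithRetry {
    param(
        [int]$MaxAttempts = 3,
        [int]$WaitSeconds = 600   # 10 minutes between attempts, per the troubleshooting note
    )
    # Make the module's errors terminating so the catch block sees them.
    $ErrorActionPreference = 'Stop'

    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try {
            Invoke-AutopilotSync
            Write-Host "Autopilot sync requested (attempt $attempt)."
            return $true
        }
        catch {
            # Only Conflict is worth retrying; Forbidden, expired tokens and the
            # like are configuration problems and are rethrown unchanged.
            if ($_.Exception.Message -notmatch 'Conflict') { throw }
            if ($attempt -eq $MaxAttempts) {
                Write-Warning "Sync still reports Conflict after $MaxAttempts attempts; giving up."
                return $false
            }
            Write-Warning "Sync reported Conflict (ran too recently); waiting $WaitSeconds seconds before attempt $($attempt + 1)."
            Start-Sleep -Seconds $WaitSeconds
        }
    }
}

Invoke-AutopilotSyncWithRetry
```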

32 thoughts on “Authenticating to new Get-WindowsAutoPilotInfo”

  1. Hi,

    At the first step “We will start by looking at what happens if the box is left unticked:
    If we navigate to Azure AD and click on Enterprise Applications, we can see the app in there”
    I don’t have the “Microsoft Graph Command Line Tools” entry available within Enterprise apps. I’ve only the “Microsoft Graph Powershell” and “Graph Explorer” available.
    What am I doing wrong?

    • It may be the Graph PowerShell one you need, I think it has been recently renamed. My new tenant is “Command Line Tools” but my old one is “Graph PowerShell”.

      I’ll update the post 🙂

  2. I was in a world of pain. Could not figure out why the prompted logon failed. All I could see was this diamond logo and that I did not have sufficient credentials. Now everything works again. Thanks to this informative, spot-on advice post. Thanks for sharing.

  3. Unfortunately when I use the get-windowsautopilotinfo -Online -TenantId xxxxxxx -AppId xxxxxx -AppSecret xxxxxx I get an error that it is not possible to convert System.String to System.Security.String. Maybe there is some error in the module when connecting to GraphApp

  4. Should I use the Get-WindowsAutopilotInfoCommunity.ps1 latest version or version 1.0? I’m asking because I installed the Install-Module -Name WindowsAutopilotIntuneCommunity today, but when I tried to run the get-windowsautopilotcommunity -Online -TenantID xxxxxx -AppID yyyyy -Appsecret wwwww I’m facing an error like this:
    Connect-ToGraph: cannot find a parameter that matches the name TenantID

    Thank you for your support

  5. A…..Maze…..Ing!

    I’ve been struggling with using credential auth; why bother, just use your app-based method, and it’s even less for the guys on the ground to have to enter into the PC!

    You Rock!

  6. I certainly will! We have a good 1000+ devices to join this coming summer break so will be hammering AutoPilot daily! I’ve built your suggestion into a Powershell script to completely automate the process with minimal touch from our guys on the ground. If you’d like a copy let me know also.

  7. Hi Andrew,

    Thank you for this post.

    Setting up App Reg worked for me but still having issues with User Auth.

    I keep getting the following error:

    Add-AutopilotImportedDevice: Microsoft.Graph.PowerShell.Authentication.Helpers.HttpsResponseException: Response Status codes does not indicate success: Forbidden (Forbidden)

    GA role works, but want to give a role that is not GA and having trouble figuring that out.

  8. This works perfectly, thanks. Was going a bit crazy there for a while wondering why my original script wasn’t working, but this online is so much easier. Thanks Andrew.

  9. Thanks for the great tutorial.

    I have an issue though. When I run the script, the device gets Azure AD joined, but not intune joined. I do it through the OOBE though. Do you happen to know why that is?

    Thank you so much!

  10. No, I don’t get the login screen. The device shows in AAD portal as AAD joined and has the AutoPilot logo. The hostname is wrong and it’s the device SN as the hostname.
    When I run dsregcmd /status it doesn’t show it being AAD joined.

  11. Hi Andrew,

    I have a question you may be able to answer. Around 4 months ago, we provided admin consent for the user auth for the entire tenant to MS Graph Command line tools. It has just re-requested the auth again; would you know why it’s asking to re-authenticate? As the IT admins that are enrolling the devices do not have GA, they have to request us to grant admin consent again.

    • Hi,
      Have you changed any permissions in the graph connection? Adding or removing a permission will prompt a full re-authentication.
      It might be worth checking your Enterprise apps within Entra as well in case it has created a new one

  12. Hi, Andrew

    When running the script, I’m getting an error when running with the “-group” parameter. “New-MgGroupMember : Insufficient privileges to complete the operation.” The device does enroll in autopilot and shows in AAD and is assigned to the right group. I have granted the permissions you have listed above to the app registration. Is there something I’m missing?

    Thanks

  13. Hi Andrew,

    All is working with the script and we are able to add devices to an online environment. But with setting the permissions needed for the app registration to work we are also able to delete devices with that app registration. So if someone comes along, looks at the script and figures out how to login to Microsoft Graph using the app credentials they are able to delete stuff. Is there a way to deny the delete permissions and to only add to the environment?

    • Hi,
      As it’s a read/write all permission you can’t be any more specific with it unfortunately. Your only other option would be to use an automation with a web hook so they can’t access the script at all, but that would take a fair bit more coding.

  14. Quick question related to the module.

    I’m using version 5.6 and connect via app reg.

    I get the following error when using Set-AutopilotDevice :

    Response status code does not indicate success: NotFound (Not Found)

    App reg has the permissions mentioned in this article.

    Get-AutopilotDevice works fine.

    Any idea?

      • I found the problem and will work on an appropriate solution.

        Basically, my script creates a user in Entra and eventually assigns a device to said user, but he is not yet visible to Autopilot (?) so this is why Set-AutopilotDevice fails.

        Not sure if forcing a sync between Intune and Autopilot would work, but I’ll try a few different things.
