As I am sure you have noticed, the Get-WindowsAutoPilotInfo script and associated WindowsAutoPilotIntune module have been updated and whether you are using the official one, or my forked version, the authentication method has changed to the Microsoft.Graph SDK.
In this post we will look at the two different authentication methods and the permissions required:
This uses the Connect-MgGraph command with the following scopes:
These are required so you are covered if you also use the “-group” parameter to add devices to an Azure AD Group.
We then run this command to do a basic online enrollment
You’ll be prompted to login to your tenant:
Microsoft Graph Command Line Tools (it may be listed as Microsoft Graph PowerShell on some tenants), the application the SDK uses to run commands, needs an application set up within your Azure Active Directory with the permissions selected earlier:
We will start by looking at what happens if the box is left unticked:
If we navigate to Azure AD and click on Enterprise Applications, we can see the app in there:
Clicking on that and then Permissions, we can see that nothing has been given admin consent:
But we can see those permissions under user consent with one user added:
In here we can click the big blue button to consent permissions to everyone in the tenant:
Clicking this will prompt you to sign in with a global admin, but it only adds permission to view the current user, which is no use to us:
So what happens if we tick the box?
Now in the enterprise app the permissions are greyed out, so in theory anyone in the tenant can run the script. That’s worth testing. After logging in with a different user, all worked as expected, with no prompt to set permissions.
Connecting to WindowsAutoPilotIntune Module
When using this module, you first need to connect to Graph. Use this command (the scopes are passed as an array of strings):
Connect-MgGraph -Scopes @("Group.ReadWrite.All", "Device.ReadWrite.All", "DeviceManagementManagedDevices.ReadWrite.All", "DeviceManagementServiceConfig.ReadWrite.All", "GroupMember.ReadWrite.All")
Connecting with an App Reg
The other option for connecting is using an application registration, where an Application ID and secret are supplied to the script instead of user credentials.
Let’s start by creating a new app reg:
Within Azure AD, click App Registrations and then New registration:
Single tenant is fine, and we’ll set the redirect URI in a minute.
Make a note of the client ID and click Add Redirect URI
Click Add a platform
Select Mobile and Desktop Applications
Select the top URI
Now click API permissions
Add a permission
Select Microsoft Graph
We want to use Application Permissions so that no signed-in user is required.
Add the permissions mentioned earlier:
You will notice they have added, but do not have admin consent:
Click the Grant admin consent button
The last thing we need is a secret (think of it as the application’s password).
Navigate to certificates and secrets
Click new client secret
Make a note of the secret value; you can’t view it again afterwards, so if you lose it you will need to create a new secret.
Now to use this with the script (obviously replace 12345 with your values):
get-windowsautopilotinfo.ps1 -online -TenantID 12345 -appid 12345 -appsecret 12345
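As an added example covering both connection methods above (this is not code from the script or the WindowsAutoPilotIntune module), the following pre-flight check connects with the post’s scopes and confirms the token actually carries each one before enrollment runs. It assumes a SecretManagement vault holding the client secret under a name you choose, so the secret is never typed on the command line.

```powershell
# Added example, not part of Get-WindowsAutoPilotInfo or WindowsAutoPilotIntune.
# Pre-flight check: connect with the scopes the post lists and confirm the
# resulting context carries each one, so a missing consent fails early.
$RequiredScopes = @(
    'Group.ReadWrite.All',
    'Device.ReadWrite.All',
    'DeviceManagementManagedDevices.ReadWrite.All',
    'DeviceManagementServiceConfig.ReadWrite.All',
    'GroupMember.ReadWrite.All'
)

function Connect-AutopilotGraph {
    param(
        [string]$TenantId,
        [string]$AppId,
        # Name of the client secret in a SecretManagement vault (assumed to exist).
        # Keeps the secret out of the command line, shell history and transcripts.
        [string]$SecretName
    )
    if ($AppId) {
        # App-only connection: Connect-MgGraph takes the app id and secret as a PSCredential.
        $secret = Get-Secret -Name $SecretName            # SecureString from the vault
        $cred   = [pscredential]::new($AppId, $secret)
        Connect-MgGraph -TenantId $TenantId -ClientSecretCredential $cred -NoWelcome
    }
    else {
        # Delegated connection: the signed-in user must have consented to these scopes.
        Connect-MgGraph -Scopes $RequiredScopes -NoWelcome
    }
    return Get-MgContext
}

function Test-AutopilotScopes {
    param([Parameter(Mandatory)] $Context)
    # For a delegated token the context lists the granted scopes; report any missing.
    # For the app registration, rely on the Grant admin consent status shown above.
    $missing = $RequiredScopes | Where-Object { $Context.Scopes -notcontains $_ }
    if ($missing) {
        Write-Warning ("Missing scopes: " + ($missing -join ', '))
        return $false
    }
    return $true
}

# Delegated (user) flow, as in the post's first method:
$ctx = Connect-AutopilotGraph
if (Test-AutopilotScopes -Context $ctx) {
    # Safe to run the script now, e.g.:
    # .\get-windowsautopilotinfo.ps1 -online
}
```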
A special thanks to Kenny Renström for help with these!
- “The provided access token has expired” – Check that the system date/time is correct
- If using an app secret, make sure your redirect URIs are set correctly (the top option in Mobile and desktop applications will be sufficient) Link
- “Invoke-autopilotsync: Microsoft.Graph.Powershell.Authentication.Helpers.httpresponseException: Response status code does not indicate success: Conflict” – The sync has been run too many times; wait 10 minutes and re-run the script (I am also fixing this in the code itself)