As I am sure you have noticed, the Get-WindowsAutoPilotInfo script and the associated WindowsAutoPilotIntune module have been updated, and whether you are using the official one or my forked version, the authentication method has changed to the Microsoft Graph PowerShell SDK (the Microsoft.Graph modules).
In this post we will look at the two different authentication methods and the permissions required:
User Authentication
This uses the Connect-MgGraph command with the following scopes:
Group.ReadWrite.All
Device.ReadWrite.All
DeviceManagementManagedDevices.ReadWrite.All
DeviceManagementServiceConfig.ReadWrite.All
GroupMember.ReadWrite.All
The Device and DeviceManagement scopes are what the import itself needs; the Group and GroupMember scopes are only used if you also pass the “-group” parameter to add devices to an Azure AD group, but requesting all five up front means one consent covers both cases.
We then run this command to do a basic online enrollment
get-windowsautopilotinfo.ps1 -online
You’ll be prompted to login to your tenant:

The Microsoft Graph Command Line Tools application (listed as Microsoft Graph PowerShell on some tenants), which the SDK uses to run commands, needs to be set up as an enterprise application within your Azure Active Directory with the permissions selected earlier, so you will be asked to consent to them:

We will start by looking at what happens if the “Consent on behalf of your organization” box is left unticked:
If we navigate to Azure AD and click on Enterprise Applications, we can see the app in there:

Clicking on that and then Permissions, we can see that nothing has been given admin consent:

But we can see those permissions under user consent with one user added:

In here we can click the big blue button to consent permissions to everyone in the tenant:

Clicking this will prompt you to sign in with a global admin, but it only grants permission to view the current user’s profile, which is no use to us:

So what happens if we tick the box?

Now in the enterprise app the permissions are greyed out, because consent has been granted for the whole tenant rather than for one user, so in theory anyone can run the script. That’s worth testing. After logging in with a different user, all worked as expected, with no prompt to consent to permissions. One caveat: tenant-wide consent removes the prompt, but delegated permissions are still bounded by what the signed-in user is allowed to do in the directory. A user without a role that can manage Intune devices will get past the sign-in and then see Forbidden from Graph, so the script still has to be run by an appropriately privileged account.
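As an added check that is not part of the original post: the consent state you see in the portal screenshots above can also be read with the Graph SDK itself, which makes it easy to confirm whether the box was ticked (a tenant-wide grant) and whether that grant actually covers all five scopes. It assumes the Microsoft.Graph.Applications and Microsoft.Graph.Identity.SignIns modules are installed and that the account used can read the directory (Directory.Read.All is requested for that reason); the two display names are the ones discussed in the comments, and the Microsoft Graph appId is the well-known one.

```powershell
# Added example, not from the original post: report how the Graph SDK's
# enterprise app has been consented in this tenant and which required
# delegated scopes (if any) are missing from each grant.
# Assumes: Microsoft.Graph.Authentication, Microsoft.Graph.Applications and
# Microsoft.Graph.Identity.SignIns (2.x), and an account able to read the directory.

$RequiredScopes = @(
    'Group.ReadWrite.All'
    'Device.ReadWrite.All'
    'DeviceManagementManagedDevices.ReadWrite.All'
    'DeviceManagementServiceConfig.ReadWrite.All'
    'GroupMember.ReadWrite.All'
)

Connect-MgGraph -Scopes 'Directory.Read.All' -NoWelcome

# The SDK's enterprise app is "Microsoft Graph Command Line Tools" in newer tenants
# and "Microsoft Graph PowerShell" in older ones, so try both names.
$client = $null
foreach ($name in 'Microsoft Graph Command Line Tools', 'Microsoft Graph PowerShell') {
    $client = Get-MgServicePrincipal -Filter "displayName eq '$name'" | Select-Object -First 1
    if ($client) { break }
}
if (-not $client) {
    throw 'Graph SDK enterprise app not found: nobody has signed in to the SDK in this tenant yet.'
}

# Microsoft Graph is the resource the scopes are granted on.
# 00000003-0000-0000-c000-000000000000 is the well-known appId of Microsoft Graph.
$graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Delegated consent is stored as oauth2PermissionGrant objects on the client app.
# consentType 'AllPrincipals' is what ticking "Consent on behalf of your organization"
# (or Grant admin consent) produces; 'Principal' is one user's own consent.
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($client.Id)'" -All |
    Where-Object { $_.ResourceId -eq $graph.Id }

if (-not $grants) {
    Write-Warning "No delegated consent for Microsoft Graph recorded on '$($client.DisplayName)'."
}

foreach ($grant in $grants) {
    # Scope is a single space-separated string of the consented permissions
    $granted = $grant.Scope -split ' ' | Where-Object { $_ }
    $missing = $RequiredScopes | Where-Object { $_ -notin $granted }
    $who = if ($grant.ConsentType -eq 'AllPrincipals') { 'whole tenant' } else { "user $($grant.PrincipalId)" }

    Write-Host ('{0,-13} {1}' -f $grant.ConsentType, $who)
    if ($missing) { Write-Host "   missing: $($missing -join ', ')" }
    else          { Write-Host '   all five scopes the script needs are granted' }
}
```

If the only grant listed is of type Principal, you are in the unticked-box situation from the screenshots: every other user will still be prompted, and an admin will need to grant consent for the organization. An AllPrincipals grant that is missing scopes usually means consent was given to an older set of permissions than the current script requests.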
Connecting to WindowsAutoPilotIntune Module
When using this module, you first need to connect to Graph, use this command:
Connect-MgGraph -Scopes "Group.ReadWrite.All","Device.ReadWrite.All","DeviceManagementManagedDevices.ReadWrite.All","DeviceManagementServiceConfig.ReadWrite.All","GroupMember.ReadWrite.All"
Note that -Scopes takes an array of strings, so each scope is passed as its own quoted string rather than one comma-separated string.
Connecting with an App Reg
The other option for connecting is an application registration, where an Application (client) ID and a client secret are supplied to the script instead of user credentials, so nobody has to sign in on the device.
Let’s start by creating a new app reg:
Within Azure AD, click App Registrations and then New registration:


Single tenant is fine, and we’ll set the redirect URI in a minute.

Make a note of the client ID and click Add Redirect URI

Click Add a platform

Select Mobile and Desktop Applications

Select the top URI

Now click API permissions

Add a permission

Select Microsoft Graph

We want to use Application Permissions so no user is required
Add the permissions mentioned earlier:
Group.ReadWrite.All
Device.ReadWrite.All
DeviceManagementManagedDevices.ReadWrite.All
DeviceManagementServiceConfig.ReadWrite.All
GroupMember.ReadWrite.All
You will notice they have been added but do not yet have admin consent:

Click the Grant admin consent button

Now the last thing is we need a secret (think of it as the password)
Navigate to certificates and secrets

Click new client secret

Make a note of the secret value now: it is only shown once, and if you lose it you will have to create a new secret. Treat it like a password, because anyone holding it can use these Application permissions across the tenant without any user signing in.

Now to use this with the script (obviously replace 12345 with your values):
get-windowsautopilotinfo.ps1 -online -TenantID 12345 -appid 12345 -appsecret 12345
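The following is an added example, not code from this post or from the Get-WindowsAutoPilotInfo script: a pre-flight connection helper that covers both the user sign-in described under User Authentication and the app registration set up above, and refuses to continue until the Graph session actually has what the script needs. It assumes Microsoft.Graph.Authentication 2.x (where Connect-MgGraph has -ClientSecretCredential); the Connect-AutopilotGraph function and its parameter names are hypothetical and merely mirror the script’s.

```powershell
# Added example, not part of the original post or script: connect in either mode,
# then validate the session before handing over to Get-WindowsAutoPilotInfo.
# Assumes Microsoft.Graph.Authentication 2.x. Connect-AutopilotGraph is a
# hypothetical helper; its parameter names mirror the script's for familiarity.

$RequiredScopes = @(
    'Group.ReadWrite.All'
    'Device.ReadWrite.All'
    'DeviceManagementManagedDevices.ReadWrite.All'
    'DeviceManagementServiceConfig.ReadWrite.All'
    'GroupMember.ReadWrite.All'
)

function Connect-AutopilotGraph {
    [CmdletBinding()]
    param(
        [string]$TenantId,
        [string]$AppId,
        # Taken as a SecureString so the secret is never a plain-text argument that
        # lands in transcripts, PSReadLine history or a scheduled-task definition.
        [securestring]$AppSecret
    )

    $connect = @{ NoWelcome = $true }
    if ($TenantId) { $connect.TenantId = $TenantId }

    if ($AppId) {
        if (-not $AppSecret) { throw '-AppSecret is required when -AppId is given.' }
        # App-only: the client ID is the "user name", the secret is the password.
        $connect.ClientSecretCredential = [pscredential]::new($AppId, $AppSecret)
    } else {
        # Delegated: request exactly the scopes the script will use.
        $connect.Scopes = $RequiredScopes
    }
    Connect-MgGraph @connect

    $ctx = Get-MgContext
    if (-not $ctx) { throw 'Connect-MgGraph did not establish a session.' }

    switch ("$($ctx.AuthType)") {
        'AppOnly' {
            # Application permissions live on the app registration; the only
            # thing to confirm here is that we landed in the intended tenant.
            if ($TenantId -and $ctx.TenantId -ne $TenantId) {
                throw "Connected to tenant $($ctx.TenantId), expected $TenantId."
            }
        }
        'Delegated' {
            # A scope that consent does not cover surfaces later as "Forbidden"
            # from Add-AutopilotImportedDevice, so fail early with a clear message.
            # If every scope is present and Graph still says Forbidden, the limit
            # is the signed-in user's directory role, not the consent.
            $missing = $RequiredScopes | Where-Object { $_ -notin $ctx.Scopes }
            if ($missing) {
                throw "Signed in as $($ctx.Account) but these scopes were not granted: $($missing -join ', ')"
            }
        }
    }
    return $ctx
}

# Usage (delegated):
#   Connect-AutopilotGraph
# Usage (app-only), entering the secret at a prompt instead of on the command line:
#   $secret = Read-Host -Prompt 'Client secret' -AsSecureString
#   Connect-AutopilotGraph -TenantId '<tenant id>' -AppId '<client id>' -AppSecret $secret
```

This is the pattern to build into your own wrapper around the script (as one commenter below describes doing): the script itself still takes the secret through its own parameters, but keeping it out of plain-text command lines and checking AuthType, TenantId and Scopes before the import starts turns a vague Forbidden halfway through enrollment into an immediate, explicit failure.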
Hi,
At the first step “We will start by looking at what happens if the box is left unticked:
If we navigate to Azure AD and click on Enterprise Applications, we can see the app in there”
I don’t have the “Microsoft Graph Command Line Tools” entry available within Enterprise apps. I’ve only got “Microsoft Graph PowerShell” and “Graph Explorer” available.
What am I doing wrong?
Are you running with permissions to create the application in your tenant?
Yes, GA account.
It may be the Graph PowerShell one you need, I think it has been recently renamed. My new tenant is “Command Line Tools” but my old one is “Graph PowerShell”.
I’ll update the post 🙂
That might be it, great! 🙂
I was in a world of pain. Could not figure out why the prompted logon failed. All I could see was this diamond logo and that I did not have sufficient credentials. Now everything works again. Thanks to this informative, spot-on advice post. Thanks for sharing.
Unfortunately when I use get-windowsautopilotinfo -Online -TenantId xxxxxxx -AppId xxxxxx -AppSecret xxxxxx I get an error that it is not possible to convert System.String to System.Security.String. Maybe there is some error in the module when connecting to the Graph app.
Are you using the community one? Get-WindowsAutopilotInfoCommunity.ps1
Should I use the Get-WindowsAutopilotInfoCommunity.ps1 latest version or version 1.0? I’m asking because I ran Install-Module -Name WindowsAutopilotIntuneCommunity today, but when I tried to run get-windowsautopilotcommunity -Online -TenantID xxxxxx -AppID yyyyy -Appsecret wwwww I got an error like this:
Connect-ToGraph: cannot find a parameter that matches the name TenantID
Thank you for your support
Grab the latest community version, 3.1. That fixes the issue.
The official one will fail with the 2.0 graph modules
A…..Maze…..Ing!
I’ve been struggling with using credential auth; why bother, just use your app-based method, and it’s even less for the guys on the ground to have to enter into the PC!
You Rock!
Glad you have found it useful 🙂
If there are any improvements you think would be useful to the script, please let me know!
I certainly will! We have a good 1000+ devices to join this coming summer break, so we will be hammering AutoPilot daily! I’ve built your suggestion into a PowerShell script to completely automate the process with minimal touch from our guys on the ground. If you’d like a copy, let me know.
Hi Andrew,
Thank you for this post.
Setting up App Reg work for me but still having issues with User Auth.
I keep getting the following error:
Add-AutopilotImportedDevice: Microsoft.Graph.PowerShell.Authentication.Helpers.HttpsResponseException: Response Status codes does not indicate success: Forbidden (Forbidden)
The GA role works, but I want to give a role that is not GA and am having trouble figuring that out.
Hi,
When you approved the original connection, did you tick the box to allow across the tenant? It should create an enterprise application with the required permissions
This works perfectly, thanks. I was going a bit crazy there for a while wondering why my original script wasn’t working, but this online method is so much easier. Thanks Andrew.
Glad it’s working well 🙂
Thanks for the great tutorial.
I have an issue though. When I run the script, the device gets Azure AD joined, but not intune joined. I do it through the OOBE though. Do you happen to know why that is?
Thank you so much!
Hi,
Do you get the OOBE Autopilot login screen? Do you have your Autopilot profile and ESP assigned correctly?
It’s also worth checking your MDM scope is set correctly in Entra
No, I don’t get the login screen. The device shows in AAD portal as AAD joined and has the AutoPilot logo. The hostname is wrong and it’s the device SN as the hostname.
When I run dsregcmd /status it doesn’t show it being AAD joined.
Also, when the device was added to the AAD portal, it was shown as disabled.
It sounds like either the Autopilot profile or the ESP page (or both) haven’t been assigned to that device. How do you have them both configured for assignment?