[IntuneDeviceEnrollmentPlatformRestriction] Tenant is not Global Admin or Intune Service Admin. Operation is restricted. #5127

Open
JelleBroekhuijsen opened this issue Oct 2, 2024 · 15 comments · May be fixed by #5850

Comments

@JelleBroekhuijsen

JelleBroekhuijsen commented Oct 2, 2024

Description of the issue

When trying to deploy an IntuneDeviceEnrollmentPlatformRestriction, I am getting an error:

VERBOSE: [SANDBOXHOST-638]: [[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices] Found Intune Device Enrollment Platform Restriction with Name {All users and all devices}
VERBOSE: [SANDBOXHOST-638]: [[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices] Updating the Intune Device Enrollment Platform Restriction with DisplayName {All users and all devices}
[Forbidden] : {
  "_version": 3,
  "Message": "Tenant is not Global Admin or Intune Service Admin. Operation is restricted. - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 053eafd6-f83d-4157-a473-061e797122d6 - Url: https://fef.amsub0502.manage.microsoft.com/StatelessOnboardingService/deviceManagement/deviceEnrollmentConfigurations('9e5f2b2a-8736-4031-81f5-06652e4b2c84_DefaultPlatformRestrictions')?api-version=5023-03-29",
  "CustomApiErrorPhrase": "",
  "RetryAfter": null,
  "ErrorSourceService": "",
  "HttpHeaders": "{}"
}
    + CategoryInfo          : InvalidOperation: ({ DeviceEnrollm...Configuration }:) [], CimException
    + FullyQualifiedErrorId : Forbidden,Microsoft.Graph.Beta.PowerShell.Cmdlets.UpdateMgBetaDeviceManagementDeviceEnrollmentConfiguration_Update
    + PSComputerName        : localhost

VERBOSE: [SANDBOXHOST-638]: LCM:  [ End    Set      ]

The enterprise application used has the required permissions:

  • DeviceManagementConfiguration.ReadWrite.All (both application and delegated)
  • DeviceManagementServiceConfig.ReadWrite.All (both application and delegated)

The app is also assigned global admin in the tenant.

Export of the resource using the same app works fine, deploying other resource types also works fine.

Microsoft 365 DSC Version

1.24.904.1

Which workloads are affected

Intune

The DSC configuration

param (
    [Parameter(Mandatory)]
    [psobject]$ConfigurationData
)

Configuration DevicePlatformRestriction_BlockPersonalDevices
{
    $OrganizationName = $ConfigurationData.NonNodeData.OrganizationName

    Import-DscResource -ModuleName 'Microsoft365DSC' -ModuleVersion '1.24.904.1'

    Node localhost
    {
        IntuneDeviceEnrollmentPlatformRestriction "IntuneDeviceEnrollmentPlatformRestriction-All users and all devices"
        {
            Description                       = "This is the default Device Type Restriction applied with the lowest priority to all users regardless of group membership.";
            DeviceEnrollmentConfigurationType = "platformRestrictions";
            DisplayName                       = "All users and all devices";
            Identity                          = "PLACEHOLDER";
            Priority                          = 0;
            Assignments                       = @(
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    groupDisplayName = 'All devices'
                    dataType = '#microsoft.graph.allDevicesAssignmentTarget'
                }
            );
            AndroidForWorkRestriction         = MSFT_DeviceEnrollmentPlatformRestriction{
                platformBlocked = $True
                personalDeviceEnrollmentBlocked = $True
            };
            AndroidRestriction                = MSFT_DeviceEnrollmentPlatformRestriction{
                platformBlocked = $True
                personalDeviceEnrollmentBlocked = $True
            };
            IosRestriction                    = MSFT_DeviceEnrollmentPlatformRestriction{
                platformBlocked = $True
                personalDeviceEnrollmentBlocked = $True
            };
            MacOSRestriction                  = MSFT_DeviceEnrollmentPlatformRestriction{
                platformBlocked = $True
                personalDeviceEnrollmentBlocked = $True
            };
            MacRestriction                    = MSFT_DeviceEnrollmentPlatformRestriction{
                platformBlocked = $True
                personalDeviceEnrollmentBlocked = $True
            };
            WindowsHomeSkuRestriction         = MSFT_DeviceEnrollmentPlatformRestriction{
                platformBlocked = $True
                personalDeviceEnrollmentBlocked = $True
            };
            WindowsRestriction                = MSFT_DeviceEnrollmentPlatformRestriction{
                platformBlocked = $False
                osMinimumVersion = '10.0.19044.4894'
                personalDeviceEnrollmentBlocked = $False
            };
            Ensure                            = "Present";
            TenantId                          = $OrganizationName;
            ApplicationId                     = $ConfigurationData.NonNodeData.ApplicationId;
            CertificateThumbprint             = $ConfigurationData.NonNodeData.CertificateThumbprint;
        }
    }
}

DevicePlatformRestriction_BlockPersonalDevices -ConfigurationData $ConfigurationData

Verbose logs showing the problem

Applying configuration: 'C:\azp\agent\_work\1\s\tenantmanagement\Blueprints\DevicePlatformRestriction_BlockPersonalDevices'
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer SANDBOXHOST-638 with user sid S-1-5-93-2-1.
VERBOSE: [SANDBOXHOST-638]: LCM:  [ Start  Set      ]
VERBOSE: [SANDBOXHOST-638]: LCM:  [ Start  Resource ]  [[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices]
VERBOSE: [SANDBOXHOST-638]: LCM:  [ Start  Test     ]  [[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices]
VERBOSE: [SANDBOXHOST-638]: [[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices] Testing configuration of the Intune Device Enrollment Platform Restriction with Id {PLACEHOLDER} and DisplayName {All users and all devices}
VERBOSE: [SANDBOXHOST-638]: [[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices] Checking for the Intune Device Enrollment Restriction {All users and all devices}
VERBOSE: [SANDBOXHOST-638]: [[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices] Could not find an Intune Device Enrollment Platform Restriction with Id {PLACEHOLDER}
VERBOSE: [SANDBOXHOST-638]: [[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices] Found Intune Device Enrollment Platform Restriction with Name {All users and all devices}
VERBOSE: [SANDBOXHOST-638]: [[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices] Current Values: AccessTokens=$null
AndroidForWorkRestriction={personalDeviceEnrollmentBlocked=False
platformBlocked=False}
AndroidRestriction={personalDeviceEnrollmentBlocked=False
platformBlocked=False}
ApplicationId=***
ApplicationSecret=$null
Assignments=({dataType=#microsoft.graph.allDevicesAssignmentTarget
deviceAndAppManagementAssignmentFilterType=none
groupDisplayName=All devices})
CertificateThumbprint=***
VERBOSE: [SANDBOXHOST-638]: LCM:  [ End    Test     ]  [[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices]  in 76.4710 seconds.
VERBOSE: [SANDBOXHOST-638]: LCM:  [ Start  Set      ]  [[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices]
VERBOSE: [SANDBOXHOST-638]: [[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices] Checking for the Intune Device Enrollment Restriction {All users and all devices}
VERBOSE: [SANDBOXHOST-638]: [[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices] Could not find an Intune Device Enrollment Platform Restriction with Id {PLACEHOLDER}
VERBOSE: [SANDBOXHOST-638]: [[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices] Found Intune Device Enrollment Platform Restriction with Name {All users and all devices}
VERBOSE: [SANDBOXHOST-638]: [[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices] Updating the Intune Device Enrollment Platform Restriction with DisplayName {All users and all devices}
[Forbidden] : {
  "_version": 3,
  "Message": "Tenant is not Global Admin or Intune Service Admin. Operation is restricted. - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 93ce62f4-cd16-4851-9f7c-5ac976217f7c - Url: https://fef.amsub0502.manage.microsoft.com/StatelessOnboardingService/deviceManagement/deviceEnrollmentConfigurations('9e5f2b2a-8736-4031-81f5-06652e4b2c84_DefaultPlatformRestrictions')?api-version=5023-03-29",
  "CustomApiErrorPhrase": "",
  "RetryAfter": null,
  "ErrorSourceService": "",
  "HttpHeaders": "{}"
}
    + CategoryInfo          : InvalidOperation: ({ DeviceEnrollm...Configuration }:) [], CimException
    + FullyQualifiedErrorId : Forbidden,Microsoft.Graph.Beta.PowerShell.Cmdlets.UpdateMgBetaDeviceManagementDeviceEnrollmentConfiguration_Update
    + PSComputerName        : localhost

VERBOSE: [SANDBOXHOST-638]: LCM:  [ End    Set      ]  [[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices]  in 2.2570 seconds.
The PowerShell DSC resource '[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices' with SourceInfo 'C:\azp\agent\_work\1\s\tenantmanagement\Blueprints\DevicePlatformRestriction_BlockPersonalDevices.ps1::14::9::IntuneDeviceEnrollmentPlatformRestriction' threw one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName        : localhost

VERBOSE: [SANDBOXHOST-638]: LCM:  [ End    Set      ]
The SendConfigurationApply function did not succeed.
    + CategoryInfo          : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 1
    + PSComputerName        : localhost

VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 82.695 seconds

Environment Information + PowerShell Version

OsName               : Microsoft Windows Server 2022 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 20348.859.amd64fre.fe_release_svc_prod2.220707-1832
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

PSVersion                 : 5.1.20348.2652
PSEdition                 : Desktop
PSCompatibleVersions      : {1.0, 2.0, 3.0, 4.0...}
BuildVersion              : 10.0.20348.2652
CLRVersion                : 4.0.30319.42000
WSManStackVersion         : 3.0
PSRemotingProtocolVersion : 2.3
SerializationVersion      : 1.1.0.1

@ricmestre
Contributor

I never reported it but I'm also having this issue

@FabienTschanz
Collaborator

I opened a Microsoft case from my test tenant: Update-MgBetaDeviceManagementDeviceEnrollmentConfiguration does not work (#2410031420002336).

@FabienTschanz
Collaborator

Well, my ticket was closed because it would be "root cause analysis" and not "break fix". Guess I'll have to open one with the unified support then... Will keep you updated.

@FabienTschanz
Collaborator

Got confirmation from the unified support that there is a restriction in place that only allows updating the configuration from within the Intune portal and not via PowerShell. The product group is aware of it and will be addressing it, but no ETA was given to me.

@srozemuller

Any news on this? Not using the DSC module but it is a Graph API limit. Sending a request to Graph directly results in the same issue.


@FabienTschanz
Collaborator

@srozemuller Unfortunately nothing new. We'll have to wait.

@CovidtheDog2024

Got confirmation from the unified support that there is a restriction in place that only allows updating the configuration from within the Intune portal and not via PowerShell. The product group is aware of it and will be addressing it, but no ETA was given to me.

Hi @FabienTschanz,
Would you happen to know when the restriction was implemented?

Thank you!

@FabienTschanz
Collaborator

@CovidtheDog2024 I don't know, but my guess would be something in the region of spring 2024. Back in about December 2023, I implemented a full refactor of the resource and during that time, it worked without issues. Sometime later, it started to fail.

@srozemuller

I spoke with the MSFT product team and can say this is by design.

See: https://learn.microsoft.com/en-us/mem/intune/fundamentals/whats-new#device-enrollment-9

@FabienTschanz
Collaborator

@srozemuller Thanks for the link; it explains when and how the functionality is supposed to work, but it doesn't help since this broke all access via the Graph API. Are you saying that there is no way this will ever work again? If yes, then we most likely have to remove the resource because it's not possible to apply the state correctly, which would be very sad 😢

@srozemuller

Trying not to tell too much because of the NDA, but in fact the ability to write and update will not come back. It has something to do with RBAC philosophy and the impact of the setting.

GET requests still work and could be used to generate backups, for example.

I suggested some ideas to the team on how to make it work in some way. I'm not using DSC but developing automation solutions where this topic is needed as well.

@CovidtheDog2024

I tested using a user account with the Intune Administrator role, and it was successful without any errors. However, when using a Service Principal, I encountered an error. I have assigned the Service Principal the roles of Intune Administrator and Global Administrator, and ensured that the necessary API permissions are in place, but it is still failing.

@FabienTschanz
Collaborator

@CovidtheDog2024 This is because there is a check in place that prohibits changes to the enrollment restrictions if the calling party is not coming from the Intune portal. I got that verified with the unified support. That's why service principals are failing but interactive users are working (because users come from the Intune portal, and the service principal is via Graph API directly).

@FabienTschanz
Collaborator

FabienTschanz commented Jan 16, 2025

@NikCharlebois @ykuijs @ricmestre How would you like to proceed with this issue? As @srozemuller stated, the product group won't be changing it (for the foreseeable future at least), so changes to the enrollment restrictions cannot be remediated to the state they should be in. Do we still want to include it for the export and get, but output a warning and do nothing in the set method? And what should test return if there is a diff?

@srozemuller

I tested using a user account with the Intune Administrator role, and it was successful without any errors. However, when using a Service Principal, I encountered an error. I have assigned the Service Principal the roles of Intune Administrator and Global Administrator, and ensured that the necessary API permissions are in place, but it is still failing.

That is by design and exactly how it should work.
Using a service principal or managed identity won't work since it does not use on-behalf-of authentication itself. So when adding roles, it is still using the application Graph permissions instead of delegated ones.
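As an added illustration of the two points raised above (the maintainer's question of what Set and Test should do when the endpoint refuses writes, and the observation that app-only sessions are the ones being rejected), here is one way a resource could behave. This is example code written for this thread, not Microsoft365DSC's resource and not anything a commenter posted. The function names, the `$Desired`/`$Current` hashtable shapes and the sample configuration id are assumptions; the cmdlets used are `Get-MgContext` and the `Update-MgBetaDeviceManagementDeviceEnrollmentConfiguration` call that appears in the issue log, and the error id and message matched in the catch block are the ones from that log.

```powershell
# Added example, not Microsoft365DSC code. Function names, hashtable shapes and the sample id are assumptions.
# Requires the Microsoft.Graph.Authentication and Microsoft.Graph.Beta.DeviceManagement.Enrollment modules
# and an existing Connect-MgGraph session.

function Test-EnrollmentRestrictionWritable {
    # Returns $true only for a delegated (interactive user) Graph session. The thread reports that
    # app-only sessions (service principal or managed identity) get a 403 from this endpoint no matter
    # which directory roles or application permissions the app holds, so refuse early and say why.
    $context = Get-MgContext
    if ($null -eq $context) {
        Write-Warning 'No Graph session found; run Connect-MgGraph first.'
        return $false
    }
    if ($context.AuthType -eq 'AppOnly') {
        Write-Warning ("Graph session for app '$($context.ClientId)' is app-only. Device enrollment platform " +
            'restrictions can only be changed from the Intune portal, so the update will be skipped.')
        return $false
    }
    return $true
}

function Test-EnrollmentRestrictionState {
    # Test side: compare desired per-platform settings with what Get returned and log each difference.
    # Design choice: return $false on drift even though Set cannot remediate it, so the drift remains
    # visible in compliance reports instead of being silently reported as compliant.
    param(
        [Parameter(Mandatory)] [hashtable] $Desired,
        [Parameter(Mandatory)] [hashtable] $Current
    )
    $inDesiredState = $true
    foreach ($platform in $Desired.Keys) {
        foreach ($setting in $Desired[$platform].Keys) {
            $want = $Desired[$platform][$setting]
            $have = if ($Current.ContainsKey($platform)) { $Current[$platform][$setting] } else { $null }
            if ("$want" -ne "$have") {
                Write-Verbose "Drift: $platform.$setting desired=$want current=$have"
                $inDesiredState = $false
            }
        }
    }
    return $inDesiredState
}

function Set-EnrollmentRestrictionSafely {
    # Set side: attempt the PATCH and turn the documented 403 into a warning. Any other error is
    # rethrown so genuine failures (wrong id, expired token, throttling) are not hidden.
    param(
        [Parameter(Mandatory)] [string] $ConfigurationId,
        [Parameter(Mandatory)] [hashtable] $Body
    )
    if (-not (Test-EnrollmentRestrictionWritable)) { return $false }
    try {
        Update-MgBetaDeviceManagementDeviceEnrollmentConfiguration `
            -DeviceEnrollmentConfigurationId $ConfigurationId `
            -BodyParameter $Body -ErrorAction Stop
        return $true
    }
    catch {
        # The issue log shows FullyQualifiedErrorId 'Forbidden,...UpdateMgBetaDeviceManagementDeviceEnrollmentConfiguration_Update'
        # with the message 'Tenant is not Global Admin or Intune Service Admin. Operation is restricted.'
        if ($_.FullyQualifiedErrorId -like 'Forbidden,*' -and
            $_.Exception.Message -match 'Tenant is not Global Admin or Intune Service Admin') {
            Write-Warning "Graph rejected the update of '$ConfigurationId' (403): this policy can only be changed in the Intune portal. Leaving the current value in place."
            return $false
        }
        throw
    }
}

# Usage sketch with constructed values. The id format mirrors the URL in the issue log; the GUID part is a placeholder.
$desired = @{
    androidRestriction = @{ platformBlocked = $true;  personalDeviceEnrollmentBlocked = $true }
    windowsRestriction = @{ platformBlocked = $false; personalDeviceEnrollmentBlocked = $false; osMinimumVersion = '10.0.19044.4894' }
}
$current = @{
    androidRestriction = @{ platformBlocked = $false; personalDeviceEnrollmentBlocked = $false }
    windowsRestriction = @{ platformBlocked = $false; personalDeviceEnrollmentBlocked = $false; osMinimumVersion = '10.0.19044.4894' }
}
if (-not (Test-EnrollmentRestrictionState -Desired $desired -Current $current -Verbose)) {
    $body = @{ '@odata.type' = '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration' } + $desired
    Set-EnrollmentRestrictionSafely -ConfigurationId '<tenant-guid>_DefaultPlatformRestrictions' -Body $body
}
```

With the constructed values, Test reports the Android drift and returns `$false`; Set then either warns and skips under an app-only session, or, for a delegated session, issues the update and downgrades only the specific 403 described in this thread to a warning. Keeping Test honest about drift is what makes the portal-only restriction show up in reports rather than disappearing.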

@FabienTschanz FabienTschanz marked this as a duplicate of #5530 Feb 27, 2025
@FabienTschanz FabienTschanz linked a pull request Feb 27, 2025 that will close this issue