Intune Device Management Graph API
Does anyone know how to connect to the Intune API using MS Graph with an access/refresh token?
I'm using the AADInternals module.
Get-AccessTokenWithRefreshToken -Resource "https://graph.microsoft.com" -ClientId "00000000-0000-0000-0000-000000000000" -RefreshToken $refreshtoken -TenantId $Tenant
I've tried all kinds of resources and client IDs, but when I make the call I keep getting errors like:
{"error":"invalid_grant","error_description":"AADSTS70000: Provided grant is invalid or malformed.\r\n"
{"error":"invalid_grant","error_description":"AADSTS9002313: Invalid request. Request is malformed or invalid"
{"error":"unauthorized_client","error_description":"AADSTS700038: 00000000-0000-0000-0000-000000000000
Or when I use the default MSGraph API clientid & resource:
$apiUrl = "https://graph.microsoft.com/v1.0/deviceManagement/managedDeviceOverview"
Invoke-RestMethod -Headers @{Authorization = "Bearer " + $attributes.MSGraph} -Uri $apiUrl -Method GET -ContentType 'application/json'
Invoke-RestMethod : The remote server returned an error: (403) Forbidden.
Or:
Invoke-RestMethod : The remote server returned an error: (401) Unauthorized.
Update 1
DeviceCompliance seems to be working, I just can't get ManagedDeviceOverview to work... Even in Graph Explorer Developer it gives an error...
https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies
https://graph.microsoft.com/v1.0/deviceManagement/managedDeviceOverview
Comments (1)
If /deviceManagement/deviceCompliancePolicies is working and /deviceManagement/managedDeviceOverview is not, my guess is that there are permissions missing on the enterprise application in AAD (the application with the clientid which you pass to the -ClientId parameter in Get-AccessTokenWithRefreshToken).

Permissions for /deviceManagement/deviceCompliancePolicies:
DeviceManagementConfiguration.Read.All, DeviceManagementConfiguration.ReadWrite.All
These permissions might already be set (because the API call is working).
Check this link (chapter prerequisites): https://learn.microsoft.com/en-us/graph/api/intune-deviceconfig-devicecompliancepolicy-get?view=graph-rest-1.0#prerequisites

Permissions for /deviceManagement/managedDeviceOverview:
DeviceManagementManagedDevices.Read.All, DeviceManagementManagedDevices.ReadWrite.All
These permissions might not be set (because the API call is not working).
Check this link (chapter prerequisites): https://learn.microsoft.com/en-us/graph/api/intune-devices-manageddeviceoverview-get?view=graph-rest-1.0#prerequisites

Check the permissions in the Azure portal: Azure Active Directory --> Enterprise applications --> Your enterprise app (with the right clientid) --> Permissions
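
The answer's guess can also be checked from the token side. The following is an added example, not part of the original post or of AADInternals: it decodes the access token's payload locally and compares its scp (delegated) and roles (application) claims with the permissions listed above. Test-GraphTokenPermission and the sample token are constructed for illustration, and the token signature is not validated.

```powershell
# Added example, not from the original post. Diagnostic only: the token is
# decoded locally and its signature is NOT validated.
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }   # restore padding
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }
    ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
}

# Hypothetical helper: which of the acceptable permissions does the token carry?
function Test-GraphTokenPermission {
    param([Parameter(Mandatory)][string]$Token, [Parameter(Mandatory)][string[]]$AnyOf)
    $claims  = Get-JwtPayload $Token
    $granted = @()
    if ($claims.scp)   { $granted += $claims.scp -split ' ' }   # delegated permissions
    if ($claims.roles) { $granted += $claims.roles }            # application permissions
    [pscustomobject]@{
        Audience = $claims.aud
        AppId    = $claims.appid
        Granted  = $granted
        Matched  = @($granted | Where-Object { $_ -in $AnyOf })
    }
}

# Constructed sample token (unsigned, placeholder values) carrying only the
# configuration scope, which matches the symptom described in the question.
function ConvertTo-Base64Url([string]$Json) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Json)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$sample = @(
    (ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}'),
    (ConvertTo-Base64Url '{"aud":"https://graph.microsoft.com","appid":"00000000-0000-0000-0000-000000000000","scp":"DeviceManagementConfiguration.Read.All"}'),
    'sig'
) -join '.'

$overview = 'DeviceManagementManagedDevices.Read.All', 'DeviceManagementManagedDevices.ReadWrite.All'
$result = Test-GraphTokenPermission -Token $sample -AnyOf $overview
if ($result.Matched.Count -eq 0) {
    "Token for app $($result.AppId) has [$($result.Granted -join ', ')]; managedDeviceOverview needs one of: $($overview -join ', ')"
}
```

An empty Matched list for a token whose Audience is https://graph.microsoft.com points at missing permissions or consent on the application identified by AppId, which is where the portal check above should start.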