I perform a GET with a valid token against
https://graph.microsoft.com/beta/deviceManagement/managedDevices
and I get this error:
{
"error": {
"code": "UnknownError",
"message": {
"ErrorCode": "Forbidden",
"Message": {
"_version ": 3,
"Message": "An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: c0edc6b3-3d79-431f-b224-b034524e565c - Url: https://fef.msua02.manage.microsoft.com/DeviceFE/StatelessDeviceFEService/deviceManagement/managedDevices?api-version=5018-07-19",
"CustomApiErrorPhrase": "",
"RetryAfter": null,
"ErrorSourceService": "",
"HttpHeaders": {
"WWW-Authenticate": "Bearer realm=urn:intune:service,f0f3c450-59bf-4f0d-b1b2-0ef84ddfe3c7"
}
},
"Target": null,
"Details": null,
"InnerError": null,
"InstanceAnnotations": []
},
"innerError": {
"request-id": "c0edc6b3-3d79-431f-b224-b034524e565c",
"date": "2018-09-21T15:27:35"
}
}
}
If I do the same thing with PowerShell, using the sample code from Microsoft, I can successfully get the list of devices.
Has anyone run into the same problem?
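Answer 0: (score: 0)
I figured out what was wrong. The token we were getting was for application-permission access, such as getting devices and users in AAD, but it had no delegated permissions (such as ManagedDevices). I talked to our AAD team, and they should provide us with a way to generate the right token.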
Answer 1: (score: 0)
I ran into the same error and found that I had to add the following 3 permissions in Azure to make it work:
https://graph.microsoft.com/DeviceManagementManagedDevices.Read.All - Delegated
https://graph.microsoft.com/User.Read - Delegated
https://graph.microsoft.com/DeviceManagementManagedDevices.Read.All - Application
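Added example (not part of either answer, and not Microsoft's sample code): one way to check what a token actually carries before calling the endpoint is to decode its claims and look for the permission named above. It assumes the access token is an Azure AD JWT with delegated permissions in the `scp` claim and application permissions in the `roles` claim; the function names are hypothetical and the sample tokens are constructed.

```python
import base64
import json

# Permission named in the answers above.
REQUIRED = "DeviceManagementManagedDevices.Read.All"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature.
    For diagnostics only; never base an authorization decision on it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def permission_report(token: str, required: str = REQUIRED) -> dict:
    claims = decode_claims(token)
    delegated = claims.get("scp", "").split()  # space-separated string
    application = claims.get("roles", [])      # JSON array
    if "scp" in claims:
        kind = "delegated"
    elif "roles" in claims:
        kind = "application"
    else:
        kind = "no permissions"
    return {"audience": claims.get("aud"), "token_type": kind,
            "delegated": delegated, "application": application,
            "has_required": required in delegated or required in application}


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo below."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.sig"


if __name__ == "__main__":
    # Constructed tokens: app-only without the Intune permission, then delegated with it.
    samples = [
        {"aud": "https://graph.microsoft.com", "roles": ["Device.Read.All", "User.Read.All"]},
        {"aud": "https://graph.microsoft.com", "scp": "User.Read " + REQUIRED},
    ]
    for claims in samples:
        print(permission_report(make_sample_token(claims)))
```
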