[IntuneDeviceEnrollmentPlatformRestriction] Tenant is not Global Admin or Intune Service Admin. Operation is restricted. #5127

Open
JelleBroekhuijsen opened this issue Oct 2, 2024 · 3 comments

JelleBroekhuijsen commented Oct 2, 2024

Description of the issue

When trying to deploy an IntuneDeviceEnrollmentPlatformRestriction I am getting an error:

VERBOSE: [SANDBOXHOST-638]:                            
[[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices] Found 
Intune Device Enrollment Platform Restriction with Name {All users and all devices}
VERBOSE: [SANDBOXHOST-638]:                            
[[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices] 
Updating the Intune Device Enrollment Platform Restriction with DisplayName {All users and all devices}
[Forbidden] : {
  "_version": 3,
  "Message": "Tenant is not Global Admin or Intune Service Admin. Operation is restricted. - Operation ID (for 
customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 053eafd6-f83d-4157-a473-061e797122d6 - Url: http
s://fef.amsub0502.manage.microsoft.com/StatelessOnboardingService/deviceManagement/deviceEnrollmentConfigurations('9e5f
2b2a-8736-4031-81f5-06652e4b2c84_DefaultPlatformRestrictions')?api-version=5023-03-29",
  "CustomApiErrorPhrase": "",
  "RetryAfter": null,
  "ErrorSourceService": "",
  "HttpHeaders": "{}"
}
    + CategoryInfo          : InvalidOperation: ({ DeviceEnrollm...Configuration }:) [], CimException
    + FullyQualifiedErrorId : Forbidden,Microsoft.Graph.Beta.PowerShell.Cmdlets.UpdateMgBetaDeviceManagementDeviceEnro 
   llmentConfiguration_Update
    + PSComputerName        : localhost
 
VERBOSE: [SANDBOXHOST-638]: LCM:  [ End    Set      ]  

The enterprise application used has the required permissions:

  • DeviceManagementConfiguration.ReadWrite.All (both application and delegated)
  • DeviceManagementServiceConfig.ReadWrite.All (both application and delegated)

The app is also assigned global admin in the tenant.

Export of the resource using the same app works fine, deploying other resource types also works fine.

Microsoft 365 DSC Version

1.24.904.1

Which workloads are affected

Intune

The DSC configuration

param (
    [Parameter(Mandatory)]
    [psobject]$ConfigurationData
)

Configuration DevicePlatformRestriction_BlockPersonalDevices
{
    $OrganizationName = $ConfigurationData.NonNodeData.OrganizationName

    Import-DscResource -ModuleName 'Microsoft365DSC' -ModuleVersion '1.24.904.1'

    Node localhost
    {
        IntuneDeviceEnrollmentPlatformRestriction "IntuneDeviceEnrollmentPlatformRestriction-All users and all devices"
        {
            Description                       = "This is the default Device Type Restriction applied with the lowest priority to all users regardless of group membership.";
            DeviceEnrollmentConfigurationType = "platformRestrictions";
            DisplayName                       = "All users and all devices";
            Identity                          = "PLACEHOLDER";
            Priority                          = 0;
            Assignments                       = @(
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    groupDisplayName = 'All devices'
                    dataType = '#microsoft.graph.allDevicesAssignmentTarget'
                }
            );
            AndroidForWorkRestriction         = MSFT_DeviceEnrollmentPlatformRestriction{
                platformBlocked = $True
                personalDeviceEnrollmentBlocked = $True
            };
            AndroidRestriction                = MSFT_DeviceEnrollmentPlatformRestriction{
                platformBlocked = $True
                personalDeviceEnrollmentBlocked = $True
            };
            IosRestriction                    = MSFT_DeviceEnrollmentPlatformRestriction{
                platformBlocked = $True
                personalDeviceEnrollmentBlocked = $True
            };
            MacOSRestriction                  = MSFT_DeviceEnrollmentPlatformRestriction{
                platformBlocked = $True
                personalDeviceEnrollmentBlocked = $True
            };
            MacRestriction                    = MSFT_DeviceEnrollmentPlatformRestriction{
                platformBlocked = $True
                personalDeviceEnrollmentBlocked = $True
            };
            WindowsHomeSkuRestriction         = MSFT_DeviceEnrollmentPlatformRestriction{
                platformBlocked = $True
                personalDeviceEnrollmentBlocked = $True
            };
            WindowsRestriction                = MSFT_DeviceEnrollmentPlatformRestriction{
                platformBlocked = $False
                osMinimumVersion = '10.0.19044.4894'
                personalDeviceEnrollmentBlocked = $False
            };
            Ensure                            = "Present";
            TenantId                          = $OrganizationName;
            ApplicationId                     = $ConfigurationData.NonNodeData.ApplicationId;
            CertificateThumbprint             = $ConfigurationData.NonNodeData.CertificateThumbprint;
        }
    }
}

DevicePlatformRestriction_BlockPersonalDevices -ConfigurationData $ConfigurationData

Verbose logs showing the problem

Applying configuration: 'C:\azp\agent\_work\1\s\tenantmanagement\Blueprints\DevicePlatformRestriction_BlockPersonalDevices'
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = 
SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = 
root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer SANDBOXHOST-638 with user sid S-1-5-93-2-1.
VERBOSE: [SANDBOXHOST-638]: LCM:  [ Start  Set      ]
VERBOSE: [SANDBOXHOST-638]: LCM:  [ Start  Resource ]  
[[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices]
VERBOSE: [SANDBOXHOST-638]: LCM:  [ Start  Test     ]  
[[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices]
VERBOSE: [SANDBOXHOST-638]:                            
[[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices] 
Testing configuration of the Intune Device Enrollment Platform Restriction with Id {PLACEHOLDER} and DisplayName {All 
users and all devices}
VERBOSE: [SANDBOXHOST-638]:                            
[[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices] 
Checking for the Intune Device Enrollment Restriction {All users and all devices}
VERBOSE: [SANDBOXHOST-638]:                            
[[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices] Could 
not find an Intune Device Enrollment Platform Restriction with Id {PLACEHOLDER}
VERBOSE: [SANDBOXHOST-638]:                            
[[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices] Found 
Intune Device Enrollment Platform Restriction with Name {All users and all devices}
VERBOSE: [SANDBOXHOST-638]:                            
[[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices] 
Current Values: AccessTokens=$null

AndroidForWorkRestriction={personalDeviceEnrollmentBlocked=False

platformBlocked=False}

AndroidRestriction={personalDeviceEnrollmentBlocked=False

platformBlocked=False}

ApplicationId=***

ApplicationSecret=$null

Assignments=({dataType=#microsoft.graph.allDevicesAssignmentTarget

deviceAndAppManagementAssignmentFilterType=none

groupDisplayName=All devices})

CertificateThumbprint=***

VERBOSE: [SANDBOXHOST-638]: LCM:  [ End    Test     ]  
[[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices]  in 
76.4710 seconds.
VERBOSE: [SANDBOXHOST-638]: LCM:  [ Start  Set      ]  
[[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices]
VERBOSE: [SANDBOXHOST-638]:                            
[[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices] 
Checking for the Intune Device Enrollment Restriction {All users and all devices}
VERBOSE: [SANDBOXHOST-638]:                            
[[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices] Could 
not find an Intune Device Enrollment Platform Restriction with Id {PLACEHOLDER}
VERBOSE: [SANDBOXHOST-638]:                            
[[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices] Found 
Intune Device Enrollment Platform Restriction with Name {All users and all devices}
VERBOSE: [SANDBOXHOST-638]:                            
[[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices] 
Updating the Intune Device Enrollment Platform Restriction with DisplayName {All users and all devices}
[Forbidden] : {
  "_version": 3,
  "Message": "Tenant is not Global Admin or Intune Service Admin. Operation is restricted. - Operation ID (for 
customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 93ce62f4-cd16-4851-9f7c-5ac976217f7c - Url: http
s://fef.amsub0502.manage.microsoft.com/StatelessOnboardingService/deviceManagement/deviceEnrollmentConfigurations('9e5f
2b2a-8736-4031-81f5-06652e4b2c84_DefaultPlatformRestrictions')?api-version=5023-03-29",
  "CustomApiErrorPhrase": "",
  "RetryAfter": null,
  "ErrorSourceService": "",
  "HttpHeaders": "{}"
}
    + CategoryInfo          : InvalidOperation: ({ DeviceEnrollm...Configuration }:) [], CimException
    + FullyQualifiedErrorId : Forbidden,Microsoft.Graph.Beta.PowerShell.Cmdlets.UpdateMgBetaDeviceManagementDeviceEnro 
   llmentConfiguration_Update
    + PSComputerName        : localhost
 
VERBOSE: [SANDBOXHOST-638]: LCM:  [ End    Set      ]  
[[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices]  in 
2.2570 seconds.
The PowerShell DSC resource '[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All 
users and all devices' with SourceInfo 'C:\azp\agent\_work\1\s\tenantmanagement\Blueprints\DevicePlatformRestriction_Bl
ockPersonalDevices.ps1::14::9::IntuneDeviceEnrollmentPlatformRestriction' threw one or more non-terminating errors 
while running the Set-TargetResource functionality. These errors are logged to the ETW channel called 
Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName        : localhost
 
VERBOSE: [SANDBOXHOST-638]: LCM:  [ End    Set      ]
The SendConfigurationApply function did not succeed.
    + CategoryInfo          : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 1
    + PSComputerName        : localhost
 
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 82.695 seconds

Environment Information + PowerShell Version

OsName               : Microsoft Windows Server 2022 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 20348.859.amd64fre.fe_release_svc_prod2.220707-1832
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Key   : PSVersion
Value : 5.1.20348.2652
Name  : PSVersion

Key   : PSEdition
Value : Desktop
Name  : PSEdition

Key   : PSCompatibleVersions
Value : {1.0, 2.0, 3.0, 4.0...}
Name  : PSCompatibleVersions

Key   : BuildVersion
Value : 10.0.20348.2652
Name  : BuildVersion

Key   : CLRVersion
Value : 4.0.30319.42000
Name  : CLRVersion

Key   : WSManStackVersion
Value : 3.0
Name  : WSManStackVersion

Key   : PSRemotingProtocolVersion
Value : 2.3
Name  : PSRemotingProtocolVersion

Key   : SerializationVersion
Value : 1.1.0.1
Name  : SerializationVersion
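A diagnostic that separates the three things the report conflates (Graph application permissions in the token, a directory role on the service principal, and the read vs. write path of the enrollment configuration). This is an added script, not part of the issue or of Microsoft365DSC; the three parameters mirror the DSC configuration above, and the `-ProbeWrite` switch and the no-op `Update-MgBeta...` call with `-Description`/`-AdditionalProperties` are assumptions of this example.

```powershell
# Added diagnostic (not from the issue or from Microsoft365DSC). Assumes the same
# certificate-based app registration the DSC configuration uses.
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $ApplicationId,
    [Parameter(Mandatory)] [string] $CertificateThumbprint,
    [switch] $ProbeWrite   # hypothetical switch: also try a no-op Update to reproduce the Forbidden
)

# 1. Authenticate app-only, the same way the DSC resource does, and show what the token carries.
Connect-MgGraph -TenantId $TenantId -ClientId $ApplicationId `
    -CertificateThumbprint $CertificateThumbprint -NoWelcome
$ctx = Get-MgContext
Write-Host "AuthType: $($ctx.AuthType)"
Write-Host "Permissions in token: $($ctx.Scopes -join ', ')"

# 2. Directory roles (Global Administrator / Intune Administrator) are held by the
#    service principal object in the tenant, not by the app registration, so look them up there.
$sp = Get-MgServicePrincipal -Filter "appId eq '$ApplicationId'"
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($sp.Id)'"
if (-not $assignments) {
    Write-Warning "Service principal $($sp.Id) has no directory role assignments."
}
foreach ($a in $assignments) {
    $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $a.RoleDefinitionId
    Write-Host ("Directory role: {0} (scope {1})" -f $def.DisplayName, $a.DirectoryScopeId)
}

# 3. Read path (what Export uses) needs only the Graph permissions; the default
#    platform restriction has the '<tenantId>_DefaultPlatformRestrictions' id seen in the error URL.
$cfg = Get-MgBetaDeviceManagementDeviceEnrollmentConfiguration -All |
    Where-Object { $_.Id -like '*_DefaultPlatformRestrictions' }
Write-Host "Read OK: $($cfg.Id) priority=$($cfg.Priority)"

# 4. Write path: send the description back unchanged. A [Forbidden] with the same
#    'Tenant is not Global Admin or Intune Service Admin' message isolates the problem
#    to the service-side role check rather than to the DSC resource.
if ($ProbeWrite) {
    try {
        Update-MgBetaDeviceManagementDeviceEnrollmentConfiguration `
            -DeviceEnrollmentConfigurationId $cfg.Id `
            -AdditionalProperties @{ '@odata.type' = '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration' } `
            -Description $cfg.Description -ErrorAction Stop
        Write-Host "Write OK"
    } catch {
        Write-Warning "Write failed: $($_.Exception.Message)"
    }
}
```

Compare the roles printed in step 2 with the permissions printed in step 1: the Forbidden message names a directory role, not a Graph permission, so a token that shows only `DeviceManagement*.ReadWrite.All` and a service principal with no role assignment are the first things to rule out.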

@ricmestre
Contributor

I never reported it, but I'm also having this issue.

@FabienTschanz
Contributor

I opened a Microsoft case from my test tenant: Update-MgBetaDeviceManagementDeviceEnrollmentConfiguration does not work (#2410031420002336).

@FabienTschanz
Contributor

Well, my ticket was closed because it would be "root cause analysis" and not "break fix". Guess I'll have to open one with the unified support then... Will keep you updated.
