Hi!
If possible, maybe you could guide me through the required user permissions to successfully run the script.
We have user which is Intune Administrator, as does have required permissions to manually delete the devices from Intune, Autopilot, and Entra ID, bet when running the script, it just fails with:
Get-MgDevice : Insufficient privileges to complete the operation.
Status: 403 (Forbidden)
ErrorCode: Authorization_RequestDenied
Date: 2025-07-30T09:41:05
Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : xxxxxxxx-xxxx-48ef-xxxx-xxxxxxxxxxxx
client-request-id : xxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"xxxxxx
East","Slice":"E","Ring":"2","ScaleUnit":"000","RoleInstance":"xxxxxxxxxxxxxxx"}}
x-ms-resource-unit : 1
Cache-Control : no-cache
Date : Wed, 30 Jul 2025 09:41:04 GMT
At C:\Users\xxxx\Downloads\RemoveAutoPilotDevices-main\RemoveAutoPilotDevices-main\removeAutoPilotdevices.ps1:66 char:5
-
$allmgdevices = Get-MgDevice -All
-
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- CategoryInfo : InvalidOperation: ({ ConsistencyLe... , Headers = }:<>f__AnonymousType34`10) [Get-MgDevice_List], Exception
- FullyQualifiedErrorId : Authorization_RequestDenied,Microsoft.Graph.PowerShell.Cmdlets.GetMgDevice_List
Get-AutoPilotDevice : Microsoft.Graph.PowerShell.Authentication.Helpers.HttpResponseException: Response status code does not indicate success:
Forbidden (Forbidden).
at System.Management.Automation.MshCommandRuntime.ThrowTerminatingError(ErrorRecord errorRecord)
At C:\Users\xxxx\Downloads\RemoveAutoPilotDevices-main\RemoveAutoPilotDevices-main\removeAutoPilotdevices.ps1:73 char:21
-
$apdevice = Get-AutoPilotDevice | Where-Object SerialNumber - ...
-
- CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
- FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-AutopilotDevice
App registration has been configured using all required permissions (delegated)
DeviceManagementApps.ReadWrite.All
DeviceManagementConfiguration.ReadWrite.All
DeviceManagementManagedDevices.PrivilegedOperations.All
DeviceManagementManagedDevices.ReadWrite.All
DeviceManagementRBAC.ReadWrite.All
DeviceManagementServiceConfig.ReadWrite.All
Directory.Read.All
Group.ReadWrite.All
Sensitivity: Internal
openid
User.read
But still nothing. Is it really required to have some other permissions (other than Intune Administrator) assigned to the user itself, as application fails to use these delegated permissions? Maybe some kind of additional changes have been made from MS side, when it comes to using Graph API?
Hi!
If possible, maybe you could guide me through the required user permissions to successfully run the script.
We have user which is Intune Administrator, as does have required permissions to manually delete the devices from Intune, Autopilot, and Entra ID, bet when running the script, it just fails with:
Get-MgDevice : Insufficient privileges to complete the operation.
Status: 403 (Forbidden)
ErrorCode: Authorization_RequestDenied
Date: 2025-07-30T09:41:05
Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : xxxxxxxx-xxxx-48ef-xxxx-xxxxxxxxxxxx
client-request-id : xxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"xxxxxx
East","Slice":"E","Ring":"2","ScaleUnit":"000","RoleInstance":"xxxxxxxxxxxxxxx"}}
x-ms-resource-unit : 1
Cache-Control : no-cache
Date : Wed, 30 Jul 2025 09:41:04 GMT
At C:\Users\xxxx\Downloads\RemoveAutoPilotDevices-main\RemoveAutoPilotDevices-main\removeAutoPilotdevices.ps1:66 char:5
Get-AutoPilotDevice : Microsoft.Graph.PowerShell.Authentication.Helpers.HttpResponseException: Response status code does not indicate success:
Forbidden (Forbidden).
at System.Management.Automation.MshCommandRuntime.ThrowTerminatingError(ErrorRecord errorRecord)
At C:\Users\xxxx\Downloads\RemoveAutoPilotDevices-main\RemoveAutoPilotDevices-main\removeAutoPilotdevices.ps1:73 char:21
App registration has been configured using all required permissions (delegated)
DeviceManagementApps.ReadWrite.All
DeviceManagementConfiguration.ReadWrite.All
DeviceManagementManagedDevices.PrivilegedOperations.All
DeviceManagementManagedDevices.ReadWrite.All
DeviceManagementRBAC.ReadWrite.All
DeviceManagementServiceConfig.ReadWrite.All
Directory.Read.All
Group.ReadWrite.All
Sensitivity: Internal
openid
User.read
But still nothing. Is it really required to have some other permissions (other than Intune Administrator) assigned to the user itself, as application fails to use these delegated permissions? Maybe some kind of additional changes have been made from MS side, when it comes to using Graph API?