Microsoft365DSC
[IntuneDeviceEnrollmentPlatformRestriction] Tenant is not Global Admin or Intune Service Admin. Operation is restricted.
Description of the issue
When trying to deploy an IntuneDeviceEnrollmentPlatformRestriction I am getting an error:
VERBOSE: [SANDBOXHOST-638]:
[[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices] Found
Intune Device Enrollment Platform Restriction with Name {All users and all devices}
VERBOSE: [SANDBOXHOST-638]:
[[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices]
Updating the Intune Device Enrollment Platform Restriction with DisplayName {All users and all devices}
[Forbidden] : {
"_version": 3,
"Message": "Tenant is not Global Admin or Intune Service Admin. Operation is restricted. - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 053eafd6-f83d-4157-a473-061e797122d6 - Url: https://fef.amsub0502.manage.microsoft.com/StatelessOnboardingService/deviceManagement/deviceEnrollmentConfigurations('9e5f2b2a-8736-4031-81f5-06652e4b2c84_DefaultPlatformRestrictions')?api-version=5023-03-29",
"CustomApiErrorPhrase": "",
"RetryAfter": null,
"ErrorSourceService": "",
"HttpHeaders": "{}"
}
+ CategoryInfo : InvalidOperation: ({ DeviceEnrollm...Configuration }:) [], CimException
+ FullyQualifiedErrorId : Forbidden,Microsoft.Graph.Beta.PowerShell.Cmdlets.UpdateMgBetaDeviceManagementDeviceEnrollmentConfiguration_Update
+ PSComputerName : localhost
VERBOSE: [SANDBOXHOST-638]: LCM: [ End Set ]
The enterprise application used has the required permissions:
- DeviceManagementConfiguration.ReadWrite.All (both application and delegated)
- DeviceManagementServiceConfig.ReadWrite.All (both application and delegated)
The app is also assigned global admin in the tenant.
Export of the resource using the same app works fine, deploying other resource types also works fine.
Microsoft 365 DSC Version
1.24.904.1
Which workloads are affected
Intune
The DSC configuration
param (
    [Parameter(Mandatory)]
    [psobject]$ConfigurationData
)

Configuration DevicePlatformRestriction_BlockPersonalDevices
{
    $OrganizationName = $ConfigurationData.NonNodeData.OrganizationName
    Import-DscResource -ModuleName 'Microsoft365DSC' -ModuleVersion '1.24.904.1'

    Node localhost
    {
        IntuneDeviceEnrollmentPlatformRestriction "IntuneDeviceEnrollmentPlatformRestriction-All users and all devices"
        {
            Description                       = "This is the default Device Type Restriction applied with the lowest priority to all users regardless of group membership.";
            DeviceEnrollmentConfigurationType = "platformRestrictions";
            DisplayName                       = "All users and all devices";
            # Identity is a placeholder; the resource falls back to matching by DisplayName (see verbose log)
            Identity                          = "PLACEHOLDER";
            Priority                          = 0;
            Assignments                       = @(
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    groupDisplayName                           = 'All devices'
                    dataType                                   = '#microsoft.graph.allDevicesAssignmentTarget'
                }
            );
            AndroidForWorkRestriction = MSFT_DeviceEnrollmentPlatformRestriction{
                platformBlocked                 = $True
                personalDeviceEnrollmentBlocked = $True
            };
            AndroidRestriction = MSFT_DeviceEnrollmentPlatformRestriction{
                platformBlocked                 = $True
                personalDeviceEnrollmentBlocked = $True
            };
            IosRestriction = MSFT_DeviceEnrollmentPlatformRestriction{
                platformBlocked                 = $True
                personalDeviceEnrollmentBlocked = $True
            };
            MacOSRestriction = MSFT_DeviceEnrollmentPlatformRestriction{
                platformBlocked                 = $True
                personalDeviceEnrollmentBlocked = $True
            };
            MacRestriction = MSFT_DeviceEnrollmentPlatformRestriction{
                platformBlocked                 = $True
                personalDeviceEnrollmentBlocked = $True
            };
            WindowsHomeSkuRestriction = MSFT_DeviceEnrollmentPlatformRestriction{
                platformBlocked                 = $True
                personalDeviceEnrollmentBlocked = $True
            };
            # Windows stays allowed, but only from this build upwards
            WindowsRestriction = MSFT_DeviceEnrollmentPlatformRestriction{
                platformBlocked                 = $False
                osMinimumVersion                = '10.0.19044.4894'
                personalDeviceEnrollmentBlocked = $False
            };
            Ensure                = "Present";
            TenantId              = $OrganizationName;
            ApplicationId         = $ConfigurationData.NonNodeData.ApplicationId;
            CertificateThumbprint = $ConfigurationData.NonNodeData.CertificateThumbprint;
        }
    }
}

DevicePlatformRestriction_BlockPersonalDevices -ConfigurationData $ConfigurationData
Verbose logs showing the problem
Applying configuration: 'C:\azp\agent\_work\1\s\tenantmanagement\Blueprints\DevicePlatformRestriction_BlockPersonalDevices'
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' =
SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' =
root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer SANDBOXHOST-638 with user sid S-1-5-93-2-1.
VERBOSE: [SANDBOXHOST-638]: LCM: [ Start Set ]
VERBOSE: [SANDBOXHOST-638]: LCM: [ Start Resource ]
[[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices]
VERBOSE: [SANDBOXHOST-638]: LCM: [ Start Test ]
[[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices]
VERBOSE: [SANDBOXHOST-638]:
[[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices]
Testing configuration of the Intune Device Enrollment Platform Restriction with Id {PLACEHOLDER} and DisplayName {All
users and all devices}
VERBOSE: [SANDBOXHOST-638]:
[[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices]
Checking for the Intune Device Enrollment Restriction {All users and all devices}
VERBOSE: [SANDBOXHOST-638]:
[[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices] Could
not find an Intune Device Enrollment Platform Restriction with Id {PLACEHOLDER}
VERBOSE: [SANDBOXHOST-638]:
[[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices] Found
Intune Device Enrollment Platform Restriction with Name {All users and all devices}
VERBOSE: [SANDBOXHOST-638]:
[[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices]
Current Values: AccessTokens=$null
AndroidForWorkRestriction={personalDeviceEnrollmentBlocked=False
platformBlocked=False}
AndroidRestriction={personalDeviceEnrollmentBlocked=False
platformBlocked=False}
ApplicationId=***
ApplicationSecret=$null
Assignments=({dataType=#microsoft.graph.allDevicesAssignmentTarget
deviceAndAppManagementAssignmentFilterType=none
groupDisplayName=All devices})
CertificateThumbprint=***
VERBOSE: [SANDBOXHOST-638]: LCM: [ End Test ]
[[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices] in
76.4710 seconds.
VERBOSE: [SANDBOXHOST-638]: LCM: [ Start Set ]
[[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices]
VERBOSE: [SANDBOXHOST-638]:
[[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices]
Checking for the Intune Device Enrollment Restriction {All users and all devices}
VERBOSE: [SANDBOXHOST-638]:
[[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices] Could
not find an Intune Device Enrollment Platform Restriction with Id {PLACEHOLDER}
VERBOSE: [SANDBOXHOST-638]:
[[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices] Found
Intune Device Enrollment Platform Restriction with Name {All users and all devices}
VERBOSE: [SANDBOXHOST-638]:
[[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices]
Updating the Intune Device Enrollment Platform Restriction with DisplayName {All users and all devices}
[Forbidden] : {
"_version": 3,
"Message": "Tenant is not Global Admin or Intune Service Admin. Operation is restricted. - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 93ce62f4-cd16-4851-9f7c-5ac976217f7c - Url: https://fef.amsub0502.manage.microsoft.com/StatelessOnboardingService/deviceManagement/deviceEnrollmentConfigurations('9e5f2b2a-8736-4031-81f5-06652e4b2c84_DefaultPlatformRestrictions')?api-version=5023-03-29",
"CustomApiErrorPhrase": "",
"RetryAfter": null,
"ErrorSourceService": "",
"HttpHeaders": "{}"
}
+ CategoryInfo : InvalidOperation: ({ DeviceEnrollm...Configuration }:) [], CimException
+ FullyQualifiedErrorId : Forbidden,Microsoft.Graph.Beta.PowerShell.Cmdlets.UpdateMgBetaDeviceManagementDeviceEnrollmentConfiguration_Update
+ PSComputerName : localhost
VERBOSE: [SANDBOXHOST-638]: LCM: [ End Set ]
[[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices] in
2.2570 seconds.
The PowerShell DSC resource '[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices' with SourceInfo 'C:\azp\agent\_work\1\s\tenantmanagement\Blueprints\DevicePlatformRestriction_BlockPersonalDevices.ps1::14::9::IntuneDeviceEnrollmentPlatformRestriction' threw one or more non-terminating errors
while running the Set-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
+ CategoryInfo : InvalidOperation: (:) [], CimException
+ FullyQualifiedErrorId : NonTerminatingErrorFromProvider
+ PSComputerName : localhost
VERBOSE: [SANDBOXHOST-638]: LCM: [ End Set ]
The SendConfigurationApply function did not succeed.
+ CategoryInfo : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
+ FullyQualifiedErrorId : MI RESULT 1
+ PSComputerName : localhost
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 82.695 seconds
Environment Information + PowerShell Version
OsName : Microsoft Windows Server 2022 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture : 64-bit
WindowsVersion : 2009
WindowsBuildLabEx : 20348.859.amd64fre.fe_release_svc_prod2.220707-1832
OsLanguage : en-US
OsMuiLanguages : {en-US}
PSVersion                 : 5.1.20348.2652
PSEdition                 : Desktop
PSCompatibleVersions      : {1.0, 2.0, 3.0, 4.0...}
BuildVersion              : 10.0.20348.2652
CLRVersion                : 4.0.30319.42000
WSManStackVersion         : 3.0
PSRemotingProtocolVersion : 2.3
SerializationVersion      : 1.1.0.1
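A pre-flight check for the permission claims made in the description (the two Graph application permissions and the Global Administrator / Intune Administrator directory roles named in the Forbidden message), added here as an example; it is not part of the issue or of Microsoft365DSC. It assumes the Microsoft Graph PowerShell SDK (v2) is installed and that the app can read directory objects (for example via Application.Read.All); the parameters are the same tenant, application and certificate values the DSC configuration consumes. Because the Forbidden message names roles rather than Graph permissions, the script reports both, and it ignores delegated grants, which never apply to certificate-based app-only authentication.

```powershell
# Added example, not from the issue or Microsoft365DSC: verify what the app-only
# identity used by the DSC configuration actually holds in Entra ID.
# Assumes Microsoft.Graph.Applications is installed and the app may read
# directory objects (e.g. Application.Read.All); parameters are placeholders.
param(
    [Parameter(Mandatory)] [string]$ApplicationId,
    [Parameter(Mandatory)] [string]$TenantId,
    [Parameter(Mandatory)] [string]$CertificateThumbprint
)

# Graph application permissions the report says are granted.
$RequiredAppRoles = @(
    'DeviceManagementConfiguration.ReadWrite.All',
    'DeviceManagementServiceConfig.ReadWrite.All'
)
# Directory roles named in the Forbidden message (Entra ID display names;
# "Intune Administrator" is the current name of Intune Service Administrator).
$AcceptedDirectoryRoles = @('Global Administrator', 'Intune Administrator')

Connect-MgGraph -ClientId $ApplicationId -TenantId $TenantId `
    -CertificateThumbprint $CertificateThumbprint -NoWelcome

# Service principal of the app, and the Microsoft Graph service principal
# (well-known appId), whose AppRoles map role ids to permission names.
$sp    = Get-MgServicePrincipal -Filter "appId eq '$ApplicationId'"
$graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleName = @{}
foreach ($r in $graph.AppRoles) { $roleName[$r.Id] = $r.Value }

# Application permissions are app role assignments on the Graph SP. Delegated
# grants (also listed in the report) never apply to certificate/app-only auth.
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
    Where-Object { $_.ResourceId -eq $graph.Id } |
    ForEach-Object { $roleName[$_.AppRoleId] }
foreach ($role in $RequiredAppRoles) {
    $state = if ($granted -contains $role) { 'OK     ' } else { 'MISSING' }
    Write-Host "[$state] Graph application permission: $role"
}

# Directory roles come back from memberOf as directoryRole objects.
$roles = Get-MgServicePrincipalMemberOf -ServicePrincipalId $sp.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
    ForEach-Object { $_.AdditionalProperties['displayName'] }
$held = @($roles | Where-Object { $AcceptedDirectoryRoles -contains $_ })
if ($held.Count -gt 0) {
    Write-Host "[OK     ] Service principal holds: $($held -join ', ')"
} else {
    Write-Host "[MISSING] Service principal holds none of: $($AcceptedDirectoryRoles -join ', ')"
}
```

Run it with the same ApplicationId, TenantId and CertificateThumbprint the configuration uses; a MISSING line for the directory roles, with both permissions OK, matches the situation the Forbidden response describes and points at the role assignment of the service principal rather than at the Graph permission grants.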