🪲 Cannot add or remove Registered Device Owner despite global admin and Device.ReadWrite.All
Describe the bug
I am trying to add and remove device owners using Add-EntraDeviceRegisteredOwner and Remove-EntraDeviceRegisteredOwner. But I am getting "Insufficient privileges to complete the operation." This is despite confirming that I am Global Administrator and have the Device.ReadWrite.All and Directory.ReadWrite.All scopes. (I can read the device owner fine.)
To Reproduce
Steps to reproduce the behavior: I am running version 1.0.7 of Entra (and I tested in Entra.Beta also)
- $device = Get-EntraDevice -SearchString 'win11'
- $owner = Get-EntraUser -UserId '[email protected]'
- Remove-EntraDeviceRegisteredOwner -DeviceId $device.Id -OwnerId $owner.id
- Error: Remove-MgDeviceRegisteredOwnerDirectoryObjectByRef_Delete: Insufficient privileges to complete the operation. Status: 403 (Forbidden) ErrorCode: Authorization_RequestDenied
Likewise:
- Add-EntraDeviceRegisteredOwner -DeviceId $device.Id -OwnerId $owner.id
- Error: New-MgDeviceRegisteredOwnerByRef_Create: Insufficient privileges to complete the operation. Status: 403 (Forbidden) ErrorCode: Authorization_RequestDenied
Expected behavior
I expect the owner of the device to actually change. Secondly, I want the error message to point to what permission is needed so I can activate that.
Debug Output
DEBUG: ============================ TRANSFORMATIONS ============================
DEBUG: Debug : True
DEBUG: DirectoryObjectId : 0000
DEBUG: DeviceId : 0000
DEBUG: =========================================================================
DEBUG: [CmdletBeginProcessing]: - Remove-MgDeviceRegisteredOwnerDirectoryObjectByRef begin processing with parameterSet 'Delete'.
DEBUG: [Authentication]: - AuthType: 'Delegated', TokenCredentialType: 'InteractiveBrowser', ContextScope: 'CurrentUser', AppName: 'Microsoft Graph Command Line Tools'.
DEBUG: [Authentication]: - Scopes: [AdministrativeUnit.Read.All, AdministrativeUnit.ReadWrite.All, Device.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All, Group.Read.All, Group.ReadWrite.All, IdentityRiskEvent.Read.All, IdentityRiskyUser.ReadWrite.All, openid, Policy.Read.All, PrivilegedAccess.ReadWrite.AzureADGroup, PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup, profile, RoleAssignmentSchedule.ReadWrite.Directory, RoleEligibilitySchedule.ReadWrite.Directory, RoleManagement.ReadWrite.Directory, RoleManagementPolicy.Read.AzureADGroup, RoleManagementPolicy.ReadWrite.AzureADGroup, Team.ReadBasic.All, TeamMember.Read.All, User.Read, User.Read.All, User.ReadWrite.All, email].

Confirm
Are you sure you want to perform this action?
Performing the operation "Remove-MgDeviceRegisteredOwnerDirectoryObjectByRef_Delete" on target "Call remote 'DELETE /devices/{device-id}/registeredOwners/{directoryObject-id}/$ref' operation".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y

DEBUG: ============================ HTTP REQUEST ============================
HTTP Method: DELETE
Absolute Uri: https://graph.microsoft.com/v1.0/devices/0000/registeredOwners/0000/$ref
Headers:
User-Agent : PowerShell/7.5.1,EntraPowershell/1.0.7,Remove-EntraDeviceRegisteredOwner
FeatureFlag : 00000043
Cache-Control : no-store, no-cache
Accept-Encoding : gzip
SdkVersion : graph-powershell/2.25.0
client-request-id : 0000
Body:

DEBUG: ============================ HTTP RESPONSE ============================
Status Code: Forbidden
Headers:
Cache-Control : no-cache
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 0000
client-request-id : 0000
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"US","Slice":"E","Ring":"4","ScaleUnit":"004","RoleInstance":"ABC"}}
x-ms-resource-unit : 1
Date : Wed, 21 May 2025 15:38:05 GMT
Body:
{
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "date": "2025-05-21T15:38:05",
      "request-id": "0000",
      "client-request-id": "0000"
    }
  }
}

Remove-MgDeviceRegisteredOwnerDirectoryObjectByRef_Delete: Insufficient privileges to complete the operation.
Status: 403 (Forbidden)
ErrorCode: Authorization_RequestDenied
Date: 2025-05-21T15:38:05
Headers:
Cache-Control : no-cache
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 0000
client-request-id : 0000
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"US","Slice":"E","Ring":"4","ScaleUnit":"004","RoleInstance":"ABC"}}
x-ms-resource-unit : 1
Date : Wed, 21 May 2025 15:38:05 GMT
Recommendation: See service error codes: https://learn.microsoft.com/graph/errors

DEBUG: [CmdletEndProcessing]: - Remove-MgDeviceRegisteredOwnerDirectoryObjectByRef end processing.
And the debug output of "add" is the same except it calls New-MgDeviceRegisteredOwnerByRef_Create.
Module Version
ModuleType Version Name
---------- ------- ----
Script     1.0.7   Microsoft.Entra.Authentication
Script     1.0.7   Microsoft.Entra.Beta.Applications
Script     1.0.7   Microsoft.Entra.Beta.Authentication
Script     1.0.7   Microsoft.Entra.Beta.DirectoryManagement
Script     1.0.7   Microsoft.Entra.Beta.Users
Script     1.0.7   Microsoft.Entra.DirectoryManagement
Script     1.0.7   Microsoft.Entra.Users
Environment Data
Name                      Value
----                      -----
PSVersion                 7.5.1
PSEdition                 Core
GitCommitId               7.5.1
OS                        Microsoft Windows 10.0.22631
Platform                  Win32NT
PSCompatibleVersions      {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion      1.1.0.1
WSManStackVersion         3.0
Additional context
Try using the Scope Directory.AccessAsUser.All
Reference https://learn.microsoft.com/en-us/powershell/module/microsoft.entra/remove-entradeviceregisteredowner?view=entra-powershell#example-1-remove-an-owner-from-a-device
That did the trick. Thanks! Is there any way the output of the error can reveal or hint at what permission is needed to make the function work?
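An added example, not from this issue or the Entra PowerShell project, showing one way to get the behaviour asked for above: check the delegated scopes of the current session before calling Remove-EntraDeviceRegisteredOwner, and turn a 403 Authorization_RequestDenied into an error that names the scope the call needs. It assumes the Connect-Entra, Get-EntraContext and Remove-EntraDeviceRegisteredOwner cmdlets from Microsoft.Entra, that Get-EntraContext exposes the granted scopes in a Scopes property, and that Directory.AccessAsUser.All is the required scope, as the comment above reports. The wrapper function and its RequiredScopes parameter are hypothetical names chosen for this example; the usage values at the end are constructed.

```powershell
# Added example (not from the issue or the Entra PowerShell project).
# Wraps the owner-removal call from the issue with a pre-flight check on the
# session's delegated scopes, so a missing scope is reported by name instead
# of as a bare 403 Authorization_RequestDenied.
# Assumed: Connect-Entra / Get-EntraContext / Remove-EntraDeviceRegisteredOwner
# from Microsoft.Entra; Get-EntraContext returning a .Scopes list; and
# Directory.AccessAsUser.All being the scope that resolved the issue.

function Remove-DeviceOwnerWithScopeCheck {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $DeviceId,
        [Parameter(Mandatory)] [string] $OwnerId,
        # Hypothetical parameter: the scopes this operation is known to need.
        [string[]] $RequiredScopes = @('Directory.AccessAsUser.All')
    )

    $ctx = Get-EntraContext
    if (-not $ctx) {
        throw "No Entra session. Run: Connect-Entra -Scopes '$($RequiredScopes -join "','")'"
    }

    # Compare granted scopes against what the call needs (-notcontains is
    # case-insensitive, matching how Graph treats scope names).
    $granted = @($ctx.Scopes)
    $missing = @($RequiredScopes | Where-Object { $granted -notcontains $_ })
    if ($missing.Count -gt 0) {
        $reconnect = ($granted + $missing) -join "','"
        throw ("Session is missing delegated scope(s): {0}. Reconnect with: Connect-Entra -Scopes '{1}'" -f ($missing -join ', '), $reconnect)
    }

    if ($PSCmdlet.ShouldProcess("device $DeviceId", "remove registered owner $OwnerId")) {
        try {
            Remove-EntraDeviceRegisteredOwner -DeviceId $DeviceId -OwnerId $OwnerId -ErrorAction Stop
        }
        catch {
            # Graph answers a missing permission with 403 Authorization_RequestDenied;
            # surface the scope hint instead of only the generic message.
            if ($_.Exception.Message -match 'Authorization_RequestDenied') {
                throw ("Graph denied the request (403). Granted scopes: {0}. This operation needs: {1}." -f ($granted -join ', '), ($RequiredScopes -join ', '))
            }
            throw
        }
    }
}

# Usage (constructed values; replace with objects from your own tenant):
# Connect-Entra -Scopes 'Device.ReadWrite.All','Directory.AccessAsUser.All'
# $device = Get-EntraDevice -SearchString 'win11'
# $owner  = Get-EntraUser -UserId 'user@example.com'
# Remove-DeviceOwnerWithScopeCheck -DeviceId $device.Id -OwnerId $owner.Id -WhatIf
```

The pre-flight check only covers scopes the caller already knows about, so it complements rather than replaces the Graph error; the point is that a 403 on a write to a device relationship is surfaced together with the scope list the session was actually granted, which is the information the original error output lacks.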