Cannot add or remove Registered Device Owner despite global admin and Device.ReadWrite.All
Describe the bug
I am trying to add and remove device owners using New-MgDeviceRegisteredOwnerByRef and Remove-MgDeviceRegisteredOwnerDirectoryObjectByRef. But I am getting "Insufficient privileges to complete the operation." This is despite confirming that I am Global Administrator and have the Device.ReadWrite.All and Directory.ReadWrite.All scopes. (I can read the device owner fine.)
Expected behavior
I expect the owner of the device to actually change. Secondly, I want the error message to point to what permission is needed so I can activate that.
How to reproduce
$ownermg = Get-MgUser -UserId "[email protected]"
$devicemg = Get-MgDevice -Filter "displayName eq 'win11'"
# Reading the current owner works fine with the scopes listed in the debug output below
(Get-MgUser -UserId (Get-MgDeviceRegisteredOwner -DeviceId $devicemg.id).id) | Select-Object DisplayName, UserPrincipalName
New-MgDeviceRegisteredOwnerByRef -DeviceId $devicemg.id -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($ownermg.id)" } -Debug
# -> 403 Authorization_RequestDenied: "Insufficient privileges to complete the operation."
Remove-MgDeviceRegisteredOwnerDirectoryObjectByRef -DeviceId $devicemg.id -DirectoryObjectId $ownermg.id -Debug
# -> 403 Authorization_RequestDenied: "Insufficient privileges to complete the operation."
SDK Version
2.25.0 and 2.28.0
Latest version known to work for scenario above?
n/a
Known Workarounds
none
Debug output
Debug log for "add/new":
DEBUG: [CmdletBeginProcessing]: - New-MgDeviceRegisteredOwnerByRef begin processing with parameterSet 'Create'.
DEBUG: [Authentication]: - AuthType: 'Delegated', TokenCredentialType: 'InteractiveBrowser', ContextScope: 'CurrentUser', AppName: 'Microsoft Graph Command Line Tools'.
DEBUG: [Authentication]: - Scopes: [AdministrativeUnit.Read.All, AdministrativeUnit.ReadWrite.All, Device.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All, Group.Read.All, Group.ReadWrite.All, IdentityRiskEvent.Read.All, IdentityRiskyUser.ReadWrite.All, openid, Policy.Read.All, PrivilegedAccess.ReadWrite.AzureADGroup, PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup, profile, RoleAssignmentSchedule.ReadWrite.Directory, RoleEligibilitySchedule.ReadWrite.Directory, RoleManagement.ReadWrite.Directory, RoleManagementPolicy.Read.AzureADGroup, RoleManagementPolicy.ReadWrite.AzureADGroup, Team.ReadBasic.All, TeamMember.Read.All, User.Read, User.Read.All, User.ReadWrite.All, email].
Confirm
Are you sure you want to perform this action?
Performing the operation "New-MgDeviceRegisteredOwnerByRef_Create" on target "Call remote 'POST /devices/{device-id}/registeredOwners/$ref' operation".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
POST
Absolute Uri:
https://graph.microsoft.com/v1.0/devices/{guid}/registeredOwners/$ref
Headers:
FeatureFlag : 00000003
Cache-Control : no-store, no-cache
User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.22631; en-US),PowerShell/2025.0.0
SdkVersion : graph-powershell/2.28.0
client-request-id : {guid}
Accept-Encoding : gzip,deflate,br
Body:
{
"@odata.id": "https://graph.microsoft.com/v1.0/users/{guid}"
}
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
Forbidden
Headers:
Cache-Control : no-cache
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : {guid}
client-request-id : {guid}
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"US","Slice":"E","Ring":"4","ScaleUnit":"002","RoleInstance":"CH01"}}
x-ms-resource-unit : 1
Date : Wed, 21 May 2025 16:58:02 GMT
Body:
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2025-05-21T16:58:02",
"request-id": "{guid}",
"client-request-id": "{guid}"
}
}
}
New-MgDeviceRegisteredOwnerByRef_Create: Insufficient privileges to complete the operation.
Status: 403 (Forbidden)
ErrorCode: Authorization_RequestDenied
Date: 2025-05-21T16:58:02
Headers:
Cache-Control : no-cache
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : {guid}
client-request-id : {guid}
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"US","Slice":"E","Ring":"4","ScaleUnit":"002","RoleInstance":"CH01"}}
x-ms-resource-unit : 1
Date : Wed, 21 May 2025 16:58:02 GMT
Recommendation: See service error codes: https://learn.microsoft.com/graph/errors
DEBUG: [CmdletEndProcessing]: - New-MgDeviceRegisteredOwnerByRef end processing.
Debug log for "remove":
DEBUG: [CmdletBeginProcessing]: - Remove-MgDeviceRegisteredOwnerDirectoryObjectByRef begin processing with parameterSet 'Delete'.
DEBUG: [Authentication]: - AuthType: 'Delegated', TokenCredentialType: 'InteractiveBrowser', ContextScope: 'CurrentUser', AppName: 'Microsoft Graph Command Line Tools'.
DEBUG: [Authentication]: - Scopes: [AdministrativeUnit.Read.All, AdministrativeUnit.ReadWrite.All, Device.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All, Group.Read.All, Group.ReadWrite.All, IdentityRiskEvent.Read.All, IdentityRiskyUser.ReadWrite.All, openid, Policy.Read.All, PrivilegedAccess.ReadWrite.AzureADGroup, PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup, profile, RoleAssignmentSchedule.ReadWrite.Directory, RoleEligibilitySchedule.ReadWrite.Directory, RoleManagement.ReadWrite.Directory, RoleManagementPolicy.Read.AzureADGroup, RoleManagementPolicy.ReadWrite.AzureADGroup, Team.ReadBasic.All, TeamMember.Read.All, User.Read, User.Read.All, User.ReadWrite.All, email].
Confirm
Are you sure you want to perform this action?
Performing the operation "Remove-MgDeviceRegisteredOwnerDirectoryObjectByRef_Delete" on target "Call remote 'DELETE /devices/{device-id}/registeredOwners/{directoryObject-id}/$ref' operation".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
DELETE
Absolute Uri:
https://graph.microsoft.com/v1.0/devices/{guid}/registeredOwners/{guid}/$ref
Headers:
FeatureFlag : 00000003
Cache-Control : no-store, no-cache
User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.22631; en-US),PowerShell/2025.0.0
SdkVersion : graph-powershell/2.28.0
client-request-id : {guid}
Accept-Encoding : gzip,deflate,br
Body:
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
Forbidden
Headers:
Cache-Control : no-cache
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : {guid}
client-request-id : {guid}
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"US","Slice":"E","Ring":"4","ScaleUnit":"002","RoleInstance":"CH01"}}
x-ms-resource-unit : 1
Date : Wed, 21 May 2025 16:58:09 GMT
Body:
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2025-05-21T16:58:10",
"request-id": "{guid}",
"client-request-id": "{guid}"
}
}
}
Remove-MgDeviceRegisteredOwnerDirectoryObjectByRef_Delete: Insufficient privileges to complete the operation.
Status: 403 (Forbidden)
ErrorCode: Authorization_RequestDenied
Date: 2025-05-21T16:58:10
Headers:
Cache-Control : no-cache
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : {guid}
client-request-id : {guid}
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"US","Slice":"E","Ring":"4","ScaleUnit":"002","RoleInstance":"CH01"}}
x-ms-resource-unit : 1
Date : Wed, 21 May 2025 16:58:09 GMT
Recommendation: See service error codes: https://learn.microsoft.com/graph/errors
DEBUG: [CmdletEndProcessing]: - Remove-MgDeviceRegisteredOwnerDirectoryObjectByRef end processing.
Configuration
- OS: Windows 11 x64
- no docker
- PSVersion 7.5.1
- PSEdition Core
- GitCommitId 7.5.1
- OS Microsoft Windows 10.0.22631
- Platform Win32NT
- PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
- PSRemotingProtocolVersion 2.3
- SerializationVersion 1.1.0.1
- WSManStackVersion 3.0
Other information
No response
See https://github.com/microsoftgraph/entra-powershell/issues/1478#issuecomment-2903766173. The permission needed to remove is Directory.AccessAsUser.All. Is there any way the output of the error can reveal or hint at what permission is needed to make the function work?
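An added example, not code from the issue or from the Microsoft Graph PowerShell SDK, showing the pre-flight check a practitioner would wrap around the repro above: verify the delegated scopes on the current session (including the Directory.AccessAsUser.All scope the linked comment identifies) before changing registered owners, and turn the bare 403 into a message that names the missing scope. It assumes the Microsoft.Graph module is installed; $DeviceName and $NewOwnerUpn are placeholder parameters you supply.

```powershell
# Added example (not from the issue or the Graph SDK): check delegated scopes
# before touching registered owners and explain a 403 when it happens.
param(
    [Parameter(Mandatory)] [string] $DeviceName,   # placeholder, e.g. 'win11'
    [Parameter(Mandatory)] [string] $NewOwnerUpn   # placeholder UPN of the new owner
)

# Directory.AccessAsUser.All is the scope the linked comment identifies. It is a
# broad, delegated-only permission, so request it only for this session.
$RequiredScopes = @('Device.ReadWrite.All', 'Directory.AccessAsUser.All')

function Assert-MgScopes {
    param([string[]] $Scopes)
    $ctx = Get-MgContext
    $missing = $Scopes | Where-Object { (-not $ctx) -or ($ctx.Scopes -notcontains $_) }
    if ($missing) {
        Write-Warning "Missing delegated scope(s): $($missing -join ', '); reconnecting with a consent prompt."
        Connect-MgGraph -Scopes $Scopes -NoWelcome
    }
}

function Set-DeviceOwner {
    param([string] $DeviceName, [string] $NewOwnerUpn)
    $device = @(Get-MgDevice -Filter "displayName eq '$DeviceName'")
    if ($device.Count -ne 1) { throw "Expected exactly one device named '$DeviceName', found $($device.Count)." }
    $newOwner = Get-MgUser -UserId $NewOwnerUpn
    try {
        # Remove every current owner, then add the new one (same calls as the repro).
        foreach ($old in Get-MgDeviceRegisteredOwner -DeviceId $device[0].Id) {
            Remove-MgDeviceRegisteredOwnerDirectoryObjectByRef -DeviceId $device[0].Id -DirectoryObjectId $old.Id
        }
        New-MgDeviceRegisteredOwnerByRef -DeviceId $device[0].Id -BodyParameter @{
            '@odata.id' = "https://graph.microsoft.com/v1.0/users/$($newOwner.Id)"
        }
    }
    catch {
        if ($_.Exception.Message -match 'Insufficient privileges') {
            # The service's 403 does not name the scope, so say it here.
            throw "Authorization_RequestDenied while changing the registered owner of '$DeviceName'. " +
                  "The session must hold $($RequiredScopes -join ' and '); a Global Administrator role " +
                  "alone is not sufficient. Original error: $($_.Exception.Message)"
        }
        throw
    }
}

Assert-MgScopes -Scopes $RequiredScopes
Set-DeviceOwner -DeviceName $DeviceName -NewOwnerUpn $NewOwnerUpn
Disconnect-MgGraph | Out-Null   # end the elevated session as soon as the change is done
```

Running Assert-MgScopes against the scope list in the debug output above reports Directory.AccessAsUser.All as missing, which is exactly the case the 403 in this issue does not explain.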