[BUG] - ReadWrite permissions requirement for backup #140

Closed
gmenziesint opened this issue Oct 23, 2023 · 2 comments
Labels
bug Something isn't working

@gmenziesint

Describe the bug
Hi,

We're currently testing out this package and it definitely fits all of our needs, you've done a great job!

We're running into a permissions error when attempting to just back up our tenant. We would expect to just need read-only permissions for the backup, as we don't intend to use the export functionality currently. We've excluded Conditional Access, and to complete the backup we have to exclude Profiles, which is what it seems to be failing on.

Below are the permissions we have for the app registration -

image

Below is the error we get

Exception("Request failed with ", response.status_code, " - ", response.text)
Exception: ('Request failed with ', 403, ' - ', '{"error":{"code":"Forbidden","message":"{\\r\\n \\"_version\\": 3,\\r\\n \\"Message\\": \\"Application is not authorized to perform this operation. Application must have one of the following scopes: DeviceManagementConfiguration.ReadWrite.All - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 420eb042-0974-432a-b551-3eaf2c3a33e3 - Url: https://fef.msua02.manage.microsoft.com/DeviceConfiguration_2310/StatelessDeviceConfigurationFEService/deviceManagement/deviceConfigurations(\'a6a32106-002b-4c6f-83b1-288291c1a726\')

To Reproduce
App registration with read only permissions as described above.

The command we are using is this -
IntuneCD-startbackup -m 1 -a 'C:\\Users\gmenzies\\Auth.JSON' -p 'C:\\Users\\gmenzies\\IntuneBackup' -e ConditionalAccess --append-id

Expected behavior
I expect that the backup should complete with only read only permissions and read write is a requirement for the import functionality.

Run type (please complete the following information):

  • Mode: [e.g. 0 or 1] - Mode 1
  • Client [e.g. Pipeline, local machine] - Local Machine
  • Version [e.g. 1.0.2] - Version 2.02

@gmenziesint gmenziesint added the bug Something isn't working label Oct 23, 2023
@almenscorner
Owner

Hi Greig,

Thank you very much!

For some reason Microsoft has decided that DeviceManagementConfiguration requires both read and write when exporting certain configurations. It is out of my hands to change this so that specific scope works with read only, unfortunately.

@gmenziesint
Author

> Hi Greig,
>
> Thank you very much!
>
> For some reason Microsoft has decided that DeviceManagementConfiguration requires both read and write when exporting certain configurations. It is out of my hands to change this so that specific scope works with read only, unfortunately.

Thanks for replying so promptly. I'll raise it to Microsoft then. Seems silly that read write is required for it. Thanks for your help!
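
Added example, not part of the thread and not IntuneCD's own code: a small audit helper that unwraps the nested JSON in a 403 body like the one reported above, lists the scopes the service says it will accept, and flags when every accepted scope is a ReadWrite one, so a read-only app registration cannot satisfy the call. The sample body is constructed from the error text in the issue, and the granted permission name `DeviceManagementConfiguration.Read.All` is an assumption, since the screenshot of the app registration is not on the page.

```python
import json
import re

# Scope list sits between "one of the following scopes:" and the next " - " field.
SCOPE_RE = re.compile(r"one of the following scopes:\s*(.+?)(?:\s+-\s+|$)")


def required_scopes(body: str) -> list:
    """Return the scopes a 403 response body says the application must hold."""
    try:
        message = json.loads(body)["error"]["message"]
    except (ValueError, KeyError, TypeError):
        return []
    if not isinstance(message, str):
        return []
    # The Intune backend puts a second JSON document inside error.message;
    # fall back to the raw string when it is plain text instead.
    try:
        inner = json.loads(message)
        if isinstance(inner, dict):
            message = str(inner.get("Message", message))
    except ValueError:
        pass
    match = SCOPE_RE.search(message)
    if not match:
        return []
    return [s.strip() for s in match.group(1).split(",") if s.strip()]


def audit_403(body: str, granted: set) -> dict:
    """Compare the scopes demanded by a 403 with what the app was granted."""
    needed = required_scopes(body)
    return {
        "needed_any_of": needed,
        "satisfied": any(s in granted for s in needed),
        # True when no read-only scope is accepted for this operation.
        "write_only": bool(needed) and all(".ReadWrite." in s for s in needed),
    }


# Constructed sample, modelled on the error quoted in the issue.
_inner = json.dumps({"_version": 3, "Message": (
    "Application is not authorized to perform this operation. Application must "
    "have one of the following scopes: DeviceManagementConfiguration.ReadWrite.All"
    " - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000")})
SAMPLE_BODY = json.dumps({"error": {"code": "Forbidden", "message": _inner}})

if __name__ == "__main__":
    print(audit_403(SAMPLE_BODY, {"DeviceManagementConfiguration.Read.All"}))
```

A `write_only` result of `True` on a backup-only service principal is worth recording as a documented least-privilege exception, with the ReadWrite grant reviewed alongside the app's credential storage and sign-in logs.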
