Get-IntuneManagedDevice fails to return devices with an implied "Default" scope tag
treestryder opened this issue · 0 comments
We explicitly assign a scope tag to a group of devices. When looking at the properties of these devices they only show the assigned Scope Tag, not the implied "Default" scope tag.
This works fine in the UI, for myself with rights to all Scope Tags and for those with rights to just the "Default" Scope Tag.
https://endpoint.microsoft.com/#blade/Microsoft_Intune_Devices/DeviceSettingsMenuBlade/properties/mdmDeviceId/8769c25f-0513-4df3-ba44-72bc2e627882/primaryUserId/01c165f1-0dea-4056-8765-3140d8fb0752
However, ran with my full admin account, the Powershell commands Get-IntuneManagedDevice and Get-DeviceManagement_ManagedDevices fail to find these devices with the special Scope Tag, until the "Default" is added to them.
Get-IntuneManagedDevice -managedDeviceId '01c165f1-0dea-4056-8765-3140d8fb0752'
Get-IntuneManagedDevice : 404 Not Found
{"error":{"code":"ResourceNotFound","message":"{\r\n \"_version\": 3,\r\n \"Message\": \"Resource does not contain a tag allowed by the current role. - Operation ID (for customer support):
00000000-0000-0000-0000-000000000000 - Activity ID: 985f047b-47bd-4312-9542-73f313b0ee72 - Url:
https://fef.msua04.manage.microsoft.com/DeviceFE/StatelessDeviceFEService/deviceManagement/managedDevices%28%2701c165f1-0dea-4056-8765-3140d8fb0752%27%29?api-version=2021-04-07\",\r\n
\"CustomApiErrorPhrase\": \"\",\r\n \"RetryAfter\": null,\r\n \"ErrorSourceService\": \"\",\r\n \"HttpHeaders\":
\"{}\"\r\n}","innerError":{"date":"2022-02-03T19:35:15","request-id":"985f047b-47bd-4312-9542-73f313b0ee72","client-request-id":"985f047b-47bd-4312-9542-73f313b0ee72"}}}
At line:1 char:1
+ Get-IntuneManagedDevice -managedDeviceId '01c165f1-0dea-4056-8765-314 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ConnectionError: (@{Request=; Response=}:PSObject) [Get-DeviceManagement_ManagedDevices], HttpRequestException
+ FullyQualifiedErrorId : PowerShellGraphSDK_HttpRequestError,Microsoft.Intune.PowerShellGraphSDK.PowerShellCmdlets.Get_DeviceManagement_ManagedDevices
I accidently disabled a batch of Azure AD objects that I thought did not have a corresponding Intune object, because these same devices are not included in a full device export.
Is there a way to export ALL devices, no matter their scope tags? Or, could this be a bug?
Sorry, I had forgotten that this was on GitHub and opened a support case with the Intune team (29569402) and created a ServerFault question.