Last Updated on July 27, 2024 by rudyooms

This short blog will be about a question I received on Linkedin. The question was about Graph Explorer and why it wasn’t returning the OMA-URI values configured. It only showed some nice **** (IsEncrypted Value)

1. Replicating the Problem

If we need to fix the problem, we need to experience the problem ourselves. To start replicating the problem I opened the graph explorer first.

Graph Explorer is an excellent tool when you are starting with creating Graph API requests. So the tool can be used when you need to check some settings.

Let’s take a look at what settings are returned when we run this query.

https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/99b324ca-937e-4494-ac54-b06d889b04e8

As shown above, the value has some nice **** instead of the real values. So what’s happening?

2. What’s Happening?

When taking another good look at the screenshot above, you could also have noticed another funny setting: “IsEncrypted”: True

Please Note: The Isencrypted and SecretReferencevalueid are only shown in the Beta version and not in the V1.0 of Graph

I guess it’s obvious what “isencrypted” means when it’s configured to 1. If not… the official documentation says the value field is encrypted.

So, Microsoft has suddenly switched the default value of isencrypted to 1 last month? I guess I missed that announcement? But okay, no problem… Encryption is always a good thing. How are we going to decrypt it?

When looking at the outcome of the query, we also noticed the “Secretreferencevalueid” in it.

Okay… So we can use this “id/key” to decrypt the oma settings value. But luckily there is no official documentation to tell us how?

Looking back at the wonderful history of GitHub commits, I noticed the “isencrypted” and the needed “secretreferencevalueid” appeared in the commit from 14 April

Okay, but how are we going to get back the URI we need? Fiddler to the rescue! When we need some more information about what happens when we are configuring Intune, we need to use fiddler. If you want to know how it works, please visit this blog.

So what does the URI look like?

I guess we have everything we need now, let’s create a PowerShell script to get back the values ourselves.

PLEASE NOTE: Uploading new device configuration policies with PowerShell is totally not a problem, as long as you don’t add the “isencrypted” key etc. So when you have a backup of your Intune tenant and the “isencrypted” part is in it, remove it!

Take a look at my GitHub enrollment page for some examples

Enrollment/Windows10_TimeZone.json at main · Call4cloud/Enrollment (github.com)

3. Fixing the problem

And the PowerShell script with all the stuff in it, we discussed in this blog. Please test it out yourself but don’t forget to change the device configuration ID to your liking

$authResult = Get-MsalToken -ClientId 'd1ddf0e4-d672-4dae-b554-9d5bdfd93547' -Scopes 'https://graph.microsoft.com/.default'
$headers1b = @{
'Content-Type'='application/json'
'Authorization'="Bearer " + $authResult.AccessToken
'ExpiresOn'=$authResult.ExpiresOn
}

$deviceconfigid = "99b324ca-937e-4494-ac54-b06d889b04e8"

#get the device configuration
$url = "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$deviceconfigid"
$deviceconfiguration = Invoke-RestMethod -Uri $url -Headers $headers1b -Method get

#get the secretid needed to unencrypt the data
$secretid = $deviceconfiguration.omasettings.secretReferenceValueId

#parsing the secretid to unencrypt it
$Value = Invoke-restmethod -Headers $headers1b -Method get -uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$deviceConfigid/getOmaSettingPlainTextValue(secretReferenceValueId='$($secretid)')"
$value | fl

4. Application VS Delegated Permissions

The day after this blog, I received another question about this nice problem: “Why doesn’t it work with an App Registration”

First, we need to know the difference between the script I used and the script that didn’t work. Let’s take a look at the possible Graph Permissions.

So when getting the token with the script I used, you will be using Delegated permissions because I am accessing it by signing in with a username/password and using the Microsoft Intune PowerShell App with the well known d1ddf0e4-d672-4dae-b554-9d5bdfd93547 id.

When you use this script below, you are “Application Permissions” because it doesn’t prompt you to login but uses the clientid and clientsecret to login.

#Define Client Variables Here
#############################
$TenantName = "*****"
$clientID = "*****"
$clientSecret = "*******"
$Scope = "https://graph.microsoft.com/.default"

#Define deviceconfig here
#############################
$deviceconfigid = "99b324ca-937e-4494-ac54-b06d889b04e8" 

#Construct Auth call to get Access Token 
#########################################
$Body = @{
    Grant_Type = "client_credentials"
    Scope = $Scope
    client_Id = $clientID
    Client_Secret = $clientSecret
}
$authUri = "https://login.microsoftonline.com/$TenantName/oauth2/v2.0/token"
  
$TokenResponse = 
Invoke-RestMethod -Uri $authUri -Method POST -Body $Body
$token = $tokenresponse.Access_token

There normally should be no difference but the Application App PowerShell script will return a (403) Not authorized error when you try to get back the omasettings value.

Looking at it with Fiddler, you will notice a weird not googleable error: UnknownInConvertApiError

So we can assume that running the same script with a token with Delegated permissions works but it fails when running the same script with a token with Application permissions!

So what else can we do? If you want to automate the backup of your Intune tenant and you need to use an App Reg to do it, you could add a user for delegated permissions in the body.

$client_id = "*"
$client_secret = "*"
$tenant_id = "*"
$resource = "https://graph.microsoft.com"
$authority = "https://login.microsoftonline.com/$tenant_id"
$tokenEndpointUri = "$authority/oauth2/token"

$UserForDelegatedPermissions="*"
$Password="*" 


$content = "grant_type=password&client_id=$client_id&client_secret=$client_secret&username=$UserForDelegatedPermissions&password=$Password&prompt=admin_consent&resource=$resource";
$response = Invoke-RestMethod -Uri $tokenEndpointUri -Body $content -Method Post -UseBasicParsing
    
$access_token = $response.access_token

$headers1b = @{
'Content-Type'='application/json'
'Authorization'="Bearer " + $Access_token
'ExpiresOn'=$response.Expires_On
}

Hopefully, we can get back a good answer as to why it isn’t working with Application Permissions… So stay tuned!

5. Microsoft has Fixed the Application Permissions Issue

Yes!!! Microsoft has fixed the problem with the UnknownConvertApiError when you want to return the encrypted oma settings value.

Of course, I did a test run myself… As shown below, it returned the proper values now!

6. I guess Microsoft didn’t fix all the Application Permissions!

When you are using automation to get the device reports like mentioned in this MS Doc below, you are also going to end up with a nice new error

Use Graph APIs to export Intune Reports | Microsoft Docs

This is the code I used to generate the CSV for the device reports

#get the token
$token = Get-MsalToken -ClientId '*' -ClientSecret (ConvertTo-SecureString '*' -AsPlainText -Force) -TenantId '*' -Scope 'https://graph.microsoft.com/.default'
$headers1b = @{
            'Content-Type'='application/json'
          'Authorization'="Bearer " + $token.AccessToken
        'ExpiresOn'=$token.ExpiresOn
          }

#get the device configuration
$url = "https://graph.microsoft.com/beta/deviceManagement/reports/exportJobs"
$body =
@'
{"reportName":"Devices","filter":"(OwnerType eq '1')","localizationType":"LocalizedValuesAsAdditionalColumn","select":["DeviceName","managementAgent","ownerType","complianceState","OS","OSVersion","LastContact","UPN","DeviceId"]}
'@
 

$deviceconfiguration = Invoke-RestMethod -Uri $url -Headers $headers1b -Method post -body $body

And the error I got: CustomApiErrorPhrase .

That’s not good at all.. when you need to have the reports generated now, you could use the script I mentioned earlier, to pass a user with credentials for the delegated permissions.

Conclusion:

When do I need to choose between spending my free evening watching some series or helping someone with a question I don’t have the answer to? (at that time)

I guess you all know what my choice was.