I have successfully enrolled a device (Windows 10 Pro Version 1803) to our own MDM by authenticating an Azure AD user. Next I have to tell Azure AD that the device is managed by our MDM, and that is where the problem happens.
The PATCH request that I send is the same as the one in the documentation: https://learn.microsoft.com/en-us/windows/client-management/mdm/azure-active-directory-integration-with-mdm#report-device-compliance-to-azure-ad
The error I get is: Resource 'xyz' does not exist or one of its queried reference-property objects are not present.
What I have done so far is:
- OnPremise App: set its Terms Of Use URL and Discovery URL, generated a secret. Also configured MDM User scope to "Some" and selected a group that my users are members of.
- Obtained a Bearer Token and extracted the Device ID (e.g. xyz), which is the same as the one shown on the Azure AD portal once the device is successfully managed.
- Sent the following request:

PATCH https://graph.windows.net/mytenant.onmicrosoft.com/devices/xyz?api-version=1.0 HTTP/1.1
Authorization: Bearer eyJ0eXAiO………
Accept: application/json
Content-Type: application/json

{ "isManaged":true,
"isCompliant":true
}
But I got the error described above.
I have also tested different Device IDs, such as the one Windows 10 shows under Settings => System => About, or the one present in the DeviceID attribute of the ContextItem element in the Request Security Token request during enrollment.
The bearer token I use on the PATCH above is retrieved from Microsoft Graph when the registered MDM app (using its credentials such as app ID, secret, etc.) authenticates itself to Azure AD.
Would you please help me find the source of this error, or maybe give me some hints on how to solve it? I'd appreciate it a lot.
Thanks in advance.
The deviceId of a Device object in Azure AD is often confused with the object's objectId attribute. (The latter is known as objectId in Azure AD Graph, and as id in Microsoft Graph. In both cases, deviceId is a different property.)
In a GET request for a single Device object with Azure AD Graph:
GET https://graph.windows.net/{tenant-id}/devices/{object-id}
The field identified by {object-id} is not the deviceId attribute of the Device object; it's the objectId attribute.
If you don't already have the Device object's objectId value, but you do have the deviceId, you can use either Azure AD Graph or Microsoft Graph to do the appropriate lookup. With Azure AD Graph:
GET https://graph.windows.net/{tenant-id}/devices?$filter=deviceId eq '{device-id}'
With Microsoft Graph, you would use:
GET https://graph.microsoft.com/v1.0/devices?$filter=deviceId eq '{device-id}'
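The two-step flow the answer describes (look up the object id by deviceId, then PATCH /devices/{object-id}) as an added example, not code from the original post; it targets the Microsoft Graph v1.0 endpoints quoted above, the JSON lookup response is constructed, and the GRAPH_TOKEN environment variable is an assumption.

```python
"""Resolve an Azure AD device's deviceId to its Graph object id, then build
the isManaged/isCompliant PATCH.  Example code, not from the original post."""
import json
import os
from typing import Any, Dict, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"


def lookup_url(device_id: str) -> str:
    """URL that finds the Device object whose deviceId (not id) matches."""
    # A single quote inside an OData string literal is escaped by doubling it,
    # so a caller-supplied value cannot break out of the filter expression.
    literal = device_id.replace("'", "''")
    return f"{GRAPH}/devices?$filter=deviceId eq '{literal}'"


def object_id_from_lookup(body: Dict[str, Any]) -> str:
    """Extract the object id from a /devices?$filter response.

    Exactly one match is required: zero means the device is not registered
    (or the wrong id was used), more than one is a tenant data problem that
    should be investigated rather than guessed at."""
    matches = body.get("value", [])
    if len(matches) != 1:
        raise LookupError(f"expected exactly 1 device, got {len(matches)}")
    return matches[0]["id"]


def compliance_patch(object_id: str, token: str) -> Tuple[str, str, Dict[str, str], str]:
    """Return (method, url, headers, body) for PATCH /devices/{object-id}.

    The path segment is the object id from object_id_from_lookup, not the
    deviceId the MDM sees during enrollment."""
    headers = {"Authorization": f"Bearer {token}",
               "Accept": "application/json",
               "Content-Type": "application/json"}
    body = json.dumps({"isManaged": True, "isCompliant": True})
    return "PATCH", f"{GRAPH}/devices/{object_id}", headers, body


# Constructed sample lookup response with placeholder GUIDs (not real data).
SAMPLE_LOOKUP = {"value": [{"id": "11111111-2222-3333-4444-555555555555",
                            "deviceId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
                            "displayName": "WIN10-LAB"}]}

if __name__ == "__main__":
    oid = object_id_from_lookup(SAMPLE_LOOKUP)
    # The token comes from the MDM app's client-credentials flow; read it from
    # the environment instead of pasting it into the script (assumed variable).
    method, url, _hdrs, body = compliance_patch(oid, os.environ.get("GRAPH_TOKEN", "<token>"))
    print(method, url, body)
```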