My ultimate goal is to use a PowerShell script create an App Protection and assign it. Everything works except assignment, so I am using Graph Explorer to determine the correct syntax to assign the policy. Every scenario fails with "No method match route template". Permissions have been verified. The policy and group IDs have been verified. Any help is welcome.
Following is the Response Preview of a policy with assignment.
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#deviceAppManagement/androidManagedAppProtections('{ID}')/assignments",
"value": [
{
"id": "cb16bf46-1479-45b2-8221-2f4c5cada212_incl",
"target": {
"@odata.type": "#microsoft.graph.groupAssignmentTarget",
"groupId": "{ID}"
}
}
]
}
For the policy I want to assign, GET retrieves the correct information. Currently there is no assignment. Below is an example. This is the response with every syntax used for the request body. The different options tried are at the bottom.
GET https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections/{ID}/assignments/
Response Preview
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#deviceAppManagement/androidManagedAppProtections('T_3cf871f9-9a39-46da-b776-1c5b2c13da48')/assignments",
"@microsoft.graph.tips": "Use $select to choose only the properties your app needs, as this can lead to performance improvements. For example: GET deviceAppManagement/androidManagedAppProtections('<key>')/assignments?$select=target",
"value": []
}
POST https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections/{ID}/assignments/
Request Body
{
"target": {
"@odata.type": "#microsoft.graph.groupAssignmentTarget",
"groupId": "{ID}"
}
}
Response Preview
{
"error": {
"code": "No method match route template",
"message": "No OData route exists that match template ~/singleton/navigation/key/navigation with http verb POST for request /MAMAdmin_2412/MAMAdminFEService/deviceAppManagement/androidManagedAppProtections('{ID}')/assignments.",
"innerError": {
"date": "{DATE}",
"request-id": "{ID}",
"client-request-id": "{ID}"
}
}
}
Here the request bodies tried so far.
#1
{
"assignments": [
{
"target": {
"@odata.type": "#microsoft.graph.groupAssignmentTarget",
"groupId": "{ID}"
}
}
]
}
#2
{
"assignments": [
{
"@odata.type": "#microsoft.graph.groupAssignmentTarget",
"target": {
"groupId": "{ID}"
}
}
]
}
#3
{
"target": {
"@odata.type": "#microsoft.graph.groupAssignmentTarget",
"groupId": "{ID}"
}
}
#4
{
"@odata.type": "#microsoft.graph.groupAssignmentTarget",
"target": {
"groupId": "{ID}"
}
}
#5
{
"@odata.type": "#microsoft.graph.targetedManagedAppPolicyAssignment",
"target": {
"@odata.type": "#microsoft.graph.groupAssignmentTarget",
"groupId": "{ID}"
}
}
#6
{
"assignments": [
{
"@odata.type": "#microsoft.graph.targetedManagedAppPolicyAssignment",
"target": {
"@odata.type": "#microsoft.graph.groupAssignmentTarget",
"groupId": "{ID}"
}
}
]
}
#7
{
"assignments": [
{
"@odata.type": "#microsoft.graph.deviceAndAppManagementAssignmentTarget",
"target": {
"@odata.type": "#microsoft.graph.groupAssignmentTarget",
"groupId": "{ID}"
}
}
]
}
#8
{
"@odata.type": "#microsoft.graph.deviceAndAppManagementAssignmentTarget",
"target": {
"@odata.type": "#microsoft.graph.groupAssignmentTarget",
"groupId": "{ID}"
}
}
#9
{
"value": [
{
"@odata.type": "#microsoft.graph.deviceAndAppManagementAssignmentTarget",
"target": {
"@odata.type": "#microsoft.graph.groupAssignmentTarget",
"groupId": "{ID}"
}
}
]
}
#10
{
"value": [
{
"target": {
"@odata.type": "#microsoft.graph.groupAssignmentTarget",
"groupId": "{ID}"
}
}
]
}
The endpoint URL for adding assignments to app protection policies is:
POST https://graph.microsoft.com/beta/deviceAppManagement/androidManagedAppProtections/{ID}/assign
Note the difference at the end of the URL: /assign, not /assignment.