Merge pull request #4664 from andrew-s-taylor/patch-6

Update create-assigned-device-group.md
MicrosoftDocs · Nov 20, 2024 · 0999f45 · 0999f45
2 parents 17be152 + 576ba0d
commit 0999f45
Showing 1 changed file with 59 additions and 14 deletions.
diff --git a/autopilot/includes/create-assigned-device-group.md b/autopilot/includes/create-assigned-device-group.md
@@ -5,7 +5,7 @@ manager: aaroncz
 ms.subservice: autopilot
 ms.service: windows-client
 ms.topic: include
-ms.date: 06/27/2024
+ms.date: 11/20/2024
 ms.localizationpriority: medium
 ---
 
@@ -57,28 +57,73 @@ Headings are driven by article context. -->
 
 If the **Intune Provisioning Client** service principal with AppId **f1346770-5b25-470b-88bd-d5744ab7952c** isn't available when selecting the owner of the device group, then follow these steps to add the service principal:
 
-1. On a device where Microsoft Intune or Microsoft Entra ID is normally administered, open a **Windows PowerShell** command prompt.
+1. On a device where Microsoft Intune or Microsoft Entra ID is normally administered, open an elevated **Windows PowerShell** command prompt.
 
 1. In the **Windows PowerShell** command prompt window:
 
-   1. Install the **azuread** module by entering the following command:
+    1. Install the **Microsoft.Graph.Authentication** module by entering the following command:
 
-        ```powershell
-        Install-Module azuread
-        ```
+       ```powershell
+       Install-Module Microsoft.Graph.Authentication
+       ```
 
-        If prompted to do so, agree to install **NuGet** and the **azuread** module from the **PSGallery**.
+       If prompted to do so:
 
-   1. Once the **azuread** module is installed, connect to Microsoft Entra ID by entering the following command:
+       - Agree to install **NuGet** by entering **Y** or **Yes**, or selecting the **Yes** button.
+       - Agree to install from the **PSGallery** untrusted repository by entering **Y** or **Yes**, or selecting the **Yes** button.
 
-        ```powershell
-        Connect-AzureAD
-        ```
+       For more information, see [Microsoft.Graph.Authentication](/powershell/module/microsoft.graph.authentication/) and [Set-PSRepository -InstallationPolicy](/powershell/module/powershellget/set-psrepository#-installationpolicy).
+
+    1. Install the **Microsoft.Graph.Applications** module by entering the following command:
+
+       ```powershell
+       Install-Module Microsoft.Graph.Applications
+       ```
+
+       If prompted to do so, agree to install from the **PSGallery** untrusted repository by entering **Y** or **Yes**, or selecting the **Yes** button.
 
-   1. If not already authenticated to Microsoft Entra ID, the **Sign in to your account** window appears. Enter the credentials of a Microsoft Entra ID administrator that has permissions to add service principals.
+       For more information, see [Microsoft.Graph.Applications](/powershell/module/microsoft.graph.applications/) and [Set-PSRepository -InstallationPolicy](/powershell/module/powershellget/set-psrepository#-installationpolicy).
 
-   1. Once authenticated to Microsoft Entra ID, add the **Intune Provisioning Client** service principal by entering the following command:
+    1. Once the **Microsoft.Graph.Authentication** and **Microsoft.Graph.Applications** modules are installed, connect to Microsoft Entra ID by entering the following command:
+
+       ```powershell
+       Connect-MgGraph -Scopes "Application.ReadWrite.All"
+       ```
+
+       For more information, see [Connect-MgGraph](/powershell/module/microsoft.graph.authentication/connect-mggraph).
+
+    1. If not already authenticated to Microsoft Entra ID, the **Sign in to your account** window appears. Enter the credentials of a Microsoft Entra ID administrator that has permissions to add service principals.
+
+    1. If the **Permissions requested** window appears, select the **Consent on behalf of your organization** checkbox, and then select the **Accept** button.
+
+    1. Once authenticated to Microsoft Entra ID and proper permissions are granted, add the **Intune Provisioning Client** service principal by entering the following command:
 
         ```powershell
-        New-AzureADServicePrincipal -AppId f1346770-5b25-470b-88bd-d5744ab7952c
+        New-MgServicePrincipal -AppID f1346770-5b25-470b-88bd-d5744ab7952c
         ```
+
+        For more information, see [New-MgServicePrincipal -BodyParameter](/powershell/module/microsoft.graph.applications/new-mgserviceprincipal#-bodyparameter).
+
+        > [!NOTE]
+        >
+        > - The following error message is displayed if the **Intune Provisioning Client service principal** already exists in the tenant:
+        >
+        >   ```powershell
+        >   New-MgServicePrincipal : The service principal cannot be created, updated, or restored because the service principal name 
+        >   f1346770-5b25-470b-88bd-d5744ab7952c is already in use.
+        >   Status: 409 (Conflict)
+        >   ErrorCode: Request_MultipleObjectsWithSameKeyValue
+        >   ```
+        >
+        > - The following error message is displayed if one of the following conditions is true:
+        >
+        >   - The account used to sign in with the `Connect-MgGraph` command doesn't have permissions to add a service principal to the tenant.
+        >   - The `-Scopes "Application.ReadWrite.All"` argument isn't added to the `Connect-MgGraph` command.
+        >   - The **Permissions requested** window isn't accepted.
+        >   - The **Consent on behalf of your organization** checkbox isn't selected in the **Permissions requested** window.
+        >
+        >   ```powershell
+        >   New-MgServicePrincipal : Insufficient privileges to complete the operation.
+        >   Status: 403 (Forbidden)
+        >   ErrorCode: Authorization_RequestDenied
+        >   ```