diff --git a/autopilot/includes/create-assigned-device-group.md b/autopilot/includes/create-assigned-device-group.md index 2b4edc32041..538e42512ea 100644 --- a/autopilot/includes/create-assigned-device-group.md +++ b/autopilot/includes/create-assigned-device-group.md @@ -5,7 +5,7 @@ manager: aaroncz ms.subservice: autopilot ms.service: windows-client ms.topic: include -ms.date: 06/27/2024 +ms.date: 11/20/2024 ms.localizationpriority: medium --- 
@@ -57,28 +57,73 @@ Headings are driven by article context. --> If the **Intune Provisioning Client** service principal with AppId **f1346770-5b25-470b-88bd-d5744ab7952c** isn't available when selecting the owner of the device group, then follow these steps to add the service principal: -1. On a device where Microsoft Intune or Microsoft Entra ID is normally administered, open a **Windows PowerShell** command prompt. +1. On a device where Microsoft Intune or Microsoft Entra ID is normally administered, open an elevated **Windows PowerShell** command prompt. 1. In the **Windows PowerShell** command prompt window: - 1. Install the **azuread** module by entering the following command: + 1. Install the **Microsoft.Graph.Authentication** module by entering the following command: - ```powershell - Install-Module azuread - ``` + ```powershell + Install-Module Microsoft.Graph.Authentication + ``` - If prompted to do so, agree to install **NuGet** and the **azuread** module from the **PSGallery**. + If prompted to do so: - 1. Once the **azuread** module is installed, connect to Microsoft Entra ID by entering the following command: + - Agree to install **NuGet** by entering **Y** or **Yes**, or selecting the **Yes** button. + - Agree to install from the **PSGallery** untrusted repository by entering **Y** or **Yes**, or selecting the **Yes** button. - ```powershell - Connect-AzureAD - ``` + For more information, see [Microsoft.Graph.Authentication](/powershell/module/microsoft.graph.authentication/) and [Set-PSRepository -InstallationPolicy](/powershell/module/powershellget/set-psrepository#-installationpolicy). + + 1. Install the **Microsoft.Graph.Applications** module by entering the following command: + + ```powershell + Install-Module Microsoft.Graph.Applications + ``` + + If prompted to do so, agree to install from the **PSGallery** untrusted repository by entering **Y** or **Yes**, or selecting the **Yes** button. - 1. 
If not already authenticated to Microsoft Entra ID, the **Sign in to your account** window appears. Enter the credentials of a Microsoft Entra ID administrator that has permissions to add service principals. + For more information, see [Microsoft.Graph.Applications](/powershell/module/microsoft.graph.applications/) and [Set-PSRepository -InstallationPolicy](/powershell/module/powershellget/set-psrepository#-installationpolicy). - 1. Once authenticated to Microsoft Entra ID, add the **Intune Provisioning Client** service principal by entering the following command: + 1. Once the **Microsoft.Graph.Authentication** and **Microsoft.Graph.Applications** modules are installed, connect to Microsoft Entra ID by entering the following command: + + ```powershell + Connect-MgGraph -Scopes "Application.ReadWrite.All" + ``` + + For more information, see [Connect-MgGraph](/powershell/module/microsoft.graph.authentication/connect-mggraph). + + 1. If not already authenticated to Microsoft Entra ID, the **Sign in to your account** window appears. Enter the credentials of a Microsoft Entra ID administrator that has permissions to add service principals. + + 1. If the **Permissions requested** window appears, select the **Consent on behalf of your organization** checkbox, and then select the **Accept** button. + + 1. Once authenticated to Microsoft Entra ID and proper permissions are granted, add the **Intune Provisioning Client** service principal by entering the following command: ```powershell - New-AzureADServicePrincipal -AppId f1346770-5b25-470b-88bd-d5744ab7952c + New-MgServicePrincipal -AppID f1346770-5b25-470b-88bd-d5744ab7952c ``` + + For more information, see [New-MgServicePrincipal -BodyParameter](/powershell/module/microsoft.graph.applications/new-mgserviceprincipal#-bodyparameter). 
+ + > [!NOTE] + > + > - The following error message is displayed if the **Intune Provisioning Client service principal** already exists in the tenant: + > + > ```powershell + > New-MgServicePrincipal : The service principal cannot be created, updated, or restored because the service principal name + > f1346770-5b25-470b-88bd-d5744ab7952c is already in use. + > Status: 409 (Conflict) + > ErrorCode: Request_MultipleObjectsWithSameKeyValue + > ``` + > + > - The following error message is displayed if one of the following conditions is true: + > + > - The account used to sign in with the `Connect-MgGraph` command doesn't have permissions to add a service principal to the tenant. + > - The `-Scopes "Application.ReadWrite.All"` argument isn't added to the `Connect-MgGraph` command. + > - The **Permissions requested** window isn't accepted. + > - The **Consent on behalf of your organization** checkbox isn't selected in the **Permissions requested** window. + > + > ```powershell + > New-MgServicePrincipal : Insufficient privileges to complete the operation. + > Status: 403 (Forbidden) + > ErrorCode: Authorization_RequestDenied + > ```
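Review bot: In the second hunk, the added step that tells the reader to select **Consent on behalf of your organization** for `Connect-MgGraph -Scopes "Application.ReadWrite.All"` does not say how broad that grant is, or that it stays in place after this one-off command has run. Suggest adding a sentence after that step stating that the consent applies to the whole tenant until an administrator revokes it, and adding a closing step that ends the session with `Disconnect-MgGraph` once `New-MgServicePrincipal` has succeeded. Two smaller points in the same hunk: the link text "New-MgServicePrincipal -BodyParameter" and its `#-bodyparameter` anchor do not match the command shown, which passes `-AppID`, so the link should point at the parameter the reader actually uses. The command also spells the parameter `-AppID` while the surrounding prose uses **AppId**; pick one casing. Finally, step 1 now requires an elevated prompt without saying why. If the only reason is `Install-Module`, the doc could state that, or offer `Install-Module -Scope CurrentUser` as a way to avoid elevation.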