From 4fac1335ae81aee6dfa91736aef40c1fc17a4e72 Mon Sep 17 00:00:00 2001 From: Andrew Taylor <59832110+andrew-s-taylor@users.noreply.github.com> Date: Thu, 7 Nov 2024 10:11:42 +0000 Subject: [PATCH 01/10] Update create-assigned-device-group.md Changed from Deprecated AzureAD module to MgGraph --- autopilot/includes/create-assigned-device-group.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/autopilot/includes/create-assigned-device-group.md b/autopilot/includes/create-assigned-device-group.md index 2b4edc32041..91e76c2cf0b 100644 --- a/autopilot/includes/create-assigned-device-group.md +++ b/autopilot/includes/create-assigned-device-group.md @@ -64,7 +64,7 @@ If the **Intune Provisioning Client** service principal with AppId **f1346770-5b 1. Install the **azuread** module by entering the following command: ```powershell - Install-Module azuread + Install-Module microsoft.graph.applications ``` If prompted to do so, agree to install **NuGet** and the **azuread** module from the **PSGallery**. @@ -72,7 +72,7 @@ If the **Intune Provisioning Client** service principal with AppId **f1346770-5b 1. Once the **azuread** module is installed, connect to Microsoft Entra ID by entering the following command: ```powershell - Connect-AzureAD + Connect-MgGraph ``` 1. If not already authenticated to Microsoft Entra ID, the **Sign in to your account** window appears. Enter the credentials of a Microsoft Entra ID administrator that has permissions to add service principals. @@ -80,5 +80,5 @@ If the **Intune Provisioning Client** service principal with AppId **f1346770-5b 1. Once authenticated to Microsoft Entra ID, add the **Intune Provisioning Client** service principal by entering the following command: ```powershell - New-AzureADServicePrincipal -AppId f1346770-5b25-470b-88bd-d5744ab7952c + New-MgServicePrincipal -BodyParameter f1346770-5b25-470b-88bd-d5744ab7952c ``` From bef3774b366ccb5e47da5360c66c7b9167d34025 Mon Sep 17 00:00:00 2001 
From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Mon, 18 Nov 2024 14:30:46 -0500 Subject: [PATCH 02/10] Add missing Microsoft.Graph.Authentication step Add missing Microsoft.Graph.Authentication step plus adding more details --- .../includes/create-assigned-device-group.md | 22 ++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/autopilot/includes/create-assigned-device-group.md b/autopilot/includes/create-assigned-device-group.md index 91e76c2cf0b..7291390d140 100644 --- a/autopilot/includes/create-assigned-device-group.md +++ b/autopilot/includes/create-assigned-device-group.md @@ -5,7 +5,7 @@ manager: aaroncz ms.subservice: autopilot ms.service: windows-client ms.topic: include -ms.date: 06/27/2024 +ms.date: 11/18/2024 ms.localizationpriority: medium --- 
@@ -61,20 +61,30 @@ If the **Intune Provisioning Client** service principal with AppId **f1346770-5b 1. In the **Windows PowerShell** command prompt window: - 1. Install the **azuread** module by entering the following command: + 1. Install the **Microsoft.Graph.Authentication** module by entering the following command: ```powershell - Install-Module microsoft.graph.applications + Install-Module Microsoft.Graph.Authentication ``` - If prompted to do so, agree to install **NuGet** and the **azuread** module from the **PSGallery**. + If prompted to do so, select **Yes** to agree to install from the **PSGallery** untrusted repository. For more information, see [Microsoft.Graph.Authentication](/powershell/module/microsoft.graph.authentication/) and [Set-PSRepository -InstallationPolicy](/powershell/module/powershellget/set-psrepository#-installationpolicy). + + 1. Install the **Microsoft.Graph.Applications** module by entering the following command: - 1. Once the **azuread** module is installed, connect to Microsoft Entra ID by entering the following command: + ```powershell + Install-Module Microsoft.Graph.Applications + ``` + + If prompted to do so, select **Yes** to agree to install from the **PSGallery** untrusted repository. For more information, see [Microsoft.Graph.Applications](/powershell/module/microsoft.graph.applications/) and [Set-PSRepository -InstallationPolicy](/powershell/module/powershellget/set-psrepository#-installationpolicy). + + 1. Once the **Microsoft.Graph.Authentication** and **Microsoft.Graph.Applications** modules are installed, connect to Microsoft Entra ID by entering the following command: ```powershell Connect-MgGraph ``` + For more information, see [Connect-MgGraph](/powershell/module/microsoft.graph.authentication/connect-mggraph). + 1. If not already authenticated to Microsoft Entra ID, the **Sign in to your account** window appears. 
Enter the credentials of a Microsoft Entra ID administrator that has permissions to add service principals. 1. Once authenticated to Microsoft Entra ID, add the **Intune Provisioning Client** service principal by entering the following command: @@ -82,3 +92,5 @@ If the **Intune Provisioning Client** service principal with AppId **f1346770-5b ```powershell New-MgServicePrincipal -BodyParameter f1346770-5b25-470b-88bd-d5744ab7952c ``` + + For more information, see [New-MgServicePrincipal](/powershell/module/microsoft.graph.applications/new-mgserviceprincipal). From 2aca73f199016d98aa2855e18be9ca389e49d3c8 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Mon, 18 Nov 2024 14:33:38 -0500 Subject: [PATCH 03/10] Update New-MgServicePrincipal link Update New-MgServicePrincipal link --- autopilot/includes/create-assigned-device-group.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/autopilot/includes/create-assigned-device-group.md b/autopilot/includes/create-assigned-device-group.md index 7291390d140..2582b155f6c 100644 --- a/autopilot/includes/create-assigned-device-group.md +++ b/autopilot/includes/create-assigned-device-group.md @@ -93,4 +93,4 @@ If the **Intune Provisioning Client** service principal with AppId **f1346770-5b New-MgServicePrincipal -BodyParameter f1346770-5b25-470b-88bd-d5744ab7952c ``` - For more information, see [New-MgServicePrincipal](/powershell/module/microsoft.graph.applications/new-mgserviceprincipal). + For more information, see [New-MgServicePrincipal -BodyParameter](/powershell/module/microsoft.graph.applications/new-mgserviceprincipal#-bodyparameter). From 272e9db507425fd87314e15781e81b7ff7f3b069 Mon Sep 17 00:00:00 2001 
From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Tue, 19 Nov 2024 12:06:16 -0500 Subject: [PATCH 04/10] Add permissions requested window Add instructions if permissions requested window appears. --- autopilot/includes/create-assigned-device-group.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/autopilot/includes/create-assigned-device-group.md b/autopilot/includes/create-assigned-device-group.md index 2582b155f6c..39567c33aec 100644 --- a/autopilot/includes/create-assigned-device-group.md +++ b/autopilot/includes/create-assigned-device-group.md @@ -5,7 +5,7 @@ manager: aaroncz ms.subservice: autopilot ms.service: windows-client ms.topic: include -ms.date: 11/18/2024 +ms.date: 11/19/2024 ms.localizationpriority: medium --- @@ -87,10 +87,12 @@ If the **Intune Provisioning Client** service principal with AppId **f1346770-5b 1. If not already authenticated to Microsoft Entra ID, the **Sign in to your account** window appears. Enter the credentials of a Microsoft Entra ID administrator that has permissions to add service principals. - 1. Once authenticated to Microsoft Entra ID, add the **Intune Provisioning Client** service principal by entering the following command: + 1. If the **Permissions requested** window appears, select the **Consent on behalf of your organization** checkbox, and then select the **Accept** button. + + 1. Once authenticated to Microsoft Entra ID and proper permissions are granted, add the **Intune Provisioning Client** service principal by entering the following command: ```powershell - New-MgServicePrincipal -BodyParameter f1346770-5b25-470b-88bd-d5744ab7952c + New-MgServicePrincipal -AppID f1346770-5b25-470b-88bd-d5744ab7952c ``` For more information, see [New-MgServicePrincipal -BodyParameter](/powershell/module/microsoft.graph.applications/new-mgserviceprincipal#-bodyparameter). From 34cc721cc7c19adf74741cc1a2a86033364ac565 Mon Sep 17 00:00:00 2001 
From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Tue, 19 Nov 2024 13:47:03 -0500 Subject: [PATCH 05/10] Add error message Add error message that can occur if service principal is already added --- autopilot/includes/create-assigned-device-group.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/autopilot/includes/create-assigned-device-group.md b/autopilot/includes/create-assigned-device-group.md index 39567c33aec..0b53008b350 100644 --- a/autopilot/includes/create-assigned-device-group.md +++ b/autopilot/includes/create-assigned-device-group.md @@ -96,3 +96,14 @@ If the **Intune Provisioning Client** service principal with AppId **f1346770-5b ``` For more information, see [New-MgServicePrincipal -BodyParameter](/powershell/module/microsoft.graph.applications/new-mgserviceprincipal#-bodyparameter). + + > [!NOTE] + > + > If the following message is displayed after running the `New-MgServicePrincipal -AppID f1346770-5b25-470b-88bd-d5744ab7952c` command, it means that the **Intune Provisioning Client service principal** has already been added: + + > ```powershell + > New-MgServicePrincipal : The service principal cannot be created, updated, or restored because the service principal name + > f1346770-5b25-470b-88bd-d5744ab7952c is already in use. + > Status: 409 (Conflict) + > ErrorCode: Request_MultipleObjectsWithSameKeyValue + > ``` From b6a46ba72664b250febdc3e75010f5e903721b7e Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Tue, 19 Nov 2024 14:42:52 -0500 Subject: [PATCH 06/10] Adding additional error message Adding additional error message plus fixing formatting --- .../includes/create-assigned-device-group.md | 71 ++++++++++++------- 1 file changed, 44 insertions(+), 27 deletions(-) diff --git a/autopilot/includes/create-assigned-device-group.md b/autopilot/includes/create-assigned-device-group.md index 0b53008b350..e762e1cf17b 100644 
--- a/autopilot/includes/create-assigned-device-group.md +++ b/autopilot/includes/create-assigned-device-group.md 
@@ -61,35 +61,39 @@ If the **Intune Provisioning Client** service principal with AppId **f1346770-5b 1. In the **Windows PowerShell** command prompt window: - 1. Install the **Microsoft.Graph.Authentication** module by entering the following command: + 1. Install the **Microsoft.Graph.Authentication** module by entering the following command: - ```powershell - Install-Module Microsoft.Graph.Authentication - ``` + ```powershell + Install-Module Microsoft.Graph.Authentication + ``` + + If prompted to do so, select **Yes** to agree to install from the **PSGallery** untrusted repository. - If prompted to do so, select **Yes** to agree to install from the **PSGallery** untrusted repository. For more information, see [Microsoft.Graph.Authentication](/powershell/module/microsoft.graph.authentication/) and [Set-PSRepository -InstallationPolicy](/powershell/module/powershellget/set-psrepository#-installationpolicy). + For more information, see [Microsoft.Graph.Authentication](/powershell/module/microsoft.graph.authentication/) and [Set-PSRepository -InstallationPolicy](/powershell/module/powershellget/set-psrepository#-installationpolicy). 1. Install the **Microsoft.Graph.Applications** module by entering the following command: - ```powershell - Install-Module Microsoft.Graph.Applications - ``` + ```powershell + Install-Module Microsoft.Graph.Applications + ``` - If prompted to do so, select **Yes** to agree to install from the **PSGallery** untrusted repository. For more information, see [Microsoft.Graph.Applications](/powershell/module/microsoft.graph.applications/) and [Set-PSRepository -InstallationPolicy](/powershell/module/powershellget/set-psrepository#-installationpolicy). + If prompted to do so, select **Yes** to agree to install from the **PSGallery** untrusted repository. - 1. 
Once the **Microsoft.Graph.Authentication** and **Microsoft.Graph.Applications** modules are installed, connect to Microsoft Entra ID by entering the following command: + For more information, see [Microsoft.Graph.Applications](/powershell/module/microsoft.graph.applications/) and [Set-PSRepository -InstallationPolicy](/powershell/module/powershellget/set-psrepository#-installationpolicy). - ```powershell - Connect-MgGraph - ``` + 1. Once the **Microsoft.Graph.Authentication** and **Microsoft.Graph.Applications** modules are installed, connect to Microsoft Entra ID by entering the following command: - For more information, see [Connect-MgGraph](/powershell/module/microsoft.graph.authentication/connect-mggraph). + ```powershell + Connect-MgGraph -Scopes "Application.ReadWrite.All" + ``` - 1. If not already authenticated to Microsoft Entra ID, the **Sign in to your account** window appears. Enter the credentials of a Microsoft Entra ID administrator that has permissions to add service principals. + For more information, see [Connect-MgGraph](/powershell/module/microsoft.graph.authentication/connect-mggraph). - 1. If the **Permissions requested** window appears, select the **Consent on behalf of your organization** checkbox, and then select the **Accept** button. + 1. If not already authenticated to Microsoft Entra ID, the **Sign in to your account** window appears. Enter the credentials of a Microsoft Entra ID administrator that has permissions to add service principals. - 1. Once authenticated to Microsoft Entra ID and proper permissions are granted, add the **Intune Provisioning Client** service principal by entering the following command: + 1. If the **Permissions requested** window appears, select the **Consent on behalf of your organization** checkbox, and then select the **Accept** button. + + 1. 
Once authenticated to Microsoft Entra ID and proper permissions are granted, add the **Intune Provisioning Client** service principal by entering the following command: ```powershell New-MgServicePrincipal -AppID f1346770-5b25-470b-88bd-d5744ab7952c 
@@ -97,13 +101,26 @@ If the **Intune Provisioning Client** service principal with AppId **f1346770-5b For more information, see [New-MgServicePrincipal -BodyParameter](/powershell/module/microsoft.graph.applications/new-mgserviceprincipal#-bodyparameter). - > [!NOTE] - > - > If the following message is displayed after running the `New-MgServicePrincipal -AppID f1346770-5b25-470b-88bd-d5744ab7952c` command, it means that the **Intune Provisioning Client service principal** has already been added: - - > ```powershell - > New-MgServicePrincipal : The service principal cannot be created, updated, or restored because the service principal name - > f1346770-5b25-470b-88bd-d5744ab7952c is already in use. - > Status: 409 (Conflict) - > ErrorCode: Request_MultipleObjectsWithSameKeyValue - > ``` + > [!NOTE] + > + > - The following error message is displayed if the **Intune Provisioning Client service principal** already exists in the tenant: + > + > ```powershell + > New-MgServicePrincipal : The service principal cannot be created, updated, or restored because the service principal name + > f1346770-5b25-470b-88bd-d5744ab7952c is already in use. + > Status: 409 (Conflict) + > ErrorCode: Request_MultipleObjectsWithSameKeyValue + > ``` + > + > - The following error message is displayed if one of the following conditions is true: + > + > - The account used to sign with the `Connect-MgGraph` command doesn't have permissions to add a service principal to the tenant. + > - The `-Scopes "Application.ReadWrite.All"` argument isn't added to the `Connect-MgGraph` command. + > - The **Permissions requested** window isn't accepted. + > - The **Consent on behalf of your organization** checkbox isn't selected in the **Permissions requested** window. + > + > ```powershell + > New-MgServicePrincipal : Insufficient privileges to complete the operation. + > Status: 403 (Forbidden) + > ErrorCode: Authorization_RequestDenied + > ``` 
From ac5d6282887814044c38c0b354d113d83123be6f Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Tue, 19 Nov 2024 14:45:13 -0500 Subject: [PATCH 07/10] Formatting fixes Formatting fixes --- .../includes/create-assigned-device-group.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/autopilot/includes/create-assigned-device-group.md b/autopilot/includes/create-assigned-device-group.md index e762e1cf17b..7548567c014 100644 --- a/autopilot/includes/create-assigned-device-group.md +++ b/autopilot/includes/create-assigned-device-group.md @@ -70,7 +70,7 @@ If the **Intune Provisioning Client** service principal with AppId **f1346770-5b If prompted to do so, select **Yes** to agree to install from the **PSGallery** untrusted repository. For more information, see [Microsoft.Graph.Authentication](/powershell/module/microsoft.graph.authentication/) and [Set-PSRepository -InstallationPolicy](/powershell/module/powershellget/set-psrepository#-installationpolicy). - + 1. Install the **Microsoft.Graph.Applications** module by entering the following command: ```powershell 
@@ -113,13 +113,13 @@ If the **Intune Provisioning Client** service principal with AppId **f1346770-5b > ``` > > - The following error message is displayed if one of the following conditions is true: - > - > - The account used to sign with the `Connect-MgGraph` command doesn't have permissions to add a service principal to the tenant. - > - The `-Scopes "Application.ReadWrite.All"` argument isn't added to the `Connect-MgGraph` command. - > - The **Permissions requested** window isn't accepted. - > - The **Consent on behalf of your organization** checkbox isn't selected in the **Permissions requested** window. - > - > ```powershell + > + > - The account used to sign with the `Connect-MgGraph` command doesn't have permissions to add a service principal to the tenant. + > - The `-Scopes "Application.ReadWrite.All"` argument isn't added to the `Connect-MgGraph` command. + > - The **Permissions requested** window isn't accepted. + > - The **Consent on behalf of your organization** checkbox isn't selected in the **Permissions requested** window. + > + > ```powershell > New-MgServicePrincipal : Insufficient privileges to complete the operation. > Status: 403 (Forbidden) > ErrorCode: Authorization_RequestDenied From 9ff8da52d40cfedd7367b5b80d6c0cebe97712db Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Tue, 19 Nov 2024 15:23:02 -0500 Subject: [PATCH 08/10] Grammer correction Grammer correction --- autopilot/includes/create-assigned-device-group.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/autopilot/includes/create-assigned-device-group.md b/autopilot/includes/create-assigned-device-group.md index 7548567c014..0aa4616c2c1 100644 --- a/autopilot/includes/create-assigned-device-group.md +++ b/autopilot/includes/create-assigned-device-group.md 
@@ -114,7 +114,7 @@ If the **Intune Provisioning Client** service principal with AppId **f1346770-5b > > - The following error message is displayed if one of the following conditions is true: > - > - The account used to sign with the `Connect-MgGraph` command doesn't have permissions to add a service principal to the tenant. + > - The account used to sign in with the `Connect-MgGraph` command doesn't have permissions to add a service principal to the tenant. > - The `-Scopes "Application.ReadWrite.All"` argument isn't added to the `Connect-MgGraph` command. > - The **Permissions requested** window isn't accepted. > - The **Consent on behalf of your organization** checkbox isn't selected in the **Permissions requested** window. From 08c9e5b0570e997a19e8e844c1e576ad4c171915 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Tue, 19 Nov 2024 17:15:06 -0500 Subject: [PATCH 09/10] Adding details Adding details to agree to install components --- autopilot/includes/create-assigned-device-group.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/autopilot/includes/create-assigned-device-group.md b/autopilot/includes/create-assigned-device-group.md index 0aa4616c2c1..4572a04bb88 100644 --- a/autopilot/includes/create-assigned-device-group.md +++ b/autopilot/includes/create-assigned-device-group.md @@ -57,7 +57,7 @@ Headings are driven by article context. --> If the **Intune Provisioning Client** service principal with AppId **f1346770-5b25-470b-88bd-d5744ab7952c** isn't available when selecting the owner of the device group, then follow these steps to add the service principal: -1. On a device where Microsoft Intune or Microsoft Entra ID is normally administered, open a **Windows PowerShell** command prompt. +1. On a device where Microsoft Intune or Microsoft Entra ID is normally administered, open an elevated **Windows PowerShell** command prompt. 1. In the **Windows PowerShell** command prompt window: 
@@ -67,7 +67,10 @@ If the **Intune Provisioning Client** service principal with AppId **f1346770-5b Install-Module Microsoft.Graph.Authentication ``` - If prompted to do so, select **Yes** to agree to install from the **PSGallery** untrusted repository. + If prompted to do so: + + - Agree to install **NuGet** by entering **Y** or **Yes**, or selecting the **Yes** button. + - Agree to install from the **PSGallery** untrusted repository by entering **Y** or **Yes**, or selecting the **Yes** button. For more information, see [Microsoft.Graph.Authentication](/powershell/module/microsoft.graph.authentication/) and [Set-PSRepository -InstallationPolicy](/powershell/module/powershellget/set-psrepository#-installationpolicy). @@ -77,7 +80,7 @@ If the **Intune Provisioning Client** service principal with AppId **f1346770-5b Install-Module Microsoft.Graph.Applications ``` - If prompted to do so, select **Yes** to agree to install from the **PSGallery** untrusted repository. + If prompted to do so, agree to install from the **PSGallery** untrusted repository by entering **Y** or **Yes**, or selecting the **Yes** button. For more information, see [Microsoft.Graph.Applications](/powershell/module/microsoft.graph.applications/) and [Set-PSRepository -InstallationPolicy](/powershell/module/powershellget/set-psrepository#-installationpolicy). From 2fe0e617f117580e7e69250fa0e60c2e0a4a8133 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Tue, 19 Nov 2024 17:16:22 -0500 Subject: [PATCH 10/10] Update create-assigned-device-group.md --- autopilot/includes/create-assigned-device-group.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/autopilot/includes/create-assigned-device-group.md b/autopilot/includes/create-assigned-device-group.md index 4572a04bb88..538e42512ea 100644 --- a/autopilot/includes/create-assigned-device-group.md +++ b/autopilot/includes/create-assigned-device-group.md 
@@ -5,7 +5,7 @@ manager: aaroncz ms.subservice: autopilot ms.service: windows-client ms.topic: include -ms.date: 11/19/2024 +ms.date: 11/20/2024 ms.localizationpriority: medium ---
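
Review bot: In [PATCH 01/10], hunks `@@ -64,7 +64,7 @@` and `@@ -72,7 +72,7 @@`, the surrounding prose still names the old module while the commands have moved to Microsoft Graph. The context lines "Install the **azuread** module", "agree to install **NuGet** and the **azuread** module" and "Once the **azuread** module is installed" now sit next to `Install-Module microsoft.graph.applications` and `Connect-MgGraph`. Update the step text in the same commit so the reader is not told to approve a module that is no longer being installed. [PATCH 02/10] does this later, but the first commit is inconsistent on its own.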
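
Review bot: In [PATCH 01/10], hunk `@@ -80,5 +80,5 @@`, `New-MgServicePrincipal -BodyParameter f1346770-5b25-470b-88bd-d5744ab7952c` passes a bare AppId GUID to `-BodyParameter`, which takes a service principal object rather than an ID string. The removed line used `-AppId`, and the replacement should keep that parameter. [PATCH 04/10] switches to `-AppID`; squashing that fix into this commit would avoid three revisions that document a command that does not do what the step says.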
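
Review bot: In [PATCH 02/10], hunk `@@ -61,20 +61,30 @@`, the "untrusted repository" prompt text is followed directly by a link to `Set-PSRepository -InstallationPolicy`, which reads as a suggestion to change the repository policy. Answering **Yes** at the prompt covers this one install, whereas changing the installation policy is persistent. Suggest either dropping that link or adding a sentence that the policy does not need to be changed for this procedure.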
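
Review bot: In [PATCH 04/10], hunk `@@ -87,10 +87,12 @@`, the command changes to `New-MgServicePrincipal -AppID ...` but the unchanged line below it still reads "For more information, see [New-MgServicePrincipal -BodyParameter](...#-bodyparameter)". The link text and anchor should follow the parameter the step actually uses, and the parameter casing should match the `AppId` spelling used in the section's opening sentence. No later patch in the series touches this link, so the mismatch ships.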
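
Review bot: In [PATCH 06/10], hunk `@@ -61,35 +61,39 @@`, the steps now pair `Connect-MgGraph -Scopes "Application.ReadWrite.All"` with "select the **Consent on behalf of your organization** checkbox" without saying what that consent covers or that it outlives the session. The procedure adds a single service principal, while the reader is asked to approve an organization-wide grant of a scope that covers all applications in the tenant. Suggest one sentence stating what is being consented to and for whom, plus a closing step to end the session with `Disconnect-MgGraph` and to review the grant afterwards if it is not otherwise needed.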
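
Review bot: In [PATCH 06/10], hunk `@@ -97,13 +101,26 @@`, both error samples are fenced as `powershell` although they are command output, not commands, so they will be highlighted and offered for copying as if they were runnable. Fence them as plain output instead. In the same note, `**Intune Provisioning Client service principal**` bolds the words "service principal", while the rest of the file bolds only `**Intune Provisioning Client**`. It would also help to order the 403 conditions by likelihood, with the missing `-Scopes` argument first, since that is the one the reader can fix by rerunning the previous step.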
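
Review bot: In [PATCH 09/10], hunk `@@ -57,7 +57,7 @@`, the step now requires an elevated prompt without giving a reason, and every later step, including the `Connect-MgGraph` sign-in and `New-MgServicePrincipal`, then runs elevated too. If elevation is only needed for the module install, consider documenting `Install-Module Microsoft.Graph.Authentication -Scope CurrentUser` from a normal prompt instead, or state in the step why elevation is required.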