Graph API for managed devices list is not working

Supriya Kulkarni 0 Reputation points
2024-04-16T03:19:05.7766667+00:00

I have an application which queries the deviceManagement/managedDevices API to fetch all the devices. I have given all the right permissions as mentioned in the documentation.

I am able to fetch an access token, but when I use this access token to do a GET, I see the following error:

{"ErrorCode":"Forbidden","Message":"{\ "_version": 3,\ "Message": "An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: de9064e5-431f-8f9b-5xxx-759db26b3b71 - Url: https://fef.msua08.manage.microsoft.com/DeviceFE/StatelessDeviceFEService/deviceManagement/managedDevices?api-version=5024-02-13\",\ "CustomApiErrorPhrase": "",\ "RetryAfter": null,\ "ErrorSourceService": "",\ "HttpHeaders": "{\"WWW-Authenticate\":\"Bearer realm=\\\"urn:intune:service,c3998d6e-2e37-4c56-87b5-7b444ee1cb26,3e9c57b9-808d-4aa0-9500-4b2d369279e7\\\"\"}"}","Target":null,"Details":null,"InnerError":null,"InstanceAnnotations":[]}

I am able to successfully get a list of AD users, but deviceManagement/managedDevices does not work. I tried with /v1.0 as well as /beta and both give the same issue. The following is the permission:

User's image

Not sure what the issue is here. How can I resolve this issue?


4 answers

  1. xenia 391 Reputation points
    2024-04-16T07:10:42.4366667+00:00

    @Supriya Kulkarni For this API, the following permission is enough:

    User's image

    https://learn.microsoft.com/en-us/graph/api/intune-devices-manageddevice-list?view=graph-rest-1.0&tabs=http

    For this issue, I have done the test. I use the following request to get all the devices. It works.

    https://graph.microsoft.com/beta/deviceManagement/managedDevices
    

    User's image


  2. Crystal-MSFT 43,381 Reputation points Microsoft Vendor
    2024-04-17T05:16:33.8733333+00:00

    @Supriya Kulkarni, Thanks for posting in Q&A. From your description, I know the permission is granted, but it still gets a 403 permission issue. Based on my testing, I find it is working in my lab when I grant the following permissions.

    DeviceManagementManagedDevices.Read.All, DeviceManagementManagedDevices.ReadWrite.All

    Please check if the signed-in user has an Intune license assigned. Meanwhile, please recreate the registered application and grant the permission again to see if it can work.

    However, if the issue still persists, please open a Premier case to see if you can get help.

    https://learn.microsoft.com/en-us/mem/get-support

    Hope the above information can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  3. Supriya Kulkarni 0 Reputation points
    2024-04-25T17:59:58.5866667+00:00

    My issue was resolved. We realized that the trial had expired, and since some other APIs were working we never realized it had expired. After we got a licensed one, it worked fine.


  4. Crystal-MSFT 43,381 Reputation points Microsoft Vendor
    2024-04-26T02:56:46.4566667+00:00

    @Supriya Kulkarni, Thanks for sharing the solution. I am glad the issue is resolved. To help others who have the same issue, please let me write a summary for this.

    Issue

    I have an application which queries the deviceManagement/managedDevices API to fetch all the devices. I have given all the right permissions as mentioned in the documentation.

    User's image

    I am able to fetch an access token, but when I use this access token to do a GET, I see the following error:

    {"ErrorCode":"Forbidden","Message":"{\ "_version": 3,\ "Message": "An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: de9064e5-431f-8f9b-5xxx-759db26b3b71 - Url: https://fef.msua08.manage.microsoft.com/DeviceFE/StatelessDeviceFEService/deviceManagement/managedDevices?api-version=5024-02-13", "CustomApiErrorPhrase": "",\ "RetryAfter": null,\ "ErrorSourceService": "",\ "HttpHeaders": "{"WWW-Authenticate":"Bearer realm=\"urn:intune:service,c3998d6e-2e37-4c56-87b5-7b444ee1cb26,3e9c57b9-808d-4aa0-9500-4b2d369279e7\""}"}","Target":null,"Details":null,"InnerError":null,"InstanceAnnotations":[]}

    Resolution

    User's image

    Thanks for your time and have a nice day!


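A triage sketch for the situation in this thread, added here as an example and not posted by any participant: it checks whether a token actually carries one of the managed-device permissions and unwraps the nested Forbidden body, so a missing grant can be told apart from a refusal by the Intune service itself (the licensing cause found above). The function names, the sample token and the sample body are constructed for illustration, and the classification is a heuristic drawn from this thread.

```python
import base64
import json

# Permissions named in the answers above; either one covers the list call.
REQUIRED = {"DeviceManagementManagedDevices.Read.All",
            "DeviceManagementManagedDevices.ReadWrite.All"}

def token_permissions(jwt):
    """Permissions carried by a token: 'roles' (app-only) plus 'scp' (delegated).
    The payload is decoded WITHOUT signature verification, for inspection only."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", [])) | set(claims.get("scp", "").split())

def parse_forbidden(body):
    """Unwrap the error: 'Message' and 'HttpHeaders' are JSON strings inside JSON."""
    outer = json.loads(body)
    inner = json.loads(outer["Message"])
    headers = json.loads(inner.get("HttpHeaders") or "{}")
    return {"code": outer["ErrorCode"], "detail": inner.get("Message", ""),
            "challenge": headers.get("WWW-Authenticate", "")}

def diagnose(jwt, body):
    """Heuristic triage (an assumption drawn from this thread, not a documented rule)."""
    err = parse_forbidden(body)
    if err["code"] != "Forbidden":
        return "not-a-403"
    if not token_permissions(jwt) & REQUIRED:
        return "missing-permission"      # grant/consent problem on the app registration
    if "urn:intune:service" in err["challenge"]:
        return "check-intune-license"    # token is fine; the Intune service refused
    return "forbidden-other"

def fake_jwt(claims):
    """Constructed, unsigned sample token (header.payload.signature)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])

# Constructed sample body with the same nesting as the error quoted in the question.
SAMPLE_BODY = json.dumps({"ErrorCode": "Forbidden", "Message": json.dumps({
    "_version": 3,
    "Message": "An error has occurred - Activity ID: <placeholder>",
    "HttpHeaders": json.dumps(
        {"WWW-Authenticate": 'Bearer realm="urn:intune:service,<id-1>,<id-2>"'}),
})})

if __name__ == "__main__":
    ok = fake_jwt({"roles": ["DeviceManagementManagedDevices.Read.All"]})
    print(diagnose(ok, SAMPLE_BODY))
```
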