How to troubleshoot 'Application is not authorized to perform this operation.'
Microsoft is progressively enforcing new Microsoft Graph application permissions for Intune Device Management Scripts. As the rollout proceeds tenant-by-tenant, calls to Intune Shell Scripts endpoints now require DeviceManagementScripts.Read.All (read) or DeviceManagementScripts.ReadWrite.All (read/write).
As a result, when running an Intune change collection job, the operation fails with an authorization error indicating missing DeviceManagementScripts application permissions in Microsoft Graph.
Symptoms
- Intune collection job fails immediately when collecting Changes for Device Management Scripts.
- Error references missing DeviceManagementScripts.Read.All or DeviceManagementScripts.ReadWrite.All scopes.
- Issue is reproducible regardless of Cayosoft Guardian version once the Microsoft change is in effect.
Root cause
Microsoft introduced a change that now requires applications to hold one of the following Microsoft Graph application permissions to access Intune device management scripts:
| Permission | Type | Purpose |
|---|---|---|
| DeviceManagementScripts.Read.All | Application | Read Intune device management scripts across the tenant. |
| DeviceManagementScripts.ReadWrite.All | Application | Read and write Intune device management scripts across the tenant. |
NOTE: These are application permissions (app roles) for Microsoft Graph, not delegated permissions. Admin consent is required.
Resolution
If you don’t need Intune actions right now, temporarily turn Intune actions off to suppress the error until you’re ready to update.
If the error is not blocking your operations, you may disable Intune actions and wait for the hotfix to be deployed.
If Intune collection is critical, apply the permission workaround immediately (grant the scopes) and then install the hotfix when available.
To grant the proper permissions, perform the following steps:
1. Save a copy of C:\Program Files\Cayo Software\Guardian\appsettings.json.
2. Open C:\Program Files\Cayo Software\Guardian\appsettings.json in any editor.
3. Find the string "DeviceManagementConfiguration.ReadWrite.All" under the section called "RequiredScopePermissions".
4. Insert the following line after it:
   DeviceManagementScripts.Read.All,
5. Perform the same in the section called "ApplicationPermissions".
6. Restart the Cayosoft Guardian service.
After the permissions are added, the Intune collection job completes successfully without the authorization error.
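To confirm that consent took effect before re-running the job, you can inspect an app-only Microsoft Graph access token issued to the application: granted application permissions appear in its `roles` claim, while delegated scopes appear in `scp`. The following is an added example, not Cayosoft or Microsoft code; it assumes you already hold such a token, the function names are hypothetical, and the sample tokens are constructed and unsigned.

```python
import base64
import json

# Application permissions named on this page; either one satisfies the requirement.
REQUIRED_ANY = {
    "DeviceManagementScripts.Read.All",
    "DeviceManagementScripts.ReadWrite.All",
}


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict. No signature check: diagnostic use only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_script_permission(token: str) -> tuple[bool, str]:
    """Report whether an app-only Graph token carries a required app role."""
    claims = decode_claims(token)
    roles = claims.get("roles")
    if roles is None:
        # Delegated tokens list scopes in 'scp'; those do not satisfy an
        # application-permission requirement.
        if "scp" in claims:
            return False, "delegated token (scp claim), not an app-only token"
        return False, "no roles claim: no application permissions consented"
    granted = REQUIRED_ANY.intersection(roles)
    if granted:
        return True, "granted: " + ", ".join(sorted(granted))
    return False, "missing: one of " + ", ".join(sorted(REQUIRED_ANY))


def constructed_token(claims: dict) -> str:
    """Build an unsigned sample token for the demo below (constructed data)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    old = ["DeviceManagementConfiguration.ReadWrite.All"]
    print(check_script_permission(constructed_token({"roles": old})))
    print(check_script_permission(
        constructed_token({"roles": old + ["DeviceManagementScripts.Read.All"]})))
```

A result of `False` after the configuration change points to consent not yet granted on the app registration rather than a problem in appsettings.json.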