<h2>Microsoft Intune Spoke - Role and Permissions - Fixing "Invalid user name and password 401" error</h2><br/><div style="overflow-x:auto"><div><h3>Description</h3><ul><li>The <strong>Intune Spoke</strong> requires permissions to be properly set in <strong><em>Azure</em></strong>.</li><li>If the configuration defined in <strong><em>Azure</em></strong> is incorrect or incomplete, the instance can still retrieve the Access Token from the Azure token provider endpoint, but the Flow/Actions fail when they call the Intune API with that token.</li><li>An example of the error observed with the Get Managed Device Action:</li></ul> <pre>Method failed: (/v1.0/deviceManagement/managedDevices/{managedDeviceId}) with code: 401 - Invalid username/password combo</pre> <ul><li>The corresponding REST Response shows a message containing the following error:</li></ul> <pre>An error has occurred - Operation ID (for customer support)</pre></div><div><h3>Release or Environment</h3><ul><li>Observed in <strong>Quebec</strong>.</li></ul></div><div><h3>Cause</h3><ul><li>This indicates a missing <strong>role</strong> on the <em>Azure AD account</em> for which the <em>Access Token</em> is generated: the token is issued, but it does not carry the permissions the Intune API requires, so the API rejects the call with 401 even though the credentials themselves are valid.</li><li>The <em>Microsoft</em> documentation on <a title="Intune permission scopes" href="https://docs.microsoft.com/en-us/mem/intune/developer/intune-graph-apis#intune-permission-scopes" target="_blank" rel="noopener noreferrer">Intune permission scopes</a> states:</li></ul> <pre>At this time, all Intune permission scopes require administrator access. 
This means you need corresponding credentials when running apps or scripts that access Intune API resources.</pre></div><div><h3>Resolution</h3><ul><li>The Azure AD account that will request the token must have the following <strong>roles</strong> assigned:<br /> <ul><li><strong>Read only Operator</strong> is the minimum role that can be given for <em>look up</em> or <em>get</em> actions.</li><li><strong>Global Admin or Intune Admin</strong> (along with <strong>readwrite.all</strong> permissions) is required if <em>Update Managed Device</em> or <em>Delete Managed Device</em> will be used.</li></ul> </li><li>In the instance, the <em>Microsoft Intune as an OAuth provider</em> record must be configured with Grant Type <strong>Authorization Code</strong>.</li><li><a title="KB0995339" href="https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0995339" target="_blank" rel="noopener noreferrer">KB0995339</a> lists the permissions required for each of the Intune Spoke Actions. 
As shown there, permissions can be of type <em>Delegated</em> or <em>Application</em>, depending on the use case.</li><li>In addition to the above permissions, the following basic <em>Microsoft Graph</em> permissions are also required:<br /> <ol><li><em>email</em> - View users' email address</li><li><em>offline_access</em> - Maintain access to data you have given it access to</li><li><em>openid</em> - Sign users in</li><li><em>profile</em> - View users' basic profile</li><li><em>User.Read</em> - Sign in and read user profile</li></ol> </li></ul></div><div><h3>Additional Information</h3><ul><li>Microsoft documentation: <a title="Intune Permission Scopes" href="https://docs.microsoft.com/en-us/mem/intune/developer/intune-graph-apis#intune-permission-scopes" target="_blank" rel="noopener noreferrer">Intune Permission Scopes</a></li><li>ServiceNow documentation: <a title="Setup Intune Spoke" href="https://docs.servicenow.com/bundle/quebec-servicenow-platform/page/administer/integrationhub-store-spokes/task/setup-ms-intune.html" target="_blank" rel="noopener noreferrer">Setup Intune Spoke</a></li></ul></div></div>
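<p>As an added diagnostic (not part of this KB and not the spoke's own code), the Python script below decodes the access token the instance obtained and reports which of the permissions listed above are absent for each Intune Spoke action, so you can confirm that the 401 is a permissions problem on a token that was issued successfully rather than a credential problem. The full Intune scope names and the sample token are assumptions: the KB itself only says <em>readwrite.all</em>.</p>

```python
import base64
import json

# Basic Microsoft Graph permissions listed in this KB, required for every action.
BASIC_SCOPES = {"email", "offline_access", "openid", "profile", "User.Read"}
# Intune scope per spoke action. The KB only names "readwrite.all"; the full
# Graph permission names below are an assumption about which scopes it refers to.
ACTION_SCOPES = {
    "Get Managed Device": {"DeviceManagementManagedDevices.Read.All"},
    "Update Managed Device": {"DeviceManagementManagedDevices.ReadWrite.All"},
    "Delete Managed Device": {"DeviceManagementManagedDevices.ReadWrite.All"},
}


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that base64url strips before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.
    This is for inspecting a token you obtained yourself; it must never be used
    to decide whether to trust a token presented by someone else."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def missing_permissions(claims: dict, action: str) -> list:
    """List the required scopes the token does not carry for the given action.
    Delegated permissions arrive in the space-separated 'scp' claim, application
    permissions in the 'roles' list; the spoke may use either, so both count.
    Directory roles (Intune Admin etc.) appear as template IDs in 'wids' and
    are not checked here."""
    granted = set(claims.get("scp", "").split()) | set(claims.get("roles", []))
    required = BASIC_SCOPES | ACTION_SCOPES[action]
    return sorted(required - granted)


# Constructed sample token (alg=none, empty signature): delegated scopes that
# cover Get Managed Device but not Update/Delete Managed Device.
_claims = {"aud": "https://graph.microsoft.com", "scp": "email openid profile "
           "offline_access User.Read DeviceManagementManagedDevices.Read.All"}
_hdr = base64.urlsafe_b64encode(b'{"alg":"none","typ":"JWT"}').rstrip(b"=").decode()
_pl = base64.urlsafe_b64encode(json.dumps(_claims).encode()).rstrip(b"=").decode()
SAMPLE_TOKEN = f"{_hdr}.{_pl}."

if __name__ == "__main__":
    claims = decode_jwt_claims(SAMPLE_TOKEN)
    for action in ACTION_SCOPES:
        print(action, "-> missing:", missing_permissions(claims, action) or "none")
```

Replace SAMPLE_TOKEN with the bearer token from the instance's OAuth token record to check a real grant.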