Fixing "Invalid username/password" 401 error | Intune spoke - Support and Troubleshooting

Fixing "Invalid username/password" 401 error | Intune spoke Issue This article is intended to assist you in troubleshooting the 401 error you may receive from the Microsoft Intune spoke Get Managed Device action.

The Microsoft Intune Spoke requires permissions to be properly set in Azure . In case of an incorrect or incomplete configuration defined in Azure, the instance can still retrieve the Access Token from the Azure token provider endpoint, but will fail when executing the Flow/Actions.

An example of the error that can be observed with the Get Managed Device Action:

Method failed: (/v1.0/deviceManagement/managedDevices/{managedDeviceId}) with code: 401 - Invalid username/password combo

The corresponding REST Response will show a message containing the following error:

An error has occurred - Operation ID (for customer support)

Release It was observed in Quebec .

Cause This indicates a missing role in the Azure AD account for which the Access Token is generated. In fact, as per the Microsoft documentation Intune permission scopes states:

"At this time, all Intune permission scopes require administrator access. This means you need corresponding credentials when running apps or scripts that access Intune API resources."

Resolution The Azure AD account which will request the token must have the following roles assigned:

Read only Operator is the minimum role that can be given to look up or get actions Global Admin or Intune Admin (along with readwrite.all permissions) are required if Update Managed Device and Delete Managed Device will be used. In the instance, the Microsoft Intune as an OAuth provider record must be configured with Grant Type Authorization Code .

You can find the details of all the permissions required for each of the Intune Spoke Actions in KB0995339: Intune Spoke Actions Permission Table . Permissions can be of type Delegated or Application , depending on the use case.

In addition to above permissions, basic Microsoft Graph permissions are also required:

email - View users' email address offline_access - Maintain access to data you have given it access to openid - Sign users in profile - View users' basic profile User.Read - Sign in and read user profile Related Links Set up the Microsoft Intune spoke ServiceNow product documentation KB0995339: Intune Spoke Actions Permission Table Intune Permission Scopes Microsoft documentation