Status: Open
Labels: status:waiting-for-triage (An issue that is yet to be reviewed or assigned), type:bug (A broken experience)
Description
Describe the bug
I am trying to add and remove device owners using New-MgDeviceRegisteredOwnerByRef and Remove-MgDeviceRegisteredOwnerDirectoryObjectByRef. But I am getting "Insufficient privileges to complete the operation."
This is despite confirming that I am Global Administrator and have the Device.ReadWrite.All and Directory.ReadWrite.All scopes.
(I can read the device owner fine.)
Expected behavior
I expect the owner of the device to actually change.
Secondly, I want the error message to point to what permission is needed so I can activate that.
How to reproduce
```powershell
$ownermg = Get-MgUser -UserId "[email protected]"
$devicemg = Get-MgDevice -Filter "displayName eq 'win11'"
# Reading the current registered owner works:
(Get-MgUser -UserId (Get-MgDeviceRegisteredOwner -DeviceId $devicemg.id).id) | Select-Object DisplayName, UserPrincipalName
# Adding a registered owner fails:
New-MgDeviceRegisteredOwnerByRef -DeviceId $devicemg.id -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($ownermg.id)" } -Debug
# -> error: Insufficient privileges to complete the operation.
# Removing a registered owner fails the same way:
Remove-MgDeviceRegisteredOwnerDirectoryObjectByRef -DeviceId $devicemg.id -DirectoryObjectId $ownermg.id -Debug
# -> error: Insufficient privileges to complete the operation.
```
SDK Version
2.25.0 and 2.28.0
Latest version known to work for scenario above?
n/a
Known Workarounds
none
Debug output
Debug log for "add/new":
DEBUG: [CmdletBeginProcessing]: - New-MgDeviceRegisteredOwnerByRef begin processing with parameterSet 'Create'.
DEBUG: [Authentication]: - AuthType: 'Delegated', TokenCredentialType: 'InteractiveBrowser', ContextScope: 'CurrentUser', AppName: 'Microsoft Graph Command Line Tools'.
DEBUG: [Authentication]: - Scopes: [AdministrativeUnit.Read.All, AdministrativeUnit.ReadWrite.All, Device.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All, Group.Read.All, Group.ReadWrite.All, IdentityRiskEvent.Read.All, IdentityRiskyUser.ReadWrite.All, openid, Policy.Read.All, PrivilegedAccess.ReadWrite.AzureADGroup, PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup, profile, RoleAssignmentSchedule.ReadWrite.Directory, RoleEligibilitySchedule.ReadWrite.Directory, RoleManagement.ReadWrite.Directory, RoleManagementPolicy.Read.AzureADGroup, RoleManagementPolicy.ReadWrite.AzureADGroup, Team.ReadBasic.All, TeamMember.Read.All, User.Read, User.Read.All, User.ReadWrite.All, email].
Confirm
Are you sure you want to perform this action?
Performing the operation "New-MgDeviceRegisteredOwnerByRef_Create" on target "Call remote 'POST /devices/{device-id}/registeredOwners/$ref' operation".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
POST
Absolute Uri:
https://graph.microsoft.com/v1.0/devices/{guid}/registeredOwners/$ref
Headers:
FeatureFlag : 00000003
Cache-Control : no-store, no-cache
User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.22631; en-US),PowerShell/2025.0.0
SdkVersion : graph-powershell/2.28.0
client-request-id : {guid}
Accept-Encoding : gzip,deflate,br
Body:
{
"@odata.id": "https://graph.microsoft.com/v1.0/users/{guid}"
}
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
Forbidden
Headers:
Cache-Control : no-cache
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : {guid}
client-request-id : {guid}
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"US","Slice":"E","Ring":"4","ScaleUnit":"002","RoleInstance":"CH01"}}
x-ms-resource-unit : 1
Date : Wed, 21 May 2025 16:58:02 GMT
Body:
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2025-05-21T16:58:02",
"request-id": "{guid}",
"client-request-id": "{guid}"
}
}
}
New-MgDeviceRegisteredOwnerByRef_Create: Insufficient privileges to complete the operation.
Status: 403 (Forbidden)
ErrorCode: Authorization_RequestDenied
Date: 2025-05-21T16:58:02
Headers:
Cache-Control : no-cache
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : {guid}
client-request-id : {guid}
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"US","Slice":"E","Ring":"4","ScaleUnit":"002","RoleInstance":"CH01"}}
x-ms-resource-unit : 1
Date : Wed, 21 May 2025 16:58:02 GMT
Recommendation: See service error codes: https://learn.microsoft.com/graph/errors
DEBUG: [CmdletEndProcessing]: - New-MgDeviceRegisteredOwnerByRef end processing.
Debug log for "remove":
DEBUG: [CmdletBeginProcessing]: - Remove-MgDeviceRegisteredOwnerDirectoryObjectByRef begin processing with parameterSet 'Delete'.
DEBUG: [Authentication]: - AuthType: 'Delegated', TokenCredentialType: 'InteractiveBrowser', ContextScope: 'CurrentUser', AppName: 'Microsoft Graph Command Line Tools'.
DEBUG: [Authentication]: - Scopes: [AdministrativeUnit.Read.All, AdministrativeUnit.ReadWrite.All, Device.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All, Group.Read.All, Group.ReadWrite.All, IdentityRiskEvent.Read.All, IdentityRiskyUser.ReadWrite.All, openid, Policy.Read.All, PrivilegedAccess.ReadWrite.AzureADGroup, PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup, profile, RoleAssignmentSchedule.ReadWrite.Directory, RoleEligibilitySchedule.ReadWrite.Directory, RoleManagement.ReadWrite.Directory, RoleManagementPolicy.Read.AzureADGroup, RoleManagementPolicy.ReadWrite.AzureADGroup, Team.ReadBasic.All, TeamMember.Read.All, User.Read, User.Read.All, User.ReadWrite.All, email].
Confirm
Are you sure you want to perform this action?
Performing the operation "Remove-MgDeviceRegisteredOwnerDirectoryObjectByRef_Delete" on target "Call remote 'DELETE /devices/{device-id}/registeredOwners/{directoryObject-id}/$ref' operation".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
DELETE
Absolute Uri:
https://graph.microsoft.com/v1.0/devices/{guid}/registeredOwners/{guid}/$ref
Headers:
FeatureFlag : 00000003
Cache-Control : no-store, no-cache
User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.22631; en-US),PowerShell/2025.0.0
SdkVersion : graph-powershell/2.28.0
client-request-id : {guid}
Accept-Encoding : gzip,deflate,br
Body:
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
Forbidden
Headers:
Cache-Control : no-cache
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : {guid}
client-request-id : {guid}
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"US","Slice":"E","Ring":"4","ScaleUnit":"002","RoleInstance":"CH01"}}
x-ms-resource-unit : 1
Date : Wed, 21 May 2025 16:58:09 GMT
Body:
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2025-05-21T16:58:10",
"request-id": "{guid}",
"client-request-id": "{guid}"
}
}
}
Remove-MgDeviceRegisteredOwnerDirectoryObjectByRef_Delete: Insufficient privileges to complete the operation.
Status: 403 (Forbidden)
ErrorCode: Authorization_RequestDenied
Date: 2025-05-21T16:58:10
Headers:
Cache-Control : no-cache
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : {guid}
client-request-id : {guid}
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"US","Slice":"E","Ring":"4","ScaleUnit":"002","RoleInstance":"CH01"}}
x-ms-resource-unit : 1
Date : Wed, 21 May 2025 16:58:09 GMT
Recommendation: See service error codes: https://learn.microsoft.com/graph/errors
DEBUG: [CmdletEndProcessing]: - Remove-MgDeviceRegisteredOwnerDirectoryObjectByRef end processing.
Configuration
- OS: Windows 11 x64
- no docker
- PSVersion 7.5.1
- PSEdition Core
- GitCommitId 7.5.1
- OS Microsoft Windows 10.0.22631
- Platform Win32NT
- PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
- PSRemotingProtocolVersion 2.3
- SerializationVersion 1.1.0.1
- WSManStackVersion 3.0
Other information
No response
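The reproduction above shows a delegated token carrying Device.ReadWrite.All and Directory.ReadWrite.All still receiving 403 Authorization_RequestDenied on the registered-owner write, while the read succeeds. The following script is an added triage helper, not code from the issue reporter or the Microsoft Graph PowerShell SDK project. It inspects the scopes actually present on the current Graph session before attempting the write, refuses to proceed if a required scope is absent, and on a denied write extracts the HTTP error code and request-id from the response body so they can be quoted in a support case or issue. The module names, the placeholder UPN and device name, and the assumption that the SDK surfaces the raw JSON error body in `ErrorDetails.Message` are assumptions of this example; the cmdlets themselves (`Get-MgContext`, `Get-MgUser`, `Get-MgDevice`, `Get-MgDeviceRegisteredOwner`, `New-MgDeviceRegisteredOwnerByRef`) are the ones used on the page.

```powershell
# Added triage helper; not from the issue or the Graph PowerShell SDK project.
# Assumes Microsoft.Graph.Authentication and
# Microsoft.Graph.Identity.DirectoryManagement are installed and that
# Connect-MgGraph has already been run interactively.
# The UPN and device name below are constructed placeholders.
$RequiredScopes = @('Device.ReadWrite.All', 'Directory.ReadWrite.All')
$OwnerUpn       = 'owner@example.com'   # placeholder
$DeviceName     = 'win11'               # placeholder

# 1. Inspect the token actually in use: auth type, account and consented scopes.
$ctx = Get-MgContext
if (-not $ctx) { throw 'No Graph session found. Run Connect-MgGraph first.' }
Write-Host "AuthType: $($ctx.AuthType)  Account: $($ctx.Account)  Tenant: $($ctx.TenantId)"

$missing = @($RequiredScopes | Where-Object { $ctx.Scopes -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning "Token lacks scopes: $($missing -join ', ')."
    Write-Warning "Reconnect with: Connect-MgGraph -Scopes $($RequiredScopes -join ',')"
    return
}

# 2. Resolve the objects, refusing to continue on an ambiguous device filter
#    so the write can never be aimed at the wrong device.
$owner  = Get-MgUser -UserId $OwnerUpn -ErrorAction Stop
$device = @(Get-MgDevice -Filter "displayName eq '$DeviceName'" -ErrorAction Stop)
if ($device.Count -ne 1) {
    throw "Expected exactly one device named '$DeviceName', found $($device.Count)."
}
$device = $device[0]

# 3. Attempt the write. On failure, record the fields a triager needs
#    (Graph error code, message, request-id, timestamp) rather than only
#    the bare "Insufficient privileges" text.
try {
    New-MgDeviceRegisteredOwnerByRef -DeviceId $device.Id -BodyParameter @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/users/$($owner.Id)"
    } -ErrorAction Stop
    Write-Host "Added $($owner.UserPrincipalName) as registered owner of $($device.DisplayName)."
}
catch {
    $err = $_
    Write-Warning "Write denied: $($err.Exception.Message)"
    # Assumption: the SDK places the raw JSON error body in ErrorDetails.Message.
    if ($err.ErrorDetails -and $err.ErrorDetails.Message) {
        try {
            $body = $err.ErrorDetails.Message | ConvertFrom-Json -ErrorAction Stop
            [pscustomobject]@{
                Code      = $body.error.code
                Message   = $body.error.message
                RequestId = $body.error.innerError.'request-id'
                Date      = $body.error.innerError.date
            } | Format-List
        }
        catch {
            Write-Warning 'Error body was not JSON; raw details follow.'
            $err.ErrorDetails.Message
        }
    }
    # Confirm that read access still works, matching the reporter's observation
    # that the owner can be read but not changed.
    $current = @(Get-MgDeviceRegisteredOwner -DeviceId $device.Id)
    Write-Host "Current registered owner object ids: $($current.Id -join ', ')"
}
```

Run it in the same session that reproduces the failure. If the scope check passes and the write is still denied, the printed Code and RequestId are the values worth attaching to the issue, since a request-id lets the service side correlate the denied call; if the scope check fails, the token in use is not the one the reporter believed was consented, which is a different problem from the one described here.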