Description
Describe the bug
I was tasked to rename a W365 enrollmentprofile. The new name is visible in Intune but in the Windows App the old name is still visible. I noticed the old profile name is still visible when retrieving the device using the Get-MgDevice command, so I wrote this script to change it:
```powershell
$OldProfileName = 'CloudVM - Test Rename'
$NewProfileName = 'W365 - Test Renamed'
$W365Devices = Get-MgBetaDevice -Search "enrollmentProfileName:$OldProfileName" -ConsistencyLevel eventual
foreach ($Device in $W365Devices) {
    Update-MgBetaDevice -DeviceId $Device.Id -EnrollmentProfileName $NewProfileName
}
```
I'm authenticating to Graph using an Enterprise App that has Device.ReadWrite.All and Directory.ReadWrite.All permissions which should be enough according to the documentation. In spite of this I'm still getting the Insufficient privileges to complete the operation error. Even if I try the command as Global Admin I still get the error.
Expected behavior
Since the command has a specific parameter for the enrollmentprofilename I'd expect it to update the enrollmentprofilename property to the new profilename.
How to reproduce
- Get a deviceid of a single Entra device
- Use this Id in this command: Update-MgBetaDevice -DeviceId <DeviceId from step 1> -EnrollmentProfileName
- Check the error
SDK Version
2.28.0
Latest version known to work for scenario above?
No response
Known Workarounds
None
Debug output
<details>
<summary>Click to expand log</summary>

```
DEBUG: [CmdletBeginProcessing]: - Update-MgBetaDevice begin processing with parameterSet 'UpdateExpanded'.
DEBUG: [Authentication]: - AuthType: 'AppOnly', TokenCredentialType: 'ClientSecret', ContextScope: 'Process', AppName: '-Redacted-'.
DEBUG: [Authentication]: - Scopes: [AppCatalog.Read.All, DeviceManagementManagedDevices.Read.All, Device.ReadWrite.All, Application.ReadWrite.All, Group.Read.All, WindowsUpdates.ReadWrite.All, Directory.ReadWrite.All, ServiceMessage.Read.All, Sites.Manage.All, User.Read.All, DeviceManagementConfiguration.Read.All, AppRoleAssignment.ReadWrite.All, Mail.Send, Application.Read.All, CloudPC.ReadWrite.All, DeviceManagementApps.Read.All].
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
PATCH
Absolute Uri:
https://graph.microsoft.com/beta/devices/-Redacted-
Headers:
FeatureFlag : 00000003
Cache-Control : no-store, no-cache
User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.22631; nl-NL),PowerShell/5.1.22621.5697
SdkVersion : graph-powershell-beta/2.28.0
client-request-id : -Redacted-
Body:
{
"enrollmentProfileName": "W365 - Test Renamed"
}
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
Forbidden
Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : -Redacted-
client-request-id : -Redacted-
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"West Europe","Slice":"E","Ring":"5","ScaleUnit":"010","RoleInstance":"AM4PEPF000278F9"}}
x-ms-resource-unit : 1
Cache-Control : no-cache
Date : Tue, 26 Aug 2025 07:50:29 GMT
Body:
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2025-08-26T07:50:30",
"request-id": "-Redacted-",
"client-request-id": "-Redacted-"
}
}
}
Update-MgBetaDevice : Insufficient privileges to complete the operation.
Status: 403 (Forbidden)
ErrorCode: Authorization_RequestDenied
Date: 2025-08-26T07:50:30
Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : -Redacted-
client-request-id : -Redacted-
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"West Europe","Slice":"E","Ring":"5","ScaleUnit":"010","RoleInstance":"AM4PEPF000278F9"}}
x-ms-resource-unit : 1
Cache-Control : no-cache
Date : Tue, 26 Aug 2025 07:50:29 GMT
At line:1 char:5
+     Update-MgBetaDevice -DeviceId $Device.Id -EnrollmentProfileName $ ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: ({ DeviceId = 36...ftGraphDevice }:<>f__AnonymousType8`3) [Update-MgBetaDevice_UpdateExpanded], Exception
    + FullyQualifiedErrorId : Authorization_RequestDenied,Microsoft.Graph.Beta.PowerShell.Cmdlets.UpdateMgBetaDevice_UpdateExpanded
DEBUG: [CmdletEndProcessing]: - Update-MgBetaDevice end processing.
```
</details>
### Configuration
<pre>
Name                           Value
----                           -----
PSVersion                      5.1.22621.5697
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.22621.5697
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
</pre>
- OS: Win11 24H2 x64
### Other information
_No response_