Description
### Describe the bug
I am trying to programmatically update the device ownership from personal to corporate for some misidentified machines. To replicate the error, I am presently a global admin and running the following:
```powershell
Connect-MgGraph -scope Directory.AccessAsUser.All -nowelcome
$comp=get-mgdevice -search "displayname:<target>" -ConsistencyLevel eventual
update-mgdevice -deviceid $comp.id -Devicecategory 'Corporate Owned Computer'
update-mgdevice -deviceid $comp.id -deviceownership 'company'
```
The line to update the device category works as expected. The line to update deviceownership fails with the following error:
```
Update-MgDevice_UpdateExpanded:
Line |
   2 | update-mgdevice -deviceid $comp.id -deviceownership 'company'
     | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Insufficient privileges to complete the operation.
Status: 403 (Forbidden)
ErrorCode: Authorization_RequestDenied
Date: 2025-01-17T20:22:59
Headers:
Cache-Control : no-cache
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : b7d65e67-08c3-44c9-9785-3a0f9446f666
client-request-id : 38573192-495d-455b-83a1-1e408652d411
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"Canada Central","Slice":"E","Ring":"3","ScaleUnit":"000","RoleInstance":"TO1PEPF00004DF3"}}
x-ms-resource-unit : 1
Date : Fri, 17 Jan 2025 20:22:58 GMT
```
### Expected behavior
Updating both the device category and the device ownership should work.
### How to reproduce
I am trying to programmatically update the device ownership from personal to corporate for some misidentified machines. To replicate the error, I am presently a global admin and running the following:
```powershell
Connect-MgGraph -scope Directory.AccessAsUser.All -nowelcome
$comp=get-mgdevice -search "displayname:<target>" -ConsistencyLevel eventual
update-mgdevice -deviceid $comp.id -Devicecategory 'Corporate Owned Computer'
update-mgdevice -deviceid $comp.id -deviceownership 'company'
```
The line to update the device category works as expected. The line to update deviceownership fails with the following error:
```
Update-MgDevice_UpdateExpanded:
Line |
   2 | update-mgdevice -deviceid $comp.id -deviceownership 'company'
     | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Insufficient privileges to complete the operation.
Status: 403 (Forbidden)
ErrorCode: Authorization_RequestDenied
Date: 2025-01-17T20:22:59
Headers:
Cache-Control : no-cache
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : b7d65e67-08c3-44c9-9785-3a0f9446f666
client-request-id : 38573192-495d-455b-83a1-1e408652d411
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"Canada Central","Slice":"E","Ring":"3","ScaleUnit":"000","RoleInstance":"TO1PEPF00004DF3"}}
x-ms-resource-unit : 1
Date : Fri, 17 Jan 2025 20:22:58 GMT
```
### SDK Version
2.25.0
### Latest version known to work for scenario above?
No response
### Known Workarounds
No response
### Debug output
<details>
<summary>Click to expand log</summary>

```
DEBUG: [CmdletBeginProcessing]: - Update-MgDevice begin processing with parameterSet 'UpdateExpanded'.
DEBUG: [Authentication]: - AuthType: 'Delegated', TokenCredentialType: 'InteractiveBrowser', ContextScope: 'CurrentUser', AppName: 'Microsoft Graph Command Line Tools'.
DEBUG: [Authentication]: - Scopes: [Application.ReadWrite.All, AttackSimulation.Read.All, AttackSimulation.ReadWrite.All, ChannelMessage.Send, Chat.Create, Chat.ReadWrite, Device.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, Directory.AccessAsUser.All, Directory.ReadWrite.All, Group.ReadWrite.All, GroupMember.ReadWrite.All, openid, profile, User.Read, User.Read.All, User.ReadWrite.All, email].
Confirm
Are you sure you want to perform this action?
Performing the operation "Update-MgDevice_UpdateExpanded" on target "Call remote 'PATCH /devices/{device-id}' operation".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): a
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
PATCH
Absolute Uri:
https://graph.microsoft.com/v1.0/devices/03ef0d01-06eb-4989-929c-a4f535bdcf68
Headers:
FeatureFlag : 00000043
Cache-Control : no-store, no-cache
User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.26100; en-US),PowerShell/2024.4.0
Accept-Encoding : gzip
SdkVersion : graph-powershell/2.25.0
client-request-id : aea8c34d-e482-4746-ab6a-dc3d9bb6a234
Body:
{
  "deviceOwnership": "company"
}
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
Forbidden
Headers:
Cache-Control : no-cache
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : ea1a3f55-d471-4319-b98b-2026df312631
client-request-id : aea8c34d-e482-4746-ab6a-dc3d9bb6a234
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"Canada Central","Slice":"E","Ring":"3","ScaleUnit":"001","RoleInstance":"YT1PEPF00001ABB"}}
x-ms-resource-unit : 1
Date : Fri, 17 Jan 2025 20:30:34 GMT
Body:
{
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "date": "2025-01-17T20:30:35",
      "request-id": "ea1a3f55-d471-4319-b98b-2026df312631",
      "client-request-id": "aea8c34d-e482-4746-ab6a-dc3d9bb6a234"
    }
  }
}
Update-MgDevice_UpdateExpanded: Insufficient privileges to complete the operation.
Status: 403 (Forbidden)
ErrorCode: Authorization_RequestDenied
Date: 2025-01-17T20:30:35
Headers:
Cache-Control : no-cache
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : ea1a3f55-d471-4319-b98b-2026df312631
client-request-id : aea8c34d-e482-4746-ab6a-dc3d9bb6a234
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"Canada Central","Slice":"E","Ring":"3","ScaleUnit":"001","RoleInstance":"YT1PEPF00001ABB"}}
x-ms-resource-unit : 1
Date : Fri, 17 Jan 2025 20:30:34 GMT
DEBUG: [CmdletEndProcessing]: - Update-MgDevice end processing.
```

</details>
### Configuration
```
Name                           Value
----                           -----
PSVersion                      7.4.6
PSEdition                      Core
GitCommitId                    7.4.6
OS                             Microsoft Windows 10.0.26100
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0
```
### Other information
I have tried this on different machines just to be sure it was not an issue with the computer configuration. There seem to be prior instances of this bug where users stated that they were getting the same error, but none described the error only occurring when only updating this particular field.