SCCM | Intune | Windows 365 | Autopilot | Windows 11 Forums

SOLVED   Configuration Manager 2103 GetAppGroupAssignment failed with (0x87d00215).

  • Thread starter sethm
  • Start date May 6, 2021

sethm

  • May 6, 2021

Hello, After updating to 2103 on April 30th it would seem our clients can no longer get all applications. In CcmExec.log the error I see is GetAppGroupAssignment failed with (0x87d00215). During the update with the prereq check I did add the checkbox in Communication Security to Use Configuration Manager-generated certificates for HTTP site systems. I found after that we could not PXE and removed the setting so my suspicion is that this is what started the issue but I'm not sure how to fix it. If anyone has any thoughts or advice I would greatly appreciate it.  

sethm

  • May 10, 2021
Prajwal Desai said: Are the client agents updated to latest version on your computers?

Prajwal Desai

Forum owner.

  • May 7, 2021

Are the client agents updated to latest version on your computers?

OzerMutlusu

  • Jun 25, 2021

Hello, We have the same problem after updating to 2103. Applications are installed on the clients too long after they are deployed. In CcmExec.log the error is: GetAppGroupAssignment failed with (0x87d00215). What are your suggestions about this issue? Thanks in advance

Andagn

  • Oct 1, 2021

Hi there! Same here, after upgrading agent version 2103 to 2107 yesterday. OSD works fine, just a few applications won't work (i.e. O365 14228.20324). ccmexec.log shows up 0x87d00215  

deilsonoliveira

  • Oct 7, 2021
OzerMutlusu said: Hello, We have the same problem after updating to 2103. Applications are installed on the clients too long after they are deployed. In CcmExec.log the error is: GetAppGroupAssignment failed with (0x87d00215). What are your suggestions about this issue? Thanks in advance

DavoPaul

  • Jul 7, 2023
  • Jul 19, 2023
DavoPaul said: I have just encountered this issue, removing the supersedence rule resolved the issue for me. 2 years later


GetAppGroupAssignment failed with (0x87d00215). #183

Henrikcj commented Nov 4, 2021

Kraktorist commented Nov 5, 2021

Modern IT – Cloud – Workplace

Enterprise Mobility and the Microsoft Cloud

Windows Company Portal

Intune application targeting for Windows 10 Win32 apps explained

In this article we will dive into the basics of Windows 10 application assignments (Win32 apps) in Intune and the differences depending on the situation (single-user associated device, shared devices, non-primary devices). Microsoft Intune differentiates the install intent based on the app assignment (required install, available for enrolled devices, or uninstall). This is only one piece that controls the behavior. We also need to assign a user group or device group for the app install intent. Lastly, whether a user is the primary user of the device also influences the ability to install applications. In summary, the install of Windows 10 Win32 applications is controlled by the following factors:

App install intent:

  • Required assignment
  • Available for enrolled devices assignment
  • Uninstall assignment

Group assignment:

  • User group assignment
  • Device group assignment

Additional properties:

  • Primary user of the device

If we have a look at the application assignment screen we will see the options from above except the primary user behavior as this is an implicit behavior which I will explain later in the article:

Intune app assignment settings overview

Let’s start with a required user assignment of our demo application 7-zip. I will not walk through every combination but I will show the most important ones to get the general understanding. I have chosen to “Show all toast notifications” and availability and install “As soon as possible”:

Intune app assignment setting required

The Intune Management Extension (IME) is the small helper agent on Windows 10 responsible for installing our apps (see my deep dive on IME here: Part 1, Part 2, Part 3). The regular polling interval of the IME is 60 minutes. Within the next 60 minutes the user will see the notification of the required change (Tip: for debugging or testing you can restart the service “Microsoft Intune Management Extension”; this triggers an instant lookup for a new policy and the new install intent):

Intune IME toast message change notification

the user will be notified of the download progress:

Intune IME toast message download notification

and finally the success message if everything went well, or a failure message in case of an error:

Intune IME toast message install success notification

This behavior is always the same when the end user notification is set to “Show all toast notifications”. It applies to user and device based assignments alike, and to both required and available for enrolled devices. If you have chosen to hide the toast notifications, they are simply not shown.

This is pretty straight forward and basic application distribution.

What about “available for enrolled devices”, how are they made visible to the end user?

First we need the Company Portal on the device. This can be achieved by installing it via the built in Windows 10 Microsoft Store, just search for Company Portal and install it:

Microsoft Store with Company Portal details

If you have setup the Microsoft Store for Business (MSfB) integration with Intune you can also assign the Company Portal to your users directly via Intune as a required install. The client will reach out to the Microsoft Store and downloads the latest version and installs it on the device. This is the recommended way of distributing the Company Portal.

If you did not integrate Microsoft Store for Business with Intune, or you have trouble with connectivity to the Microsoft Store (for example, you have blocked network access to the Microsoft Store, or Conditional Access requires a compliant device to authenticate to the Microsoft Store but the device is not flagged as compliant in time during the OOBE phase), you can use the offline version of the Company Portal. After you have followed the linked guide and imported the offline version, you will see the “Company Portal (Offline)” version as well:

Keep in mind that the Company Portal (Offline) version should be assigned to a device group to work properly.

As soon as you deployed the Company Portal you will see all apps which are assigned as “Available for enrolled devices” to your user groups like this:

Company Portal

After a click on one of the apps and choosing Install you will see the same toast messages and some progress status within the Company Portal about the install. Finally the software gets installed on the device.

Company Portal app install details

Let’s summarize what we have seen so far. We can assign apps as required for install without user interaction and we can make them available via Company Portal. We have options to show or hide the additional toast messages. What I did not mention until now is that we also have an option to specify a time window for when the app becomes available and the final installation deadline.

Intune Win32 App assignment settings

These options should give you enough flexibility to install your necessary apps for the users and provide them an additional catalog of available apps for install on their personal needs.

For typical user devices, devices which belong to one person, this is basically all we need. We assign all the apps to a user as required or available, and even when the person gets a new device, all the required apps are installed again and the others are available for install. This is a true user-to-app relationship, and the device does not matter in that situation. Device based assignments have the problem that the management system loses all assignments when a device gets replaced. This is not the case with user assignments, which normally greatly simplifies internal processes around application assignments.

What about the primary user of the device and app assignments?

If we have a closer look at the devices in Intune we will see two properties, Enrolled by and Primary User:

Intune device object details (primary user)

It might look as if these properties have no impact, but this is not true. The primary user of a device controls the ability to install available apps! This is quite important to know as it has some consequences.

Let’s have a look at the typical user device, belonging to one person (Autopilot user-driven deployment). This person can install all his software on his device. As soon as a user logs in to a device where he is not primary user the Company Portal will not let him install any apps:

Company Portal message for non primary users

Actually this is a good thing, as it prevents unnecessary application installs when users are on other devices, for example because they have forgotten their own device or just want to look something up quickly and only have access to a colleague’s device.

As soon as we convert a device to a shared device by enrolling it without a primary user (Autopilot self-deploying mode) or removing it as soon as the feature becomes available, we will get the chance to install the apps again. A shared device has no primary user:

And will show the apps again in the company portal:

Is there a way to change the primary user of a device?

Currently there is no way to do this, but it is in development (Intune features in development – 19th of February 2020). Microsoft Intune will provide a way to change the current primary user to a different one for Hybrid and Azure AD joined devices (not co-managed devices!). This way a device can easily be repurposed and given to a different user. In the future there will be UI controls on the device object in Intune to change or remove the primary user.

Right now, it is possible to change or remove the primary user of a device by utilizing a complete reset. For Azure AD joined devices a Windows Autopilot Reset will remove the primary user and the next user who signs in after the reset will be set as the primary user.

UPDATE (Week of March 9, 2020): Change Primary User for Windows devices has been released https://techcommunity.microsoft.com/t5/intune-customer-success/change-the-intune-primary-user-public-preview-now-available/ba-p/1221264

What about shared multi-user devices?

As soon as we support multi-user devices, we need to enroll them as shared devices, or remove the primary user (with the upcoming feature), to get the available apps functionality in Company Portal. Another option would be to use device group assignments for applications in Intune. If we have chosen user assignments as required app installs, the app gets installed even when the user is not the primary user of the device. This could result in installations when users with required installs are switching devices!

Ideally Intune would support user assigned, required app installs for “primary users only” to prevent unnecessary installs.

A possible idea to prevent this from happening is, using some clever scripting logic within the app packages.

A device enrolled as Autopilot user-driven deployment, but used as a shared device, is still bound to the enrollment user. In that case the “available apps” are not available in the company portal. Required apps assigned to the user would be installed:

There is the option in Intune to use device group assignment for required app installs. We can assign applications to device groups as required install to prevent switching users triggering required installs. We can choose the same toast notification behavior and availability/deadlines.

If we use device assignments we have to deal with some extra situations. In case of device replacement the app assignments need to be restored for the new device. Device based assignments are also challenging because Azure AD dynamic device groups only have a limited set of attributes available for grouping devices (see Dynamic membership rules for groups in Azure Active Directory).

This makes it difficult to automatically group all devices based on custom attributes. For example, attributes representing basic things such as the region (EU, US) or, more specifically, the country (Germany, Spain, France, etc.) would be great. I can imagine all kinds of situations where some additional attributes would be a lifesaver. Imagine two attributes like shared device and region. This would give us the chance to group shared devices by region or country and then assign them the necessary apps for required install. Hopefully Microsoft will provide something like this in the future; we have to wait and see. For now we need to find our own ways to deal with this situation. A possible way is to use the Autopilot Group Tag to group your devices:

That way we can introduce some tags which can be used for grouping in dynamic AAD device groups.

What I see in addition here is custom scripting to populate the Azure AD device groups, maybe with the help of an Azure Automation PowerShell Runbook, or implementing enough logic within the apps to control the install at application level. For example, an application install wrapper can check if the device is ready to install based on some properties. This could be implemented by using the App requirement rules (see my fellow Peter van der Woude’s blog for some details: “Working with (custom) requirements for Win32 apps”) or logic within an install wrapper (a PowerShell wrapper script, for example). That way we could evaluate registry keys etc. before triggering the application install. A downside of custom attributes on the devices is a chicken-and-egg situation, as Intune apps don’t have any order in which they are installed on the device (typically the Intune PowerShell scripts are applied early in the process, but this is not guaranteed). An app requiring a specific registry key may fail because the preparation app package that writes the necessary registry keys may not be executed as the first app in the total assignment of apps. Another downside of applications assigned to a large audience and relying on requirement rules is that we generate unnecessary load on our endpoints.
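The requirement-rule approach described above, as an added example that is not part of the original article: a custom requirement script that reads device markers from the registry and handles the chicken-and-egg case where the preparation package has not run yet. The registry path `HKLM:\SOFTWARE\Contoso\DeviceInfo`, the value names `SharedDevice` and `Region`, and the region list are hypothetical.

```powershell
# Added example: custom requirement script for a Win32 app.
# Hypothetical markers, written by a separate "preparation" package:
#   HKLM:\SOFTWARE\Contoso\DeviceInfo
#     SharedDevice (DWORD, 1 = shared device)
#     Region       (string, e.g. EU or US)
# The markers live under HKLM so that a standard user cannot change them
# to make a device look eligible.
$keyPath        = 'HKLM:\SOFTWARE\Contoso\DeviceInfo'
$allowedRegions = @('EU', 'US')

function Get-InstallEligibility {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$Regions
    )

    # Chicken-and-egg case: the preparation package has not run yet.
    # Report a distinct state instead of throwing, so the rule evaluates
    # cleanly and the app is re-evaluated on a later check-in.
    if (-not (Test-Path -LiteralPath $Path)) { return 'NotReady' }

    $info = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $info -or
        $null -eq $info.SharedDevice -or
        [string]::IsNullOrWhiteSpace($info.Region)) {
        return 'NotReady'
    }

    if ($info.SharedDevice -ne 1)          { return 'NotShared' }
    if ($Regions -notcontains $info.Region) { return 'WrongRegion' }
    return 'Eligible'
}

# The requirement rule compares this single STDOUT string with the
# value configured on the rule.
Write-Output (Get-InstallEligibility -Path $keyPath -Regions $allowedRegions)
exit 0
```

Configure the requirement rule with output data type String, operator Equals and value `Eligible`; any other output means the requirement is not met and the app is not installed on that device.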

Tell me something about uninstall assignments?

Finally you can also assign apps for uninstall when they are previously installed as required or available for enrolled devices. We can’t uninstall apps which are not installed by Intune. Here we would need to create a custom Win32 app (.intunewin) containing a wrapper script to uninstall certain apps and then assign this app for install.

Conflicting app intents based on multiple assignment?

If we produce multiple assignments because of different group memberships, the Microsoft article “How conflicts between app intents are resolved” describes the final behavior.

As you can see on single user devices we have a well thought solution and even shared multi-user devices can be covered if we add some grouping logic. I hope this clarifies the general Intune behavior based on the different Windows 10 app assignments. Happy app deploying!

15 replies to Intune application targeting for Windows 10 Win32 apps explained

You could target your regional shared devices with an autopilot profile per region and then target a dynamic group that contains that autopilot profile. This should survive a device reset and if you’re deploying at scale, be something that your OEM vendor can align from the factory

Correct, this can be a way to introduce a custom attribute, it won’t survive replacement but a custom attribute is available with that. Actually we also can modify the group tag since some time, so we have some kind of flexibility here. But again I think some extensionAttributes like we have on the user object would be very helpful. Good comment anyway, should be really considered during designing 👍

Hello Oliver, we are in the process of preparing intune and autopilot/white glove for 300+ devices. Until now, we wanted to deliver as much software as possible through the white glove process (device-bound software assignment). But your recommendation is aimed at user-bound. It would be nice if the White Glove process could consider the assigned user in autopilot devices and install the user-bound apps. Do you have more information or a recommendation? Or should it work like described but doesn’t apply to hybrid joined devices?

Yeah, actually this is not an easy task. I’m not saying you have to use user assignments for every situation. Currently the primary user support is expandable imho, but I’m not aware when we get enhancements here. In your case it makes sense to use device assignments for that process. I’ve updated the post a bit to shed some more light on this.

Does the restriction that only the primary user can install apps on his device also apply if you assign the app as required to another user? Or only if it’s assigned as available?

I’ve updated the post to be more clear here, thanks for the feedback,

Hi Olivier,

great article! For the Uninstall… a few questions that I haven’t found answers yet. – App must be installed by Intune in order to be uninstalled? I mean, really? if the detection job did the trick, the uninstall string wouldn’t work at all? a bit odd when you have legacy computers that you now manage that already had the application installed prior to being Intune managed, or even if the app came from SCCM/Co-Management… – When targeting a group to uninstall, does it behave as an exclude for the required on top of the uninstall? For example, the required is targeted to all device/users, and target a group to uninstall, should that group be set to Required+exclude?

thanks! Jonathan

Hi Jonathan,

The easiest way of such a cleanup in these situations is to build an Intune package with an install command which actually runs a PowerShell script which does the uninstall of the app(s). These apps may then have been previously installed by whatever it was (SCCM, manual, other software management tool).

Uninstall does not have higher preference as required. See the App install intents and how they are resolved here: https://docs.microsoft.com/en-us/mem/intune/apps/apps-deploy#how-conflicts-between-app-intents-are-resolved . So yes you would need to exclude from required and target the uninstall, otherwise the required will be the final result and uninstall will never happen.

best, Oliver

Thanks for the answer.

With that said, Required wins over uninstall. But here’s another catch that is not covered in the Conflict table.

All users: required
User Group A: Excluded required
User Group A: Uninstall

Somehow, this makes users loop between Install and Uninstall… Within the same day, Install/Uninstall will happen 2-3 times. I was able to reproduce this for multiple users.

The expected behavior would be that because of the Exclude, the Uninstall wins, but it doesn’t. If I begin to manage uninstall scripts on the side of the current application, it will become a mess eventually 😉

Hey Jonathan,

interesting catch! I need to test this myself, but as you wrote, the normal behavior should be that uninstall wins. Let me do some tests and I will come back with my observations and thought about this.

I’m testing some available win32 app installs via company portal and from this installed them on a device. I’ve created groups for required uninstalls and applied them to the apps – so when a machine requires the software removing, it should in theory come off . I add the machine name, hey presto under Managed Apps against the device it appears as Resolved intent=”Required uninstall” Installation status=”Installed”….. so it knows to remove the software. However a day later, and still nothing!!! Intune and the device are talking as other software has been added/removed via require mechanism. Any thoughts? We need that Uninstall button for available apps in the company portal!

Here is a good summary what happen when: https://docs.microsoft.com/en-us/mem/intune/apps/apps-deploy#how-conflicts-between-app-intents-are-resolved

Your problem is that you are trying to remove the software by using the device here:

User Available and Device Uninstall Intune resolves Available
User Available and User Uninstall Intune resolves to Uninstall

Your scenario would only work with user in the uninstall group, but yeah I know it would trigger the uninstall on every device from the user, which might not be the actual intent…

The whole Available scenario is currently not really feature complete. Most people are using required only because of this “gaps”. I hope they are addressed soon. But right now you have these downsides…

We have enrolled shared devices with autopilot self deploying-mode. Now if a user logs in with a special application assigned which needs a license this will be installed. All good so far, but if then another user logs in, which should not have this application installed, he can also see this application. Is there a solution for that?

Best Regards

Not really, only way would be that your app (which needs a license) can be installed in user context. That way only the install user would see it, as it is in his user profile. Typical installs are not user installs, they are installed per-machine (in system context). So, if your special app does not support user-context install, you are not able to hide it from the second user once it is installed.

Good Workaround!

Full IGA using Azure AD – Getting app role assignments using PowerShell

In this post I will quickly demo how to use PowerShell to get app role assignments for all applications using the Microsoft Graph.

You should have followed my previous post in order to have created an application, added some appRoles to the manifest and granted access to the Graph.

Let’s recap the important parts:

1 – Create an enterprise application in Azure AD

2 – Go to “app registrations”, find the app and add appRoles to the manifest

The following are provided by default, disable those and add some custom ones. See the below example roles.

3 – Go back to enterprise applications and assign users some roles

4 – Grant access to the required Graph resources

Go to app registrations, find the application and go to “API permissions”. Click “Add a permission”:

Select the Microsoft Graph:

Choose Application permissions, as we are doing things without a user context:

Add “User.Read.All” and “Group.Read.All” and click save.

You will see that the added permissions now have “Not granted for <Organization>” as status. Click “Grant admin consent for <Organization>” in order to enable these new permissions:

This is what it should look like:

5 – Request data with PowerShell

First, generate a secret under app registrations in Azure AD. This is the $secret variable in the PowerShell scripts below.

Go to the enterprise application and copy the “Application ID” – this is the $clientid variable in the PowerShell scripts below.

Copy “Object ID” – this is the $servicePrincipalId variable in the PowerShell scripts below.

The $tenant variable can be either any custom domain registered in the tenant, the default domain or the tenant id (you can find it here) found on the app registrations page on your application.

The first example PowerShell will return a simple grid view with a multi valued column containing the roles of each assigned object. The script will not dig into the group members.

And here is an example for you that also digs into the different assigned groups and fetches all transitive members of those:
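The original scripts are not present on this page. The following is an added example, not the author's code, that covers both cases described above: it lists the role assignments of the enterprise application and expands assigned groups to their transitive user members. The tenant name and GUIDs are constructed placeholders, reading the secret from the `GRAPH_CLIENT_SECRET` environment variable is an assumption, and the script assumes the permissions granted to the app allow reading the service principal's assignments (an HTTP 403 means they do not).

```powershell
# Added example. Placeholder values are constructed, not from the post.
$tenant             = 'contoso.onmicrosoft.com'
$clientid           = '00000000-0000-0000-0000-000000000000'  # Application ID
$servicePrincipalId = '11111111-1111-1111-1111-111111111111'  # Object ID
# Assumption: the secret comes from the environment, not the script file.
$secret = $env:GRAPH_CLIENT_SECRET
if (-not $secret) { throw 'Set GRAPH_CLIENT_SECRET before running.' }

# Client credentials flow: application permissions, no user context.
$token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenant/oauth2/v2.0/token" `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $clientid
        client_secret = $secret
        scope         = 'https://graph.microsoft.com/.default'
    }
$headers = @{ Authorization = "Bearer $($token.access_token)" }
$graph   = 'https://graph.microsoft.com/v1.0'

function Get-GraphCollection {
    param([Parameter(Mandatory)][string]$Uri)
    # Follow @odata.nextLink so large result sets are not truncated.
    while ($Uri) {
        $page = Invoke-RestMethod -Method Get -Uri $Uri -Headers $headers
        $page.value
        $Uri = $page.'@odata.nextLink'
    }
}

# Map appRole id -> role value as defined in the manifest.
$spUri = '{0}/servicePrincipals/{1}?$select=appRoles' -f $graph, $servicePrincipalId
$sp    = Invoke-RestMethod -Method Get -Uri $spUri -Headers $headers
$roleName = @{}
foreach ($r in $sp.appRoles) { $roleName[$r.id] = $r.value }

$assignments = Get-GraphCollection "$graph/servicePrincipals/$servicePrincipalId/appRoleAssignedTo"

$rows = foreach ($a in $assignments) {
    # An all-zero appRoleId means the principal was assigned without a role.
    $role = if ($roleName.ContainsKey($a.appRoleId)) { $roleName[$a.appRoleId] }
            else { 'Default access' }

    if ($a.principalType -eq 'Group') {
        # Expand nested groups too, keeping only user objects.
        $uri = '{0}/groups/{1}/transitiveMembers?$select=id,displayName' -f $graph, $a.principalId
        Get-GraphCollection $uri |
            Where-Object { $_.'@odata.type' -eq '#microsoft.graph.user' } |
            ForEach-Object {
                [pscustomobject]@{
                    Id   = $_.id
                    User = $_.displayName
                    Role = $role
                    Via  = "Group: $($a.principalDisplayName)"
                }
            }
    }
    elseif ($a.principalType -eq 'User') {
        [pscustomobject]@{
            Id   = $a.principalId
            User = $a.principalDisplayName
            Role = $role
            Via  = 'Direct'
        }
    }
}

# One row per user with a multi-valued Roles column.
$rows | Group-Object Id | ForEach-Object {
    [pscustomobject]@{
        User  = $_.Group[0].User
        Roles = ($_.Group.Role | Sort-Object -Unique) -join ', '
        Via   = ($_.Group.Via  | Sort-Object -Unique) -join '; '
    }
} | Sort-Object User | Format-Table -AutoSize
```

The `Via` column shows whether a role comes from a direct assignment or from group membership, which is the detail an access review needs when a role has to be removed.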

That’s it, I have now gone through three ways of getting the application role assignments from Azure AD into your application:

  • SCIM provisioning
  • At sign in (OAuth ID Token or SAML Claim)
  • Fetching by Graph calls

The next posts will focus on how to actually manage application role assignments, dynamically assigning, using Entitlement Management to allow both internal and invited users to request access and other means. Stay tuned!

Published by Marius Solbakken

Manage App Groups with the Azure Portal

WVD Spring 2020 Update

ⓘ Important This content applies to the Windows Virtual Desktop Spring 2020 update public preview with Azure Resource Manager objects. Click here for guides using Windows Virtual Desktop Fall 2019 release without Azure Resource Manager objects.

The Windows Virtual Desktop Spring 2020 update makes it possible to create and manage app groups with the Azure portal. RemoteApp application groups are used to publish Start menu apps. In addition, you can now use Azure Active Directory groups to create app group assignments.

In this post, I will walk you through managing app groups with the Azure portal, which includes:

  • Creating assignments for the default desktop application group
  • Creating additional RemoteApp groups
  • Publishing Start menu apps to RemoteApp groups
  • Registering a RemoteApp group to a workspace
  • Creating assignments for a RemoteApp group

Desktop application group

When you created your host pool a default app group was created. This app group is called the desktop application group and it publishes the full desktop. If you want users to be able to access the full desktop, you will need to create assignments for this app group.

  • Sign into the Azure portal.
  • Search for Windows Virtual Desktop , and select Windows Virtual Desktop under Services

  • On the Windows Virtual Desktop pane, under Manage , select Host pools.

  • Select the appropriate host pool from the list.

  • On the host pool details pane, under Manage, select Application groups.

Here you will see a list of the application groups for the host pool. The only one listed is the default desktop application group that was created with the host pool. Notice the application group type is desktop. This app group publishes the full desktop, so applications is listed as zero. Users is also zero, indicating no assignments have been created for this app group.

  • Select the desktop application group. This brings you to the overview of the app group.

  • Under Settings select Properties. Here you can change the Friendly name and Description.

  • Under Manage, select Assignments. By default, there are no users or user groups assigned. Select Add.

  • Search for and select the users or user groups you wish to grant access to the desktop application group. You can add multiple users or user groups, or any combination of each. Then select Select.

  • Select Refresh if necessary, and you will see the users and user groups that have assignments listed.

Prior to the WVD Spring 2020 update, assignments were administered using PowerShell, and you could only add users, by UPN, one user at a time. Now you can add assignments to user groups, and control access by modifying the group membership. This is a big improvement and a time saver.

If you navigate back to the host pool overview and select Application groups, you will notice the Users column shows one, even if you added a user group with several members. It is a little misleading, each group is counted as one assignment, regardless of how many members the group has.
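Because the portal counts a group as one assignment, an access review needs the membership behind each assignment. The following added example (not from the original post) lists who is assigned to each application group and how many direct members each assigned group has. It assumes the Az.Accounts, Az.Resources and Az.DesktopVirtualization modules, an existing `Connect-AzAccount` session, and that assignments use the built-in "Desktop Virtualization User" role; the resource group name is a placeholder.

```powershell
# Added example. The resource group name is a constructed placeholder.
$resourceGroup = 'rg-wvd-demo'

$report = foreach ($ag in (Get-AzWvdApplicationGroup -ResourceGroupName $resourceGroup)) {
    # Returns assignments made on the app group itself and those
    # inherited from the resource group or subscription.
    $assignments = Get-AzRoleAssignment -Scope $ag.Id |
        Where-Object { $_.RoleDefinitionName -eq 'Desktop Virtualization User' }

    foreach ($ra in $assignments) {
        $members = 1
        if ($ra.ObjectType -eq 'Group') {
            # Direct members only; nested groups are counted as one member.
            $members = @(Get-AzADGroupMember -GroupObjectId $ra.ObjectId).Count
        }
        [pscustomobject]@{
            AppGroup      = $ag.Name
            Type          = $ag.ApplicationGroupType
            Principal     = $ra.DisplayName
            PrincipalType = $ra.ObjectType
            DirectMembers = $members
            # True when access comes from a broader scope than the app group.
            Inherited     = ($ra.Scope -ne $ag.Id)
        }
    }
}

$report | Sort-Object AppGroup, Principal | Format-Table -AutoSize
```

Rows with `Inherited` set to True do not appear under the app group's Assignments blade as added there, but they still grant access to the published desktop or apps.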

Create a RemoteApp group

In addition to the desktop application group, you can create one or more RemoteApp groups. These groups are used to publish individual Start menu apps.

There are two ways to begin creating a RemoteApp group:

  • From the Windows Virtual Desktop overview, select Application groups and then select Add.

  • From within the host pool, under Manage select Application groups and then select Add.

If you start from within the host pool, the app group will be added to that host pool. If you start from the WVD overview, you will have to specify which host pool to add the app group to. These steps will start from within the host pool.

On the Basics tab:

  • Subscription: Select the subscription you are creating the WVD resource in.
  • Resource group: Click Create new to create a new resource group or select an existing resource group to create the app group in.
  • Host pool: If necessary, specify the host pool to create the app group in.
  • Location: If necessary, specify the location to store the metadata.
  • Application group type: Select RemoteApp . You can only have one Desktop app group per host pool, so if one already exists, Desktop will be greyed out.
  • Application group name: Enter a name for the RemoteApp group.

Select Next: Assignments.

Assignments

On the Assignments tab:

  • Select Add Azure AD users and user groups (you can skip this step if you want to add assignments later)

  • Search for and select the users or user groups you wish to grant access to the application group. You can add multiple users or user groups, or any combination of each. Then select Select.

Select Next: Applications.

Applications

On the Applications tab:

  • Select Add application (you can skip this step if you want to add applications later)

  • On the Add application blade:

  • Application source: Add an application from the Start menu or from a file path.

If you choose Start menu:

  • Application: Select an application from the dropdown list. This list is populated from the applications installed on the session hosts in the host pool. I used an image that included Office 365, so Office applications are available to add to the app group.

Once you select an app from the list, the app details will fill in automatically. Select Save.

If you choose File path:

  • Application path: Enter the path to the application executable.
  • Application name: Enter the name of the application.
  • Display name: Enter a display name for the application (optional).
  • Icon path: Enter the path to the icon for the application.
  • Icon index: Enter the index value for the icon (0 to use the first icon in the file).
  • Description: Enter a description of the application (optional).

Select Save.

  • Repeat steps 1 and 2 as many times as necessary to add more applications. An app group can contain one or many applications.

Select Next: Workspace

For users to access this app group, it must be registered to a workspace. By default, No is selected for Register application group. If you do not register the app group now, you will have to do it later before users can access it.

To register the app group now:

  • Register application group: Yes
  • Register application group: (should say “To this workspace” I think) Select the workspace to register the app group with. All app groups in a host pool must be registered to the same workspace. If you registered the default desktop application group to a workspace when you created the host pool, that workspace will be selected, and you will not be able to change it.

Tags are used to categorize resources in Azure for viewing and billing, but they are optional. If you want to create and assign tags, select Next: Tags and fill in the name/value pairs.

Once you have completed the Tags tab, or if you choose not to assign tags, select Review + create.

Review + create

On the Review + create tab, you have a chance to review the information about your app group and make sure it looks correct. If it does not, select Previous to go back and make the appropriate changes. Azure will run your template through a validation process as well. If all the required information has been provided, you will see a green bar stating Validation passed. If validation fails, read the error to determine what needs to be fixed.

Once you are satisfied with the information and validation passes, select Create to create the app group.

In a matter of minutes, less most likely, your app group will be created.

Now if you go back to the details of your host pool and select Application groups, you will see the new app group.

If you select the app group, you can manage the app group, including adding or removing applications…

…and adding or removing assignments.

You can create as many RemoteApp application groups as you need. You can assign users and user groups to as many app groups as necessary to give them the applications they need. This gives you incredible flexibility. Simply adding a user to the correct Azure AD groups can ensure they have access to the applications they need. No need to create or maintain multiple images.

What’s Next?

One of the great benefits of Windows Virtual Desktop is that users can connect from anywhere, from just about any device. This also introduces some risk. Next, we will look at requiring multi-factor authentication to increase security when users connect to WVD.

Make sure to check out more great articles at ITProTV

Want to see it in action? Get a free preview of my Hands-on with WVD course at ITProTV. https://www.itpro.tv/courses/microsoft/windows-virtual-desktop/

Andrew Taylor

Bulk Assigning Apps and Policies in Intune

Sometimes when working with an Intune environment, I find myself needing to assign all of the policies, apps etc. to a new Entra ID Group (new UAT group, changing from All Users etc.)

Currently, this is a VERY manual process, clicking on each in the web portal and then assigning, but thanks to PowerShell and Microsoft Graph (and a touch of JSON), now it’s possible.

Introducing the Bulk Assignment GUI Tool

As with all scripts, it is available on GitHub here and also on PowerShell Gallery.

I’m not going to run through the whole code here, but here is what it does:

First, it installs the Intune Graph PowerShell modules in the current user context.

Then it prompts you to connect to Entra ID and grabs all of the Entra groups to populate the group drop-down.

Once the GUI loads, you can pick what you want to assign and to which group.

On clicking Assign, it gets the ID of the Entra group, loops through everything in the selected categories and assigns each item to the selected group.

For Windows, iOS and Android apps, it will assign the applications as Available to avoid having potentially hundreds of apps auto-installing!

For macOS, Available isn’t an option, so these will be marked as Required; be extra careful with these.

Hope this is of some use, happy assigning!!

58 thoughts on “Bulk Assigning Apps and Policies in Intune”

Thanks for the tool but at this stage it’s no use for me and I work with Windows and IOS and not having the option to assign groups as REQUIRED is a setback. I never use AVAILABLE. A wish for this tool is to have a dropdown list to select the type of assignment.

Thanks for the feedback! I have updated the script now to give a drop-down for the assigned intent so you can select Available or Required

This doesn’t seem to populate any fields for the AADGroup dropdown? I am reluctant to press “Assign” with any options as this doesn’t feel right.

Can you check if it authenticated against AzureAD ok?

Nice tool! Unfortunately it doesn’t show all Azure AD Groups? I have a Group name Structure “ABC-DEF-GHIJK (LMNO)” and it won’t show up.

I’ve just released an update, can you try that please?

Thanks for quick response!

No, didn’t show up 🙁 maybe it’s because Groups are limited to 99? We have over 1000 AD Groups. If I enter the group name manually it always says

Get-MgGroup : Unsupported or invalid query filter clause specified for property ‘displayName’ of resource ‘Group’. […] No Target Group Id specified, specify a valid Target Group Id

Ah, it could be. I’ve added “-All” to the Get-MGGroup command so can you see if that supports more than 100? Otherwise I’ll look at allowing free text in the field

Now all groups are shown, thanks! Yes, maybe a free text field would be helpful.

But now I get another error after pressing “Assign”

Shell: Getting Applications No Install Intent specified, specify a valid Install Intent – available, notApplicable, required, uninstall, availableWithoutEnrollment

Are you assigning applications or just everything else?

I’ve spotted the problem, I can’t spell! Try again now

Thank you very much!

Works as expected now and saved us lot of time 😉

Hello Andrew,

when we assign our group to ios apps, they are stored as user license, but we need them to be as device license. Do you know what we need to adjust?

Regards, Florian

Hi Florian,

If it’s VPP apps, you need to add settings into the JSON in the Add-ApplicationAssignment function (I would probably create another function for it):

Function Add-ApplicationAssignmentVPPiOS() {

    [cmdletbinding()]
    param (
        $ApplicationId,
        $TargetGroupId,
        $InstallIntent
    )

    $graphApiVersion = "Beta"
    $Resource = "deviceAppManagement/mobileApps/$ApplicationId/assign"

    try {

        if (!$ApplicationId) {
            write-host "No Application Id specified, specify a valid Application Id" -f Red
            break
        }
        if (!$TargetGroupId) {
            write-host "No Target Group Id specified, specify a valid Target Group Id" -f Red
            break
        }

        if (!$InstallIntent) {
            write-host "No Install Intent specified, specify a valid Install Intent – available, notApplicable, required, uninstall, availableWithoutEnrollment" -f Red
            break
        }

        $JSON = @"
{
    "mobileAppAssignments": [
        {
            "@odata.type": "#microsoft.graph.mobileAppAssignment",
            "settings": {
                "@odata.type": "#microsoft.graph.iosVppAppAssignmentSettings",
                "isRemovable": true,
                "uninstallOnDeviceRemoval": false,
                "useDeviceLicensing": true,
                "vpnConfigurationId": null
            },
            "target": {
                "@odata.type": "#microsoft.graph.groupAssignmentTarget",
                "groupId": "$TargetGroupId"
            },
            "intent": "$InstallIntent"
        }
    ]
}
"@

        $uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)"
        Invoke-MgGraphRequest -Uri $uri -Method Post -Body $JSON -ContentType "application/json"
    }
    catch {
        $ex = $_.Exception
        $errorResponse = $ex.Response.GetResponseStream()
        $reader = New-Object System.IO.StreamReader($errorResponse)
        $reader.BaseStream.Position = 0
        $reader.DiscardBufferedData()
        $responseBody = $reader.ReadToEnd();
        Write-Host "Response content:`n$responseBody" -f Red
        Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
        write-host
        break
    }
}

Then change this to use the new function:

if ($ios.checked -eq $True) {
    ##Assign iOS apps

    foreach ($iosapp in $iosapps) {
        Add-ApplicationAssignment -ApplicationId $iosapp.id -TargetGroupId $intunegrp.Id -InstallIntent $assignmenttype
        Write-Host "Assigned $($intunegrp.DisplayName) to $($iosapp.displayName)/$($iosapp.id)" -ForegroundColor Green

    }
    Add-Type -AssemblyName PresentationCore, PresentationFramework
    $msgBody = "iOS Apps Assigned"
    [System.Windows.MessageBox]::Show($msgBody)
}

I hope this helps

Very useful script, thanks. I assigned iOS apps but then realised they were user not device! So used your tip above to amend the script but now when running again to reassign correctly, I get “Method invocation failed because [System.Net.Http.HttpResponseMessage] does not contain a method named ‘GetResponseStream’.” which I think relates to where the app already has an assignment of that type e.g. “available”? or maybe where it’s trying to overwrite with group of the same name? Any thoughts on how I can resolve this?

Can you contact me via the form on here and I’ll grab a copy of what you’ve done so far and see what I can do

I’m getting error responses when attempting to assign applications to any group on intune. Is there an issue with assigning Android Enterprise applications maybe? The script was able to bulk assign iOS apps.

It did assign one app from managed google play, but it is a web app.

I get the following error. I’m wondering if I made some weird rookie mistake.

Method invocation failed because [System.Net.Http.HttpResponseMessage] does not contain a method named ‘GetResponseStream’. At C:\Users\matthew.bostic\Documents\PowerShell\Scripts\bulk-assign-intune.ps1:3113 char:9 + $errorResponse = $ex.Response.GetResponseStream() + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (:) [], RuntimeException + FullyQualifiedErrorId : MethodNotFound

Hi, What assignment intent are you setting? Android Enterprise apps can only do Required so if you’re selecting Available, that will cause an error

Thank you for your quick response.

That would in fact be the issue then.

One more thing, is there not a way for this to apply to AE apps where we can just make them available? That can be done manually for “All Users”, otherwise we are looking at making all of the apps download automatically. With other MDMs this has created a huge issue with Google Services.

If this won’t work, it definitely defeats the purpose of this script for me, but I may be going about this the wrong way. I’m at the very beginning with Intune.

Is it definitely Android Enterprise apps you are looking at? In my tenant I can’t make them available at all, it’s required or uninstall only.

I just realized, the term I meant was “Managed Google Play store app”, not Android Enterprise app.

When the script goes through those applications, it errors out, except for Web Apps.

Ah, in that case, edit the script and find the add-applicationassignment function (should be around line 2998) and replace the JSON with this:

{
    "mobileAppAssignments": [
        {
            "@odata.type": "#microsoft.graph.mobileAppAssignment",
            "intent": "Available",
            "settings": {
                "@odata.type": "#microsoft.graph.androidManagedStoreAppAssignmentSettings",
                "androidManagedStoreAppTrackIds": [],
                "autoUpdateMode": "default"
            },
            "target": {
                "@odata.type": "#microsoft.graph.allLicensedUsersAssignmentTarget"
            }
        }
    ]
}

Not working, I am getting an error when the script tries to assign the apps: Getting Applications Method invocation failed because [System.Net.Http.HttpResponseMessage] does not contain a method named ‘GetResponseStream’. At C:\Users\YacovMor\OneDrive – Solutech\Scripts\Assign Bulk Intune.ps1:3144 char:9 + $errorResponse = $ex.Response.GetResponseStream() + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (:) [], RuntimeException + FullyQualifiedErrorId : MethodNotFound

What kind of apps are you trying to assign?

Since the latest update I just get stuck at

Installing Microsoft Graph modules if required (current user scope)

I really want to assign managed store apps and ONLY managed store apps en-masse across the selected device group, is this possible?

Or rather, only those that have been approved.

iOS or Android?

If it’s Apple VPP apps, try this one: https://github.com/andrew-s-taylor/public/blob/main/Powershell%20Scripts/Intune/bulk-assign-intune-vpp.ps1

Hey Andrew,

Thanks for your efforts on this script. I needed exactly this to get some Apple VPP and Android Managed Google Play apps deployed in bulk.

The only thing that I found was a problem was that the assign method would wipe any existing assignments for an app. I could see you put a failsafe on the VPP apps that it would simply not allow it. I’m not an elegant coder, but for Android and VPP I was able to add some code to pull down any existing assignments, then re-apply those assignments along with the new one so that everything existing remained there.

Happy to share this with you.

Glad you got it working ok, assignments are a pain, it would be nice if there was the option to add rather than having to amend.

Happy to share your copy 🙂

I could see that the assignment ID is just the groupid plus a numerical value for the assignment intent, so originally I tried to just set that but it wouldn’t work. At the moment I don’t see another way but to pull the existing assignments down.

I sent you a message with the script. I’m sure there’s better ways to dynamically create json code, etc. It’s really more of a ‘how-to’ that I put together late at night.

I know it’s a bulk add but can I assign one group and one application at a time if needed?

Thanks Greg

Not with this script, but you could add an out-gridview at certain points to select which application to assign

I tried to use the “bulk-assign-intune-vpp.ps1” to assign apps to “All Users” as available. During processing it gives the following error: Line | 945 | $errorResponse = $ex.Response.GetResponseStream() | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Method invocation failed because [System.Net.Http.HttpResponseMessage] does not contain a method named | ‘GetResponseStream’.

Did you amend the JSON for All Users? It won’t work with a group ID

No I did nothing extra – just ran the script. I guess I can find how to amend the JSON file in the comments?

Ok I have no clue 😀 Can you give me little guidance what I have to do?

Change line 931-934 from this: "target": { "@odata.type": "#microsoft.graph.groupAssignmentTarget", "groupId": "$TargetGroupId" },

To this: "target": { "@odata.type": "#microsoft.graph.allLicensedUsersAssignmentTarget" },

Thanks for the prompt answer – unfortunately it shows the same error:

Line | 944 | $errorResponse = $ex.Response.GetResponseStream() | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Method invocation failed because [System.Net.Http.HttpResponseMessage] does not contain a method named | ‘GetResponseStream’.

You might need to step through and see what’s happening, I’ve just tested it in my tenant and it seems to be working as expected

It fetches all the applications successfully and also notices when an assignment already exists, but always gets stuck at line 944. In the beginning it already shows an issue at Line 1735. Unfortunately my coding skills are too poor to troubleshoot :/

Getting Applications InvalidOperation: C:\temp\scripts\bulk-assign-intune-vpp.ps1:1735 Line | 1735 | … if (($intents.intent.contains(“required”)) -or ($assignedgrou … | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | You cannot call a method on a null-valued expression. InvalidOperation: C:\temp\scripts\bulk-assign-intune-vpp.ps1:944 Line | 944 | $errorResponse = $ex.Response.GetResponseStream() | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Method invocation failed because [System.Net.Http.HttpResponseMessage] does not contain a method named | ‘GetResponseStream’. Assigned All Users to Adobe Acrobat Reader: Edit PDF/cfd21bb9-1709-4d84-a7ef-2bf3e8dff0e6 InvalidOperation: C:\temp\scripts\bulk-assign-intune-vpp.ps1:944 Line | 944 | $errorResponse = $ex.Response.GetResponseStream() | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Method invocation failed because [System.Net.Http.HttpResponseMessage] does not contain a method named | ‘GetResponseStream’. Assigned All Users to Rail Map Lite/a0215496-0945-4645-aefa-262ccea2c161 Application already has an assignment InvalidOperation: C:\temp\scripts\bulk-assign-intune-vpp.ps1:944 Line | 944 | $errorResponse = $ex.Response.GetResponseStream() | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Method invocation failed because [System.Net.Http.HttpResponseMessage] does not contain a method named | ‘GetResponseStream’.

See if this works: https://github.com/andrew-s-taylor/public/blob/main/Powershell%20Scripts/Intune/bulk-assign-vpp-apps-only.ps1

This worked like a charm 🙂 Thank you so much.

Celebrated too early – it put all Apps on “required” instead of “available” which could become a pain now….

To mitigate the issue I removed and re-added the VPP Token from intune to get all assignments deleted again. I adjusted line 154 “intent”: “Required”, to “intent”: “Available”, but this throws errors.

Try the updated one now, I’ve switched it to Available

Unfortunately not :/

Assigning Adobe Acrobat Reader: Edit PDF Invoke-MgGraphRequest: C:\Scripts\bulk-assign-vpp-apps-only.ps1:171 Line | 171 | Invoke-MgGraphRequest -Uri $url -Method POST -Body $json -ContentType … | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | POST https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/2d497954-3541-4538-8d1b-f4877c41af54/assign | HTTP/1.1 400 Bad Request Transfer-Encoding: chunked Vary: Accept-Encoding Strict-Transport-Security: | max-age=31536000 request-id: 604b1879-7f87-4a63-ad45-8c224f7b9bca client-request-id: | 65b1ab6d-f495-4498-a745-c0974078cebc x-ms-ags-diagnostic: {“ServerInfo”:{“DataCenter”:”Germany West | Central”,”Slice”:”E”,”Ring”:”5″,”ScaleUnit”:”005″,”RoleInstance”:”FR3PEPF000002DC”}} Date: Thu, 05 Oct 2023 | 20:55:09 GMT Content-Type: application/json Content-Encoding: gzip | {“error”:{“code”:”BadRequest”,”message”:”{\r\n \”_version\”: 3,\r\n \”Message\”: \”IsRemovable setting is only | supported for Required intent. – Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 – | Activity ID: 65b1ab6d-f495-4498-a745-c0974078cebc – Url: | https://fef.msub03.manage.microsoft.com/AppLifecycle_2309/StatelessAppMetadataFEService/deviceAppManagement/mobileApps('2d497954-3541-4538-8d1b-f4877c41af54 ‘)/microsoft.management.services.api.assign?api-version=5023-08-07\”,\r\n \”CustomApiErrorPhrase\”: \”\”,\r\n \”RetryAfter\”: null,\r\n \”ErrorSourceService\”: \”\”,\r\n \”HttpHeaders\”: \”{}\”\r\n}”,”innerError”:{“date”:”2023-10-05T20:55:09″,”request-id”:”604b1879-7f87-4a63-ad45-8c224f7b9bca”,”client-request-id”:”65b1ab6d-f495-4498-a745-c0974078cebc”}}}

Is that definitely the latest version? The error is for a field which has been removed

Sorry – it caught the old file. It does work now – thank you 🙂 For me it’s ok now – if it would notice existing assignments it would have been perfect, but there are just a few.

Very useful tool! Keep it up! As an improvement, I believe it would be useful to have a list selection for policies, applications etc. and not only categories.

Best regards, Alexandros

Thank you. Will definitely keep this in mind for a future release!

Thank you for this. I ran this to add a test user group to all the apps and noticed: 1. all existing assignments were removed and replaced with the test group. 2. assignments were done for all the apps including the previously un-assigned ones. It would be nice to have an option to not replace existing assignments and not assign to apps that are already not-assigned. Cheers.

I’ll see if I can work these changes into a future version

Hi Andrew, Love the idea with the script. I’m looking for a way to bulk add a Group to the Uninstall intent of iOS VPP. The idea is that I could have one Entra Group that I use to remove any and all installed apps from an iOS device before changing that device’s assignment and re-installing only needed apps for its new purpose.

I tried modifying the script myself to add the Uninstall intent but it’s not working. I get multiple responses in the log.

Sometimes the reported response is “Assigned IOS_Clear to [AppID]” except when I check the app in Intune the IOS_Clear group was not added to the Uninstall.

Other times the response is “Application already has an assignment” which I presume is because it has a Group already in the Required or Available intent though I’m trying to add to the Uninstall intent.

The last response I get sometimes is the “Method invocation failed because [System.Net.Http.HttpResponseMessage] does not contain a method named ‘GetResponseStream'” error.

Hi, Here is one for just iOS VPP apps which might be worth trying: https://github.com/andrew-s-taylor/public/blob/main/Powershell%20Scripts/Intune/bulk-assign-vpp-apps-only.ps1

If they already have assignments, you will need to change the code a bit so it grabs the existing ones and then adds to it. I probably have some example code in another script if you need it
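
Several comments above report that posting to /assign replaces an app's existing assignments. The following PowerShell is an added example, not part of the original post or the author's scripts: it reads the current assignments, merges in the new group, and posts the combined list. The function names and sample GUIDs are hypothetical, it assumes an existing Connect-MgGraph session with rights to manage Intune apps, and it reads the error text from ErrorDetails (falling back to the exception message) instead of calling GetResponseStream().

```powershell
# Added example; function names and sample data are hypothetical / constructed.

function Merge-MobileAppAssignment {
    [CmdletBinding()]
    param (
        # Items returned by GET .../mobileApps/{id}/assignments (may be empty)
        [object[]]$Existing = @(),
        [Parameter(Mandatory)][string]$TargetGroupId,
        [Parameter(Mandatory)]
        [ValidateSet('available', 'notApplicable', 'required', 'uninstall', 'availableWithoutEnrollment')]
        [string]$InstallIntent,
        # Optional platform settings, e.g. an iosVppAppAssignmentSettings object.
        # The Graph error quoted in the thread shows isRemovable is rejected
        # unless the intent is required.
        [hashtable]$Settings
    )

    $merged = [System.Collections.Generic.List[object]]::new()
    $seen = @{}   # case-insensitive keys: "<target type>|<group id>|<intent>"

    foreach ($a in $Existing) {
        if ($null -eq $a) { continue }
        $key = '{0}|{1}|{2}' -f $a.target.'@odata.type', $a.target.groupId, $a.intent
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $true
        # Re-send only intent, target and settings; server-side fields such as id are dropped.
        $merged.Add(@{
                '@odata.type' = '#microsoft.graph.mobileAppAssignment'
                intent        = $a.intent
                target        = $a.target
                settings      = $a.settings
            })
    }

    $newTarget = @{
        '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
        groupId       = $TargetGroupId
    }
    $newKey = '{0}|{1}|{2}' -f $newTarget.'@odata.type', $TargetGroupId, $InstallIntent
    if (-not $seen.ContainsKey($newKey)) {
        $merged.Add(@{
                '@odata.type' = '#microsoft.graph.mobileAppAssignment'
                intent        = $InstallIntent
                target        = $newTarget
                settings      = $Settings
            })
    }

    return @{ mobileAppAssignments = $merged.ToArray() }
}

function Add-MobileAppAssignmentKeepingExisting {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)][string]$ApplicationId,
        [Parameter(Mandatory)][string]$TargetGroupId,
        [Parameter(Mandatory)][string]$InstallIntent,
        [hashtable]$Settings
    )

    $base = "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/$ApplicationId"
    try {
        # Read every page of the current assignments before replacing them.
        $existing = @()
        $uri = "$base/assignments"
        while ($uri) {
            $page = Invoke-MgGraphRequest -Method GET -Uri $uri
            $existing += @($page.value)
            $uri = $page.'@odata.nextLink'
        }

        $body = Merge-MobileAppAssignment -Existing $existing -TargetGroupId $TargetGroupId `
            -InstallIntent $InstallIntent -Settings $Settings
        Invoke-MgGraphRequest -Method POST -Uri "$base/assign" `
            -Body ($body | ConvertTo-Json -Depth 10) -ContentType 'application/json'
    }
    catch {
        # Works whether or not the error record carries the response body.
        $detail = if ($_.ErrorDetails -and $_.ErrorDetails.Message) { $_.ErrorDetails.Message }
                  else { $_.Exception.Message }
        Write-Error "Assignment for $ApplicationId failed: $detail"
    }
}

# Offline demonstration with constructed data: one existing "required" assignment.
$sampleExisting = @(
    @{
        id       = '11111111-1111-1111-1111-111111111111_1_0'
        intent   = 'required'
        target   = @{
            '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
            groupId       = '11111111-1111-1111-1111-111111111111'
        }
        settings = $null
    }
)
$demo = Merge-MobileAppAssignment -Existing $sampleExisting `
    -TargetGroupId '22222222-2222-2222-2222-222222222222' -InstallIntent available
$demo | ConvertTo-Json -Depth 10   # the body lists both groups
```

Running the merge a second time with the same group and intent leaves the body unchanged, so the call is safe to repeat across a bulk run.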

Get-MgGroupAppRoleAssignment

Represents the app roles a group has been granted for an application. Supports $expand.

To view the beta release of this cmdlet, view Get-MgBetaGroupAppRoleAssignment

Description

Example 1: get approleassignments granted to a group.

This example gets all app role assignments granted to the specified group.

List all pages.

-AppRoleAssignmentId

The unique identifier of appRoleAssignment

-ConsistencyLevel

Indicates the requested consistency level. Documentation URL: https://docs.microsoft.com/graph/aad-advanced-queries

-CountVariable

Specifies a count of the total number of items in a collection. By default, this variable will be set in the global scope.

-ExpandProperty

Expand related entities

Filter items by property values

The unique identifier of group

Optional headers that will be added to the request.

-InputObject

Identity Parameter To construct, see NOTES section for INPUTOBJECT properties and create a hash table.

Sets the page size of results.

-ProgressAction

{{ Fill ProgressAction Description }}

Select properties to be returned

-ResponseHeadersVariable

Optional Response Headers Variable.

Search items by search phrases

Skip the first n items

Order items by property values

Show only the first n items

Microsoft.Graph.PowerShell.Models.IApplicationsIdentity

System.Collections.IDictionary

Microsoft.Graph.PowerShell.Models.IMicrosoftGraphAppRoleAssignment

COMPLEX PARAMETER PROPERTIES

To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.

INPUTOBJECT <IApplicationsIdentity> : Identity Parameter

  • [AppId <String>] : Alternate key of application
  • [AppManagementPolicyId <String>] : The unique identifier of appManagementPolicy
  • [AppRoleAssignmentId <String>] : The unique identifier of appRoleAssignment
  • [ApplicationId <String>] : The unique identifier of application
  • [ApplicationTemplateId <String>] : The unique identifier of applicationTemplate
  • [ClaimsMappingPolicyId <String>] : The unique identifier of claimsMappingPolicy
  • [DelegatedPermissionClassificationId <String>] : The unique identifier of delegatedPermissionClassification
  • [DirectoryDefinitionId <String>] : The unique identifier of directoryDefinition
  • [DirectoryObjectId <String>] : The unique identifier of directoryObject
  • [EndpointId <String>] : The unique identifier of endpoint
  • [ExtensionPropertyId <String>] : The unique identifier of extensionProperty
  • [FederatedIdentityCredentialId <String>] : The unique identifier of federatedIdentityCredential
  • [GroupId <String>] : The unique identifier of group
  • [HomeRealmDiscoveryPolicyId <String>] : The unique identifier of homeRealmDiscoveryPolicy
  • [OAuth2PermissionGrantId <String>] : The unique identifier of oAuth2PermissionGrant
  • [ServicePrincipalId <String>] : The unique identifier of servicePrincipal
  • [SynchronizationJobId <String>] : The unique identifier of synchronizationJob
  • [SynchronizationTemplateId <String>] : The unique identifier of synchronizationTemplate
  • [TargetDeviceGroupId <String>] : The unique identifier of targetDeviceGroup
  • [TokenIssuancePolicyId <String>] : The unique identifier of tokenIssuancePolicy
  • [TokenLifetimePolicyId <String>] : The unique identifier of tokenLifetimePolicy
  • [UniqueName <String>] : Alternate key of application
  • [UserId <String>] : The unique identifier of user

Related Links

  • https://learn.microsoft.com/powershell/module/microsoft.graph.applications/get-mggroupapproleassignment
  • https://learn.microsoft.com/graph/api/group-list-approleassignments?view=graph-rest-1.0

Techuisitive

  • SCCM Client Installation Failed With Error Code 0x87d00215

SCCM client installation fails with error 0x87d00215 – Failed to get DP locations as the expected version from MP. This error is mostly related to missing or misconfigured site boundaries.

The SCCM client installation fails with the error below, shown in the ccmsetup.log file.

Failed to get DP locations as the expected version from MP ‘http://server1.techuisitive.com’. Error 0x87d00215

The below command line was used for the client installation.

ccmsetup.exe /SMSSITECODE = P01

The above error indicates that a new version of the client installation source was required. However, a distribution point could not be located.

Perform the following checks.

  • Check if client subnet / AD Site is added in SCCM boundary.
  • Check if IP Subnet / AD Site is associated with any boundary group.
  • Check if respective boundary group is associated with a Distribution Point.

ashiqf


Error in PowerApps for Admins (Preview) with Get App Role Assignments as Admin


v-bacao-msft


Brad_Groux


abm


COMMENTS

  1. SOLVED

    Yes, I may have found the issue. We have applications that require .NET 3.5 and that was failing to turn on during the imaging task sequence. After fixing that issue things seem to be working now.

  2. GetAppGroupAssignment failed with (0x87d00215). #183

    Kraktorist commented Nov 5, 2021. 0x87d00215 = Item not found. I believe it's not related to sccmclictr. Usually it appears when a package is assigned for deployment but cannot be found for downloading. Try to check updatesdeployment.log.

  3. Azure Active Directory

    AADSTS50105: The signed in user is not assigned to a role for the application 'app guid'. After I invite them individually (or add them directly as a User "Object Type") then they can login and everything works. So, it seems like the Group Assignment is not working for me. When I look at the Users and Groups section of the app, I can see that ...

  4. Software Center Issues: GetAppGroupAssignment failed with ...

    I've looked at log files and CcmExec shows "GetAppGroupAssignment failed with (0x87d00215).". The message is generated every time the user attempts to install any application in Software Center. The execmgr.log file has entries stating, "Software Distribution site settings policy does not yet exist on the client.".

  5. Clients not getting Applications in software center : r/SCCM

    Clients not getting Applications in software center. I have been chasing this down for a while, and I'm not finding much help. Some of the clients, mostly new images, will only display a few applications in their software center. Looking at the ccmexec.log I see this error: GetAppGroupAssignment failed with (0x87d00215).

  6. Download failed with error code 0x87d00215(Access denied)

    thanks a lot. We are deploying the package to the same distribution point on the same boundary, but some devices are succeeding and some are failing, so we are guessing that the problem is on the client side.

  7. Error 0x87d00215: What Is It & How to Fix It

    Install the updates manually. Left-click the Start button, type Configuration Manager console in the search bar, then press Enter to open the SCCM console. Navigate to the Software Library tab. Select Software Update, then select All software updates. Right-click on the list of updates, then select Download.

  8. Intune application targeting for Windows 10 Win32 apps explained

    The Intune Management Extension (IME) is the small helper agent on Windows 10 responsible to install our apps (See my deep dive on IME here: Part 1, Part 2, Part3 ). The regular polling interval of the IME is every 60 minutes. Within the next 60 minutes the user will see the notification of the required change (Tip: for debugging or testing you ...

  9. Getting app role assignments using PowerShell

    Go to app registrations, find the application and go to "API permissions". Click "Add a permission": Select the Microsoft Graph: Choose Application permissions, as we are doing things without a user context: Add "User.Read.All" and "Group.Read.All" and click save. You will see that the added permissions now have "Not granted ...

  10. Manage App Groups with the Azure Portal

    Select Add Azure AD users and user groups (you can skip this step if you want to add assignments later) Search for and select the users or user groups you wish to grant access to the application group. You can add multiple users or user groups, or any combination of each. Then select Select. Select Next: Applications.

  11. SCCM 1906 Application Group Deployment Error 0x87d0032e : r/SCCM

    I implemented the 1906 SCCM build update to my environment and wanted to test out the new Application Groups and Deployment option. So I updated my test machines with the new client for SCCM (Version 5.00.8853.1006) and then created an Application Group for a system that has 3 prerequisites and then 9 patches that are all either msi installers ...

  12. App Assignment failing maybe because of group type?

    App Assignment failing maybe because of group type? I am trying to assign an IOS or Windows app to a group of users. I am using a M365 group for this purpose. However, no one is being targeted for the app to be installed. The only difference I can see in my targeting is I am either targeting devices directly or I am using a security group ...

  13. Get-AzureADGroupAppRoleAssignment (AzureAD)

    Get-AzureADGroupAppRoleAssignment -ObjectId <String> [-All <Boolean>] [-Top <Int32>] [<CommonParameters>]
    Description: The Get-AzureADGroupAppRoleAssignment cmdlet gets a group application role assignment in Azure Active Directory (AD).
    Examples: Example 1: Retrieve application role assignments of a group

  14. Groups and Application Assignments

    I use a fairly long PS script to check the groups for me though, with the output of all assigned Apps, Config profiles, Scripts and administrative templates. Jun 22 2021 02:15 AM. @Thermidor2 I have attached the script if want to use it. If I look at an Application "Apps > [AppName] > Properties", I can see under "Assignments" the Group that it ...

  15. Bulk Assigning Apps and Policies in Intune

    I ran this to add a test user group to all the apps and noticed: 1. all existing assignments were removed and replaced with the test group. 2. assignments were done for all the apps including the previously un-assigned ones. It would be nice to have an option to not replace existing assignments and not assign to apps that are already not-assigned.

  16. Task Sequence fails with application fails GetAppGroupAssignment failed

    The smsts.log shows application failed with Process completed with exit code 2147500037. I also see these errors in the smsts log. Waiting for job status notification... InstallApplication 15/05/2021 9:19:54 PM 6368 (0x18E0) Retrying: 2 attempt Ccmsetup is still running. Will retry in 1 minute.

  17. Get all assigned Intune policies and apps per Azure AD group

    IMPORTANT NOTICE. A new updated article on this topic has been published here: new article covers using the new Microsoft.Graph PowerShell SDK instead of the old Intune PowerShell SDK that has not b…

  18. Get-MgGroupAppRoleAssignment (Microsoft.Graph.Applications)

    Example 1: Get appRoleAssignments granted to a group
    Get-MgGroupAppRoleAssignment -GroupId '2692d278-8323-4094-b286-e0ffce5e54a5' | Format-List
    AppRoleId : 00000000-0000-0000-0000-000000000000
    CreatedDateTime : 7/29/2021 10:08:49 AM
    DeletedDateTime :
    Id : eNKSJiODlECyhuD_zl5UpexaKrcAYuZEhjCKxfNmzDM
    PrincipalDisplayName : Marketing
    PrincipalId ...

  19. SCCM Client Installation Failed With Error Code 0x87d00215

    SCCM allows application deployment in way that it goes through approval process. Users requests the application in Software Center, and then an administrator review and…

  20. Solved: Report on App Role Assignments

    12-03-2021 06:03 PM. I am struggling with how I can create a report to get what apps are sharing with who. I was thinking I could use Get App Role Assignments as Admin and running that without any other actions it shows who it is shared with, but I can't seem to figure out how I can output it. It keeps wanting additional Apply to each actions ...

  21. Error in PowerApps for Admins (Preview) with Get App Role Assignments

    PowerApp Name. The environment Name in my organization for Powerapps has & on its name. For eg: T & T Company AB (default) (Upgrade) (orgb10bb779) Its because of the ampersand (&) in the environment name, the flow is failing with message BadRequest. If I remove & from the string, then I get app not found. So the issue is with the & on the string.