Update-MgDevice -AccountEnabled for Non-Windows OS

[GeoffOrlebeck]

In the Azure portal I can disable non-Windows (e.g., iOS) devices. Using Update-MgDevice an error is generated:

Properties other than ExtendedAttribute1..15 can be modified only on windows devices

I am connecting via App Registration, with Device.ReadWrite.All and the app registration's service principal is added to the Cloud Device Administrator role. The two methods I attempted to update the AccountEnabled status, both result in the same error:

# Attempt 1
$DeviceID = '<Guid>'
Update-MgDevice -DeviceID $DeviceID -AccountEnabled:$false

# Attempt 2
$DeviceID = '<Guid>'
$Json = [PSCustomObject]@{accountEnabled = $false } | ConvertTo-Json
Update-MgDevice -DeviceID $DeviceID -BodyParameter $Json

Full error output:

Update-MgDevice : Properties other than ExtendedAttribute1..15 can be modified only on windows devices.
At line:1 char:1

+ Update-MgDevice -DeviceId '<GUID>' -Acc ...

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: ({ DeviceId = 3f...ftGraphDevice }:<>f__AnonymousType7`2) [Update-MgDe
   vice_UpdateExpanded], RestException`1
    + FullyQualifiedErrorId : Request_BadRequest,Microsoft.Graph.PowerShell.Cmdlets.UpdateMgDevice_UpdateExpanded

When copying the API call from Developer Tools in Edge browser, I can see it is setting AccountEnabled to $false in the Invoke-WebRequest call, so I'm wondering if this is an issue with the Update-MgDevice cmdlet, specifically.

[peombwa]

Thanks for bringing this to our attention.

This does appear to be a known issue with API. Here an excerpt from the API known issue page:

When an app with application permissions attempts to update any properties of the device object where the operationSystem property isn't Windows, apart from the extensionAttributes property, the Update device API returns a 400 Bad request error code with the error message "Properties other than ExtendedAttribute1..15 can be modified only on windows devices.". Use delegated permissions to update the properties of non-Windows devices.

Your only option at the moment is to use delegated permissions (authenticate as a user) to update the property on a non-Windows device. I'd also recommend you open a service feature request at https://developer.microsoft.com/en-us/graph/support if this is a scenario you'd like to see supported.

[peombwa]

Closing as known API issue.

[Mailstorm-ctrl]

Not sure why this was closed. This isn't on the known API issues page. It's also just some arbitrary limitation that exist for no reason at all.

Feedback exist for this at:
https://feedbackportal.microsoft.com/feedback/idea/03f7b967-72f5-ed11-a81c-000d3ae5b6f4

[peombwa]

The known issue has been changed since my comment at #2066 (comment) - Wayback link.

The API limitation is now documented in the API reference doc :

In application-only scenarios and for non-Windows devices, that is, where the operatingSystem property is not Windows, the app can update only the extensionAttributes property.