
Azure Automation w/ Managed Identity - Update-MgDevice for non-Windows devices errors #2327

Closed
jaredn13 opened this issue Sep 28, 2023 · 3 comments

Comments

@jaredn13

I searched the graph known issues page with no results. There is one issue report here that is closed saying that this is a known issue and links back to the known issues page, but there is nothing there describing this issue.

PS Runtime 5.1
Graph Modules 2.6.1
Automation system managed identity with Device.ReadWrite.All and Directory.ReadWrite.All permissions

Windows devices can be disabled. Non-Windows devices give the following error.

Update-MgDevice : Properties other than ExtendedAttribute1..15 can be modified only on windows devices. Status: 400 (BadRequest)
@peombwa
Member

peombwa commented Sep 28, 2023

Thanks for following up on this.

This is a duplicate of #2066. The API does not support disabling non-Windows OS devices. This is now documented at https://learn.microsoft.com/en-us/graph/api/device-update?view=graph-rest-1.0&tabs=http :

In application-only scenarios and for non-Windows devices, that is, where the operatingSystem property is not Windows, the app can update only the extensionAttributes property.

Closing as duplicate of #2066.

@peombwa peombwa closed this as completed Sep 28, 2023
@jaredn13
Author

Where else can I present my case? I posted on the feedback portal; is there a dev portal besides GitHub?
This effectively breaks Azure Automation of stale devices based on Microsoft best practices.

Microsoft recommends disabling a device for a grace period before deletion, which is what my script/automation is doing: https://learn.microsoft.com/en-us/azure/active-directory/devices/manage-stale-devices

Disable devices
It isn't advisable to immediately delete a device that appears to be stale because you can't undo a deletion if there's a false positive. As a best practice, disable a device for a grace period before deleting it. In your policy, define a timeframe to disable a device before deleting it.

Now the documentation for "Update-MgDevice", which is required to disable a device, states we cannot update non-Windows devices using an application (Managed Identity): https://learn.microsoft.com/en-us/graph/api/device-update?view=graph-rest-1.0&tabs=http

In application-only scenarios and for non-Windows devices, that is, where the operatingSystem property is not Windows, the app can update only the extensionAttributes property.

However in Azure Automation we are required to use a Managed Identity since Run-As accounts are going away: https://learn.microsoft.com/en-us/azure/automation/manage-run-as-account

Azure Automation Run As Account will retire on September 30, 2023 and will be replaced with Managed Identities. Before that date, you'll need to start migrating your runbooks to use managed identities. For more information, see migrating from an existing Run As accounts to managed identity to start migrating the runbooks from Run As account to managed identities before 30 September 2023.
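The following runbook is an added example (not code from this issue's author, the Graph SDK, or Microsoft's documentation) showing how a stale-device grace-period automation can run under a managed identity without tripping the 400 described above: it only flips accountEnabled on devices whose operatingSystem is Windows and, for everything else, stamps the one property an app-only token may write (extensionAttributes) so a human or a delegated-permission job can finish the job. Assumed: the Automation account's system-assigned identity holds Device.ReadWrite.All, the Microsoft.Graph.Authentication and Microsoft.Graph.Identity.DirectoryManagement 2.x modules are imported, and extensionAttribute1 is otherwise unused in the tenant; the $DisableAfterDays and $ReportOnly parameters are invented for this example.

```powershell
# Added example, not from the issue thread or the Graph SDK project.
# Disables stale Windows devices for a grace period under a managed identity and
# tags stale non-Windows devices instead, because app-only tokens may change
# only extensionAttributes on those (Graph returns 400 otherwise).
param(
    [int]$DisableAfterDays = 90,   # assumed policy value: inactivity threshold
    [switch]$ReportOnly            # assumed: log what would happen, change nothing
)

Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.DirectoryManagement

# Sign in as the Automation account's system-assigned managed identity
# (Run As accounts are retired, so there is no certificate to manage here).
Connect-MgGraph -Identity -NoWelcome

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$DisableAfterDays)
$today  = (Get-Date).ToUniversalTime().ToString('yyyy-MM-dd')

# Pull only the properties needed for the decision.
$devices = Get-MgDevice -All -Property Id,DisplayName,OperatingSystem,AccountEnabled,ApproximateLastSignInDateTime

# Stale = still enabled, has a recorded sign-in, and that sign-in is older than the cutoff.
# Devices with no ApproximateLastSignInDateTime are skipped on purpose: a missing
# timestamp is not evidence of inactivity, and a false positive here is costly.
$stale = $devices | Where-Object {
    $_.AccountEnabled -and
    $_.ApproximateLastSignInDateTime -and
    $_.ApproximateLastSignInDateTime -lt $cutoff
}

foreach ($device in $stale) {
    # The documented restriction keys on operatingSystem being exactly "Windows".
    if ($device.OperatingSystem -eq 'Windows') {
        if (-not $ReportOnly) {
            # Supported in application-only context: start the grace period.
            Update-MgDevice -DeviceId $device.Id -AccountEnabled:$false
        }
        Write-Output "Disabled Windows device '$($device.DisplayName)' ($($device.Id)); last sign-in $($device.ApproximateLastSignInDateTime)"
    }
    else {
        if (-not $ReportOnly) {
            # Only extensionAttributes is writable for non-Windows devices with an
            # app-only token, so record the stale date there for a follow-up job
            # or an operator with delegated permissions to act on.
            $body = @{ extensionAttributes = @{ extensionAttribute1 = "StaleSince=$today" } }
            Update-MgDevice -DeviceId $device.Id -BodyParameter $body
        }
        Write-Output "Tagged non-Windows device '$($device.DisplayName)' ($($device.OperatingSystem)) as stale; disable requires a delegated session"
    }
}

Write-Output "Processed $($stale.Count) stale device(s); cutoff $($cutoff.ToString('u'))"
```

Running with -ReportOnly first is the sensible check before scheduling the runbook: it lists which devices would be disabled versus merely tagged, so the non-Windows backlog that the API restriction creates is visible rather than silently failing mid-loop. The tag can also be queried later (for example by filtering on extensionAttribute1) to drive the deletion step once the grace period has elapsed.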

@peombwa
Member

peombwa commented Sep 28, 2023

The API feature request page (feedback portal) is where all API feature requests like this one should go - https://developer.microsoft.com/graph/support. Please upvote existing requests to surface them to the API teams.
