
Rename MgGraph device? I have a tenant with a bunch of devices named "iPhone", want to make them distinct / unique #2450

Open
luckman212 opened this issue Nov 20, 2023 · 3 comments
Labels
type:bug A broken experience

Comments

@luckman212

I have many M365 tenants with multiple MgGraph devices named with non-identifying generic names like "iPhone" etc.

I want to make them distinct / unique. There doesn't seem to be any way, either as the admin or as the end user in the https://mysignins.microsoft.com/security-info page, to make these devices more descriptive.

This is not just an inconvenience—it's a legitimate security concern. For example, in the case of a phishing attack or breach, where an attacker is able to register an additional MFA device, how can we tell which is the "real" device and which is the malicious device that should be removed?

I created this small test function Rename-Device to rename a Device using the Graph API Update device method:

function Rename-Device {
  param (
    # Directory object id of the device (addressed as /devices/{id})
    [Parameter(Mandatory = $false)]
    [string]$Id,
    # deviceId (the client-generated GUID), used when the object id is not known
    [Parameter(Mandatory = $false)]
    [string]$deviceId,
    [Parameter(Mandatory = $true)]
    [string]$Name
  )
  if ((-not $deviceId) -and (-not $Id)) {
    Write-Error '-deviceId or -Id is required' -ErrorAction Stop
  }
  if ($Id) {
    # Address the device by object id and send only the new displayName
    $uri = "https://graph.microsoft.com/beta/devices/$Id"
    $body = @{ displayName = $Name } | ConvertTo-Json
  } else {
    # Without an object id, PATCH the collection and pass deviceId in the body
    $uri = "https://graph.microsoft.com/beta/devices"
    $body = @{
      displayName = $Name
      deviceId = $deviceId
    } | ConvertTo-Json
  }
  $response = Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body -ContentType "application/json"
  return $response
}

However, it returns an error Properties other than ExtendedAttribute1..15 can be modified only on windows devices:

PS /Users/luke> Rename-Device -Id be826cc0-d65e-45bd-aed9-4f8de127e3ee -Name 'Test Device 1'
Invoke-MgGraphRequest: /Users/luke/.config/powershell/Microsoft.PowerShell_profile.ps1:160
Line |
 160 |  … $response = Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body …
     |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | PATCH https://graph.microsoft.com/beta/devices/be826cc0-d65e-45bd-aed9-4f8de127e3ee HTTP/1.1 400 Bad Request
     | Cache-Control: no-cache Transfer-Encoding: chunked Vary: Accept-Encoding Strict-Transport-Security:
     | max-age=31536000 request-id: 7bd23c2a-7468-480f-9e7f-3cda681525a6 client-request-id:
     | 4b2f2d01-9a9e-436a-9a12-67a4353848a7 x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"East
     | US","Slice":"E","Ring":"5","ScaleUnit":"006","RoleInstance":"BL6PEPF0001D27A"}} x-ms-resource-unit: 1 Date:
     | Mon, 20 Nov 2023 13:05:40 GMT Content-Type: application/json Content-Encoding: gzip
     | {"error":{"code":"Request_BadRequest","message":"Properties other than ExtendedAttribute1..15 can be modified
     | only on windows
     | devices.","innerError":{"date":"2023-11-20T13:05:41","request-id":"7bd23c2a-7468-480f-9e7f-3cda681525a6","client-request-id":"4b2f2d01-9a9e-436a-9a12-67a4353848a7"}}}

Is there any method for assigning a proper name to a non-windows MgDevice please?

@SeniorConsulting

Hi luckman212

Are these managed devices, or unmanaged?

Have you been able to rename them using the display name property? Something like:
Update-MgDevice -DeviceId $DeviceId -DisplayName "New Test Name"

If they're managed, you might need to use something like Update-MgDeviceManagementManagedDevice

@SeniorConsulting

SeniorConsulting commented Dec 1, 2023

If I were hazarding a guess as to why your script was failing to run, it's because you're saying that if you're not supplying an ID, then try to set deviceID in the JSON. You won't be allowed to do that, as the deviceID is an immutable identifier.

I think you'd need to re-write this bit to the following, based on this section of the doco https://learn.microsoft.com/en-us/graph/api/device-update?view=graph-rest-1.0&tabs=powershell#http-request:

  } else {
    # The docs write the alternate key as devices(deviceId='{deviceId}'); the braces
    # are a placeholder, so interpolate the value without them
    $uri = "https://graph.microsoft.com/beta/devices(deviceId='$deviceId')"
    $body = @{
      displayName = $Name
    } | ConvertTo-Json
  }

To be honest though, I reckon it'd be easier to use the cmdlets

@luckman212
Author

@SeniorConsulting Thanks for trying to help. The devices are typically Unmanaged. Using the cmdlet results in the same Properties other than ExtendedAttribute1..15 can be modified only on windows devices error:

PS > Update-MgDevice -DeviceId 35aa73cc-3e08-58bf-989a-992edd14bdd2 -DisplayName "Test"
Update-MgDevice_UpdateExpanded: Properties other than ExtendedAttribute1..15 can be modified only on windows devices.

Status: 400 (BadRequest)
ErrorCode: Request_BadRequest
Date: 2023-12-01T14:01:51

Headers:
Cache-Control                 : no-cache
Transfer-Encoding             : chunked
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : d92f64b0-e3e6-42e7-8949-3e682b4a7aad
client-request-id             : 6c807c4c-bc13-490b-8a18-81fe081f8939
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"East US","Slice":"E","Ring":"5","ScaleUnit":"006","RoleInstance":"BL6PEPF0001B8AA"}}
x-ms-resource-unit            : 1
Date                          : Fri, 01 Dec 2023 14:01:50 GM

I also modified my function using your suggestion, and that fails in a similar way:

PS > Rename-Device -deviceId 35aa73cc-3e08-58bf-989a-992edd14bdd2 -Name "Test2"
Invoke-MgGraphRequest: /Users/luke/.config/powershell/Microsoft.PowerShell_profile.ps1:162
Line |
 162 |  … $response = Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body …
     |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | PATCH https://graph.microsoft.com/beta/devices(deviceId='%7B35aa73cc-3e08-58bf-989a-992edd14bdd2%7D') HTTP/1.1 400 Bad Request Cache-Control:
     | no-cache Transfer-Encoding: chunked Vary: Accept-Encoding Strict-Transport-Security: max-age=31536000 request-id:
     | 2029123b-99f1-4602-95e8-ddab2280c0e6 client-request-id: d349e2ca-a29e-43c9-8d82-a2faa9436ee6 x-ms-ags-diagnostic:
     | {"ServerInfo":{"DataCenter":"East US","Slice":"E","Ring":"5","ScaleUnit":"000","RoleInstance":"BL4PEPF00000293"}} x-ms-resource-unit: 1 Date:
     | Fri, 01 Dec 2023 14:00:12 GMT Content-Type: application/json Content-Encoding: gzip
     | {"error":{"code":"Request_BadRequest","message":"Properties other than ExtendedAttribute1..15 can be modified only on windows
     | devices.","innerError":{"date":"2023-12-01T14:00:13","request-id":"2029123b-99f1-4602-95e8-ddab2280c0e6","client-request-id":"d349e2ca-a29e-43c9-8d82-a2faa9436ee6"}}}

Not sure if those %7B and %7D are supposed to be showing up in the PATCH URI?

So I guess we just can't rename these devices? Seems like a pretty annoying (and insecure) oversight.
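The thread ends without a way to rename non-Windows device objects, but the error message itself points at the one writable field: ExtendedAttribute1..15. The following is an added example (not code from the issue's author or from the Microsoft Graph project) showing how an admin can still tell look-alike "iPhone" registrations apart: list each device with its OS, trust type, registration time, last sign-in and registered owners, then stamp a verified label into extensionAttribute1 once the owner has confirmed which registration is theirs. It assumes an existing Connect-MgGraph session with the Microsoft.Graph.Authentication module loaded and a scope that allows device updates (Directory.ReadWrite.All is assumed here), and it assumes, as the error text implies, that extensionAttribute1 is writable on non-Windows devices.

```powershell
# Added example, not code from the issue. Assumes Connect-MgGraph has already
# been run with a scope that permits device updates (Directory.ReadWrite.All
# assumed) and that extensionAttribute1..15 are writable on non-Windows
# devices, as the "Properties other than ExtendedAttribute1..15 ..." error
# in this thread implies.

function Get-DeviceInventory {
    # Returns every device object whose displayName matches the filter, with the
    # metadata that distinguishes identically named registrations from each other.
    param([string]$DisplayNameFilter = 'iPhone')

    $uri = "https://graph.microsoft.com/v1.0/devices?`$filter=displayName eq '$DisplayNameFilter'" +
           "&`$select=id,deviceId,displayName,operatingSystem,operatingSystemVersion," +
           "trustType,registrationDateTime,approximateLastSignInDateTime,extensionAttributes"

    # Follow @odata.nextLink so large tenants are enumerated completely.
    $devices = @()
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    while ($true) {
        $devices += $page.value
        if (-not $page.'@odata.nextLink') { break }
        $page = Invoke-MgGraphRequest -Method GET -Uri $page.'@odata.nextLink'
    }

    foreach ($d in $devices) {
        # Registered owners show whose account the device belongs to.
        $owners = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/devices/$($d.id)/registeredOwners"
        [pscustomobject]@{
            Id          = $d.id
            DeviceId    = $d.deviceId
            DisplayName = $d.displayName
            OS          = "$($d.operatingSystem) $($d.operatingSystemVersion)"
            TrustType   = $d.trustType
            Registered  = $d.registrationDateTime
            LastSignIn  = $d.approximateLastSignInDateTime
            Owners      = ($owners.value.userPrincipalName -join ',')
            Label       = $d.extensionAttributes.extensionAttribute1
        }
    }
}

function Set-DeviceLabel {
    # Writes an admin-verified label into extensionAttribute1, the only kind of
    # property the API lets you change on a non-Windows device. Apply it after the
    # owner confirms a registration is theirs; anything still unlabeled afterwards
    # is the registration to investigate.
    param(
        [Parameter(Mandatory = $true)][string]$Id,     # device object id, not deviceId
        [Parameter(Mandatory = $true)][string]$Label
    )
    $body = @{ extensionAttributes = @{ extensionAttribute1 = $Label } } | ConvertTo-Json
    # PATCH returns 204 No Content on success, so there is no body to return.
    Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/devices/$Id" -Body $body -ContentType 'application/json'
}

# Usage:
#   Get-DeviceInventory -DisplayNameFilter 'iPhone' | Format-Table -AutoSize
#   Set-DeviceLabel -Id '<device object id>' -Label 'Verified with owner 2023-12-01'
```

The registration timestamp and last-sign-in columns are usually enough to separate a long-standing device from one that appeared on the day of a suspected phish, and the label column makes the "verified" state visible to every admin who runs the inventory later rather than living in one person's memory.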
