IntuneDeviceEnrollmentPlatformRestriction : Error during Import using service Principal

[CovidtheDog2024]

Description of the issue

WorkLoad : Intune
Resource : IntuneDeviceEnrollmentPlatformRestriction
Scenario : Import using Service Principal. With Change in the configuration

• Candidate configuration : AndroidForWorkRestriction personalDeviceEnrollmentBlocked = $True,_
• current configuration on target tenant : AndroidForWorkRestriction personalDeviceEnrollmentBlocked = $False

Error : "Message": "Tenant is not Global Admin or Intune Service Admin. Operation is restricted
Permission: The service account is already part of Global admin and Intune Administrator

Note: No issue using Credential without MFA.

Microsoft Graph has the permission.

Microsoft 365 DSC Version

1.24.1204.1

Which workloads are affected

Intune

The DSC configuration

IntuneDeviceEnrollmentPlatformRestriction "IntuneDeviceEnrollmentPlatformRestriction-All users and all devices"
        {
            AndroidForWorkRestriction         = MSFT_DeviceEnrollmentPlatformRestriction{
                platformBlocked = $False
                personalDeviceEnrollmentBlocked = $True
            };
            AndroidRestriction                = MSFT_DeviceEnrollmentPlatformRestriction{
                platformBlocked = $False
                personalDeviceEnrollmentBlocked = $False
            };
            Assignments                       = @(
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    groupDisplayName = 'All devices'
                    dataType = '#microsoft.graph.allDevicesAssignmentTarget'
                }
            );
            ApplicationId                       = $ConfigurationData.NonNodeData.ApplicationId;
            CertificateThumbprint               = $ConfigurationData.NonNodeData.CertificateThumbprint;
            TenantId                            = $ConfigurationData.NonNodeData.OrganizationName;
            Description                       = "This is the default Device Type Restriction applied with the lowest priority to all users regardless of group membership.";
            DeviceEnrollmentConfigurationType = "platformRestrictions";
            DisplayName                       = "All users and all devices";
            Ensure                            = "Present";
            Identity                          = "00000000-0000-0000-0000-000000000000_DefaultPlatformRestrictions";
            IosRestriction                    = MSFT_DeviceEnrollmentPlatformRestriction{
                platformBlocked = $False
                personalDeviceEnrollmentBlocked = $False
            };
            MacOSRestriction                  = MSFT_DeviceEnrollmentPlatformRestriction{
                platformBlocked = $False
                personalDeviceEnrollmentBlocked = $False
            };
            MacRestriction                    = MSFT_DeviceEnrollmentPlatformRestriction{
                platformBlocked = $False
                personalDeviceEnrollmentBlocked = $False
            };
            Priority                          = 0;
            WindowsHomeSkuRestriction         = MSFT_DeviceEnrollmentPlatformRestriction{
                platformBlocked = $False
                personalDeviceEnrollmentBlocked = $False
            };
            WindowsRestriction                = MSFT_DeviceEnrollmentPlatformRestriction{
                platformBlocked = $False
                personalDeviceEnrollmentBlocked = $False
            };
        }
    }
}

Verbose logs showing the problem

[BadRequest] : {
  "_version": 3,
  "Message": "An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 00000000-0000-0000-0000-000000000000  - Url: https://fef.msuc02.manage.microso
ft.com/StatelessOnboardingService/deviceManagement/deviceEnrollmentConfigurations('00000000-0000-0000-0000-000000000000 _Windows10EnrollmentCompletionPageConfiguration')?api-version=5023-03-29",
  "CustomApiErrorPhrase": "",
  "RetryAfter": null,
  "ErrorSourceService": "",
  "HttpHeaders": "{}"
}
    + CategoryInfo          : InvalidOperation: ({ DeviceEnrollm...Configuration }:) [], CimException
    + FullyQualifiedErrorId : BadRequest,Microsoft.Graph.Beta.PowerShell.Cmdlets.UpdateMgBetaDeviceManagementDeviceEnrollmentConfiguration_Update
    + PSComputerName        : localhost

Environment Information + PowerShell Version

'OsName',
'OsOperatingSystemSKU',
'OSArchitecture',
'WindowsVersion',
'WindowsBuildLabEx',
'OsLanguage',
'OsMuiLanguages')

$PSVersionTable


OsName               : Microsoft Windows 11 Pro
OsOperatingSystemSKU : 48
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 22621.1.amd64fre.ni_release.220506-1250
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Key   : PSVersion
Value : 5.1.22621.4111
Name  : PSVersion

Key   : PSEdition
Value : Desktop
Name  : PSEdition

Key   : PSCompatibleVersions
Value : {1.0, 2.0, 3.0, 4.0...}
Name  : PSCompatibleVersions

Key   : BuildVersion
Value : 10.0.22621.4111
Name  : BuildVersion

Key   : CLRVersion
Value : 4.0.30319.42000
Name  : CLRVersion

Key   : WSManStackVersion
Value : 3.0
Name  : WSManStackVersion

Key   : PSRemotingProtocolVersion
Value : 2.3
Name  : PSRemotingProtocolVersion

Key   : SerializationVersion
Value : 1.1.0.1
Name  : SerializationVersion

[ricmestre]

See #5127