@atfernando can you post a link to the doc you are referring to?

Hi @TravisCragg-MSFT,

Here it is;

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership

@atfernando Have you tried using the Azure AD Preview Module 2.0.1.18 which contains SystemLabels property.

@SaurabhSharma-MSFT ,

Yes, error above is from the preview module. It keeps giving error "Invalid value specified for property 'systemLabels' of resource 'Device'." regardless of input data.

@atfernando Thanks for the feedback ! I have assigned this issue to content author to investigate and update the document as appropriate.
@curtand can you please help on this issue.

Sorry @atfernando I was working my job and that of another guy who was out for a while, and so I had to slow down on GitHub issues. I'm free as of 2/1 and will get you an answer.

@curtand ,

Thanks for the update. Looking forward to hearing for an answer.

@curtand @atfernando I'm also looking for an answer to this question. Exact same error.

Hello,
Confirming error in my 2x tenants for System Labels & agree that this document should be updated.

Still an huge issue.
Trying to automate adding systemLabels to devices via API at large scale, and this is a show stopper.

Uri:
https://graph.microsoft.com/v1.0/devices/id
https://graph.microsoft.com/beta/devices/id

Request Body:

{systemLabels: ["labelname"]}

Response:

{
    "error": {
        "code": "Request_BadRequest",
        "message": "Invalid value specified for property 'systemLabels' of resource 'Device'.",
        "innerError": {
            "request-id": "*******************************",
            "date": "2019-04-17T09:15:18"
        },
        "details": [
            {
                "target": "systemLabels",
                "code": "InvalidValue"
            }
        ]
    }
}

Hi,
I don't think this property can be set by customers. MS does not allow it, it is read only or protected by permissions. But I had all permissions I could get. I used the value "M365Managed" from the example here: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership and got more details....

systemLabels | any string matching the Intune device property for tagging Modern Workplace devices | (device.systemLabels -contains "M365Managed")

$label = New-Object "System.Collections.Generic.List``1[System.String]"
$label.Add("M365Managed")
Get-AzureADDevice -ObjectId 336df2bb-ad89-49dc-.... | Set-AzureADDevice -SystemLabels $label

Set-AzureADDevice : Error occurred while executing SetDevice
Code: Request_BadRequest
Message: Property 'systemLabels' is read-only and cannot be set.
RequestId: ee9f27aa-608c-4ce1-8dd9-c927328f37d3
DateTimeStamp: Wed, 17 Apr 2019 11:50:15 GMT
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At line:1 char:68

• ... -ad89-49dc-a2bc-7b79c743affe | Set-AzureADDevice -SystemLabels $label
• ~~~~~~~~~~
  
  
  
  • CategoryInfo : NotSpecified: (:) [Set-AzureADDevice], ApiException
  
  
  • FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.SetDevi
    
    ce
  
  

If I try it with graph I get this:

https://graph.microsoft.com/beta/devices/336df2bb-ad89-49dc....
{systemLabels: ["M365Managed"]}

{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "76758095-4eba-4bde-8a1b-3bc9dd56892e",
"date": "2019-04-17T11:46:08"
}
}
}

So again it seem to be a property used by MS for M365 Managed Desktop maybe.

@okieselbach

Yes, I had the same result with Graph API when I changed the value of systemLabel to an integer.

Any reason we cannot add system labels? Any plans to change this?

Hello,

Any news about the posibility to set this property? I need to find a way to create a dynamic group in Azure AD with custom attribute.

Hi @tjgruber
@atfernando
@okieselbach
Our groups PM ensured that the systemLabels attribute was supported for evaluation by a dynamic group membership rule. The systemLabels values themselves are created only by Intune admins to the best of my knowledge.

I believe @Shantaram Punukollu might know more about the values.

How do Intune admins create these systemlabels? I haven’t found a way yet.

Hi @SaurabhSharma-MSFT
I can't update Intune documentation about how to set system labels. Dynamic group articles are correct.

please-close

@curtand @SaurabhSharma-MSFT Will you assign someone to update the Dynamic group article on how to add these systemlabels or create a new page for this? Many thanks!

Hi @all,
I don't think that systemLabels can be added as the message from Microsoft is very clear here. Look at my first attempt, the exception (error message) clearly states:

Message: Property 'systemLabels' is read-only and cannot be set.

It is something they probably use for their Managed Desktop offering but not intended for usage by all of us. That's what the message tells us.

@okieselbach Maybe, maybe not. The error message may say "Property 'systemLabels' is read-only and cannot be set." but the documentation to date (20/08) still says:

systemLabels | any string matching the Intune device property for tagging Modern Workplace devices | (device.systemLabels -contains "M365Managed")
-- | -- | --

It would be nice to have some clarification about this from Microsoft.

In my situation (Education) it would be a nice addition to the dynamic groups in combination with autopilot. I could "group" shared devices in our different labs / classes.
Maybe even add this to the getautopilotinfo.ps1 like Group Tag (OrderID). Or just gather ID's and push the systemLabel using powershell.

I guess many others would have uses for this property.

@dc911x totally agree and you're right in the end it is just an error message. Personally my gut feeling tells me it is read-only and not intended for public usage, but anyway clarification from MS would be nice! 👍

@okieselbach Maybe, maybe not. The error message may say "Property 'systemLabels' is read-only and cannot be set." but the documentation to date (20/08) still says:

systemLabels
any string matching the Intune device property for tagging Modern Workplace devices
(device.systemLabels -contains "M365Managed")

It would be nice to have some clarification about this from Microsoft.
In my situation (Education) it would be a nice addition to the dynamic groups in combination with autopilot. I could "group" shared devices in our different labs / classes.
Maybe even add this to the getautopilotinfo.ps1 like Group Tag (OrderID). Or just gather ID's and push the systemLabel using powershell.
I guess many others would have uses for this property.

I'm in the exact same situation. Even corpIDs would work, but they cant be queried via dynamic groups. So far dynamic groups haven't been useful.

I know that this issue is closed, but I'm looking at this and trying to understand what the list of possible SystemLabels should/could be. The only one I see is the example in the dynamic groups doc. What are the other values? Also, I have AAD and Hybrid AD joined devices and they don't have any values in SystemLabel. What am I missing here?