Forum Discussion
Accessing Intune Admin Portal with GDAP
I have set up a GDAP relationship with a customer and I get an error when I try to access the Intune Admin Portal.
The portal is having issues getting an authentication token. The experience rendered may be degraded.
Additional information from the call to get a token:
Extension: Microsoft_Intune_DeviceSettings
Resource: manageddesktop
Details: The logged in user is not authorized to fetch tokens for extension 'Microsoft_Intune_DeviceSettings' because the user account is not a member of tenant 'GUID'. Error details: AADSTS50020: User account '{EmailHidden}' from identity provider 'https://sts.windows.net/GUID' does not exist in tenant 'CUSTOMER NAME' and cannot access the application '5926fc8e-304e-4f59-8bed-58ca97cc39a4'(Microsoft Intune portal extension) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
I have assigned the required role to the security group.
Am I missing something?
- LicensingConcierge1 (Microsoft)
Hi ArturGawrych,
If you've followed the steps here - Grant granular permissions to security groups - Partner Center | Microsoft Learn and are still having issues, the following information may help:
- Support for Intune doesn't include use of GDAP when enrolling servers for Microsoft Tunnel, or for configuring or installing any of the connectors for Intune. Examples of Intune connectors include but aren't limited to the Intune Connector for Active Directory, Mobile threat defense connector, and the Microsoft Defender for Endpoint connector. Workloads supported by granular delegated admin privileges (GDAP) - Partner Center | Microsoft Learn
Role-based access control (RBAC) with Microsoft Intune | Microsoft Learn
- If this information is not helpful, please review the following troubleshooting information - Intune troubleshooting | Microsoft Learn
- If the troubleshooting information is not helpful, click on the applicable "Get help and support" link to the left of the troubleshooting webpage.
Hope this helps.
If this (or someone else's) reply answers your question, please Accept as the solution to help the other members find it more quickly. Otherwise, please let me know if you need further assistance on this topic.
Regards,
Microsoft CSP Licensing Concierge
- niekpruntel (Copper Contributor)
I have the same error and was able to resolve it.
{
"sessionId": "40c71ee0c1544b10ab6058affe2d538c",
"missingClaims": "{\"claims\":\"{\\\"access_token\\\":{\\\"capolids\\\":{\\\"essential\\\":true,\\\"values\\\":[\\\"9deb8598-462b-462a-ac1c-478984b576dd\\\"]}}}\"}",
"resourceName": "manageddesktop",
"errorMessage": "AADSTS90072: User account '{EmailHidden}' from identity provider 'https://sts.windows.net/<tenantid>/' does not exist in tenant '<customer>.' and cannot access the application '5926fc8e-304e-4f59-8bed-58ca97cc39a4'(Microsoft Intune portal extension) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account\r\nTrace ID: <objectid>\r\nCorrelation ID: 6aabee5c-79d5-4341-a0ba-0934dc518bb3\r\nTimestamp: 2023-07-06 09:26:22Z"
}
After adding an indirect reseller relationship without DAP I was able to access Intune through GDAP. If you already have a reseller relationship in place, try deleting and re-adding the indirect partner relationship. Hope this helps.
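A small Python helper, added here and not part of anyone's post, that unwraps the token-error payload quoted above: the "missingClaims" field is JSON nested twice inside a string, and its "capolids" claim lists the Conditional Access policy ids the token request had to satisfy, which is the first thing to check when, as the replies describe, the partner account is blocked for only some customer tenants. The sample payload is the one from the post (placeholders such as <tenantid> are the poster's).

```python
import json
import re

# Constructed sample: the token-error payload quoted in the post above,
# kept exactly as the portal emits it (placeholders are the poster's).
SAMPLE_PAYLOAD = r'''{
"sessionId": "40c71ee0c1544b10ab6058affe2d538c",
"missingClaims": "{\"claims\":\"{\\\"access_token\\\":{\\\"capolids\\\":{\\\"essential\\\":true,\\\"values\\\":[\\\"9deb8598-462b-462a-ac1c-478984b576dd\\\"]}}}\"}",
"resourceName": "manageddesktop",
"errorMessage": "AADSTS90072: User account '{EmailHidden}' from identity provider 'https://sts.windows.net/<tenantid>/' does not exist in tenant '<customer>.' and cannot access the application '5926fc8e-304e-4f59-8bed-58ca97cc39a4'(Microsoft Intune portal extension) in that tenant.\r\nTrace ID: <objectid>\r\nCorrelation ID: 6aabee5c-79d5-4341-a0ba-0934dc518bb3\r\nTimestamp: 2023-07-06 09:26:22Z"
}'''

AADSTS_RE = re.compile(r"\b(AADSTS\d+)\b")
FIELD_RE = re.compile(r"^(Trace ID|Correlation ID|Timestamp): (.+)$", re.MULTILINE)


def conditional_access_policy_ids(missing_claims: str) -> list[str]:
    """Unwrap the doubly nested JSON in 'missingClaims' and return the
    Conditional Access policy ids ('capolids'); [] when the claim is absent."""
    if not missing_claims:
        return []
    outer = json.loads(missing_claims)            # {"claims": "<json string>"}
    claims = outer.get("claims", {})
    if isinstance(claims, str):
        claims = json.loads(claims)               # {"access_token": {...}}
    capolids = claims.get("access_token", {}).get("capolids", {})
    return list(capolids.get("values", []))


def summarize_token_error(payload: str) -> dict:
    """Pull the fields a support ticket or CA-policy review needs out of the
    portal's token-error JSON: error code, resource, ids, CA policy ids."""
    data = json.loads(payload)
    message = data.get("errorMessage", "")
    code = AADSTS_RE.search(message)
    summary = {
        "error_code": code.group(1) if code else None,
        "resource": data.get("resourceName"),
        "ca_policy_ids": conditional_access_policy_ids(data.get("missingClaims", "")),
    }
    # Trace ID / Correlation ID / Timestamp sit on CRLF-separated trailing lines.
    for key, value in FIELD_RE.findall(message.replace("\r\n", "\n")):
        summary[key.lower().replace(" ", "_")] = value.strip()
    return summary


if __name__ == "__main__":
    print(json.dumps(summarize_token_error(SAMPLE_PAYLOAD), indent=2))
```

The printed correlation id and timestamp are what Microsoft support asks for, and the policy id can be looked up directly in the customer tenant's Conditional Access policy list.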
- JillArmour (Community Manager)
ArturGawrych did any of these responses help you resolve your issue? Can you mark which response was the best so partners after you can find the solution quickly?
Thank you to all that responded and for being part of the community!! 🙂
- cmessina85 (Copper Contributor)
I am seeing the same issue for some (not all) tenants and can't figure out a solution. CSP tenant is excluded from all client tenant CA policies and all other admin portals work.