Forum Discussion

ArturGawrych
Copper Contributor
May 12, 2023

Accessing Intune Admin Portal with GDAP

I have set up a GDAP relationship with a customer and I get an error when I try to access the Intune Admin Portal.

The portal is having issues getting an authentication token. The experience rendered may be degraded.

Additional information from the call to get a token:
Extension: Microsoft_Intune_DeviceSettings
Resource: manageddesktop
Details: The logged in user is not authorized to fetch tokens for extension 'Microsoft_Intune_DeviceSettings' because the user account is not a member of tenant 'GUID'. Error details: AADSTS50020: User account '{EmailHidden}' from identity provider 'https://sts.windows.net/GUID' does not exist in tenant 'CUSTOMER NAME' and cannot access the application '5926fc8e-304e-4f59-8bed-58ca97cc39a4'(Microsoft Intune portal extension) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

I have assigned the required role to the security group.


Am I missing something?


  • Hi ArturGawrych

    If you've followed the steps here - Grant granular permissions to security groups - Partner Center | Microsoft Learn and are still having issues, the following information may help:

    Role-based access control (RBAC) with Microsoft Intune | Microsoft Learn

    • If the troubleshooting information is not helpful, click on the applicable "Get help and support" link to the left of the troubleshooting webpage:

    Hope this helps.

     

    If this (or someone else's) reply answers your question, please Accept as the solution to help the other members find it more quickly. Otherwise, please let me know if you need further assistance on this topic.


    Regards,

    Microsoft CSP Licensing Concierge

    niekpruntel
    Copper Contributor

    I have the same error and was able to resolve it.

    {
    "sessionId": "40c71ee0c1544b10ab6058affe2d538c",
    "missingClaims": "{\"claims\":\"{\\\"access_token\\\":{\\\"capolids\\\":{\\\"essential\\\":true,\\\"values\\\":[\\\"9deb8598-462b-462a-ac1c-478984b576dd\\\"]}}}\"}",
    "resourceName": "manageddesktop",
    "errorMessage": "AADSTS90072: User account '{EmailHidden}' from identity provider 'https://sts.windows.net/<tenantid>/' does not exist in tenant '<customer>.' and cannot access the application '5926fc8e-304e-4f59-8bed-58ca97cc39a4'(Microsoft Intune portal extension) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account\r\nTrace ID: <objectid>\r\nCorrelation ID: 6aabee5c-79d5-4341-a0ba-0934dc518bb3\r\nTimestamp: 2023-07-06 09:26:22Z"
    }

    After adding an indirect reseller relationship without DAP I was able to access Intune through GDAP. If you already have a reseller relationship in place, try deleting and re-adding the indirect partner relationship. Hope this helps.
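A small triage helper, added here and not part of this thread or of any Microsoft tooling, that parses the portal error blob quoted above. The `missingClaims` field is JSON nested inside a JSON string, so it has to be decoded twice before the `capolids` values (Conditional Access policy IDs the token lacked) become readable; the helper also pulls out the AADSTS code and the Correlation ID and Timestamp that support will ask for. The sample input is the blob from this post with the long error sentence trimmed; the field names are assumed from that blob.

```python
import json
import re

# Constructed sample: the Intune portal error blob quoted in this post, with the
# long error sentence trimmed. Field names are taken from that blob.
RAW_ERROR = r'''{
"sessionId": "40c71ee0c1544b10ab6058affe2d538c",
"missingClaims": "{\"claims\":\"{\\\"access_token\\\":{\\\"capolids\\\":{\\\"essential\\\":true,\\\"values\\\":[\\\"9deb8598-462b-462a-ac1c-478984b576dd\\\"]}}}\"}",
"resourceName": "manageddesktop",
"errorMessage": "AADSTS90072: User account '{EmailHidden}' from identity provider 'https://sts.windows.net/<tenantid>/' does not exist in tenant '<customer>.' and cannot access the application '5926fc8e-304e-4f59-8bed-58ca97cc39a4'(Microsoft Intune portal extension) in that tenant.\r\nTrace ID: <objectid>\r\nCorrelation ID: 6aabee5c-79d5-4341-a0ba-0934dc518bb3\r\nTimestamp: 2023-07-06 09:26:22Z"
}'''

AADSTS_RE = re.compile(r"AADSTS\d+")
# Trailer lines the message carries after \r\n; these are what support asks for.
TRAILER_RE = re.compile(r"^(Trace ID|Correlation ID|Timestamp): (.+)$", re.MULTILINE)
# Codes seen in this thread whose text says the account does not exist in the customer tenant.
ACCOUNT_NOT_IN_TENANT = {"AADSTS50020", "AADSTS90072"}


def parse_missing_claims(missing_claims: str) -> dict:
    """Decode 'missingClaims': a JSON string whose 'claims' value is itself JSON text."""
    outer = json.loads(missing_claims)      # {"claims": "<json text>"}
    return json.loads(outer["claims"])      # {"access_token": {"capolids": {...}}}


def triage(raw: str) -> dict:
    """Pull out the fields a helpdesk needs from one portal error blob."""
    err = json.loads(raw)
    claims = parse_missing_claims(err["missingClaims"])
    capolids = claims.get("access_token", {}).get("capolids", {}).get("values", [])
    msg = err["errorMessage"]
    match = AADSTS_RE.search(msg)
    code = match.group(0) if match else None
    trailer = {k: v.strip() for k, v in TRAILER_RE.findall(msg)}  # strip drops the \r
    return {
        "resource": err["resourceName"],
        "code": code,
        "account_not_in_tenant": code in ACCOUNT_NOT_IN_TENANT,
        # Conditional Access policy IDs the token had to satisfy but did not.
        "required_ca_policies": capolids,
        "correlation_id": trailer.get("Correlation ID"),
        "timestamp": trailer.get("Timestamp"),
    }


if __name__ == "__main__":
    print(json.dumps(triage(RAW_ERROR), indent=2))
```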

      JillArmour
      Community Manager

      ArturGawrych did any of these responses help you resolve your issue? Can you mark which response was the best so partners after you can find the solution quickly?


      Thank you to all that responded and for being part of the community!! 🙂

    cmessina85
    Copper Contributor
    I am seeing the same issue for some (not all) tenants and can't figure out a solution. CSP tenant is excluded from all client tenant CA policies and all other admin portals work.
