SOLVED

Intune 403 error - When accessing InTune Portal


Hi Intune Community,

 

I have two users to whom I have given the Application Manager role with full access, under Tenant Admin --> MEM roles, but they are receiving the following access error when they try to reach Intune/Endpoint Manager: [screenshot: 403 Error - Intune.png]

 

 

I read the https://techcommunity.microsoft.com/t5/microsoft-intune/401-and-403-error-when-logging-into-endpoint... link, which does not apply to our environment, as we already have the MDM set up and running.

Any thoughts/help appreciated.

7 Replies
Hi,

I don't know for 100% sure if this still applies... but I guess it's worth taking a look at it:

https://www.enhansoft.com/how-to-add-the-intune-service-administrator-directory-role-to-a-user-accou....
Thanks for your reply,

We don't want to give the admin role, as it has full privileges. They shouldn't be given that role.

They just need to manage the apps (upload, change properties, assignments, etc.), so that is why I gave them MEM roles.

Hi...

Ahhh okay. Pretty good point. Do you have scoping configured, or did you only add the user/group to the built-in role?

 

Does the user have access to other parts, like device configuration profiles? Just tested it myself. I made a copy of the Application Manager role and assigned it to the Intune_app_group (my test user is a member) and included all devices and users... it took about 5-10 minutes before I could access the application page (the first time I logged in, I had the same error).

 

[screenshot: Rudy_Ooms_0-1619851911901.png]

 

I wish Microsoft had better documentation for its platforms and services.

Yes, that is exactly what I did.

I created a group and added those members there; then assigned that group to my custom role, exactly what you shared. But same error.

I think I figured out what is going on:

I checked the definitions of Members & Scope for my role (Application Manager):

Members: All users in the listed Azure security groups have permission to manage the users/devices that are listed in Scope (Groups).
Scope (Groups): All users/devices in these Azure security groups can be managed by the users in Members.

So, for Members, it should be the group I want to give the power/privileges to,

but for Scope, it should be All devices, All users [not limited to the assigned group; this is where I was going wrong].

Now the users can access Endpoint Manager.
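The fix described in the post above (Members = the app-managers group, Scope (Groups) = All devices / All users) can be audited and applied with Microsoft Graph instead of clicking through the portal. The script below is an added example, not code from this thread or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account can consent to DeviceManagementRBAC.ReadWrite.All, that the beta endpoint exposes `scopeType` on `deviceAndAppManagementRoleAssignment` (values `resourceScope`, `allDevices`, `allLicensedUsers`, `allDevicesAndLicensedUsers`), and that the role definition is bound with `roleDefinition@odata.bind`; the group ID is a placeholder. Note the least-privilege trade-off that follows from the two definitions quoted in the post: widening the scope to all devices and users is what unblocks portal access, but it also lets the members target every device and user with app assignments, so the Members group should be kept small and reviewed.

```powershell
# Added example (not from the thread): audit Intune RBAC assignments of the
# Application Manager role and create one scoped to all devices and licensed users.
# Assumptions: Microsoft.Graph SDK installed; DeviceManagementRBAC.ReadWrite.All;
# beta endpoint; $MembersGroupId is a placeholder for the app-managers group.

Import-Module Microsoft.Graph.Authentication

$MembersGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder group ID
$RoleName       = 'Application Manager'                    # built-in role used in the thread
$Graph          = 'https://graph.microsoft.com/beta'

Connect-MgGraph -Scopes 'DeviceManagementRBAC.ReadWrite.All' -NoWelcome

# 1. Resolve the built-in role definition by display name.
$roleUri = "$Graph/deviceManagement/roleDefinitions?`$filter=displayName eq '$RoleName'"
$role    = (Invoke-MgGraphRequest -Method GET -Uri $roleUri).value | Select-Object -First 1
if (-not $role) { throw "Role '$RoleName' not found" }

# 2. List current assignments and flag the group-scoped ones (the 403 case in the thread).
$assignUri   = "$Graph/deviceManagement/roleDefinitions/$($role.id)/roleAssignments"
$assignments = (Invoke-MgGraphRequest -Method GET -Uri $assignUri).value
foreach ($a in $assignments) {
    $detail = Invoke-MgGraphRequest -Method GET -Uri "$Graph/deviceManagement/roleAssignments/$($a.id)"
    $scope  = if ($detail.scopeType -eq 'resourceScope') {
        "resourceScope (limited to groups: $($detail.scopeMembers -join ','))  <-- members get 403 in the portal"
    } else {
        $detail.scopeType
    }
    Write-Host ("{0,-40} members={1} scope={2}" -f $detail.displayName, ($detail.members -join ','), $scope)
}

# 3. Create an assignment: Members = the group, Scope = all devices and all licensed users.
$body = @{
    '@odata.type'               = '#microsoft.graph.deviceAndAppManagementRoleAssignment'
    displayName                 = 'App managers - all devices and users'
    description                 = 'Members manage apps; tenant-wide scope so the admin center loads'
    members                     = @($MembersGroupId)
    scopeType                   = 'allDevicesAndLicensedUsers'
    'roleDefinition@odata.bind' = "$Graph/deviceManagement/roleDefinitions/$($role.id)"
}
$new = Invoke-MgGraphRequest -Method POST -Uri "$Graph/deviceManagement/roleAssignments" -Body $body
Write-Host "Created assignment $($new.id) with scopeType $($new.scopeType)"
```

Run step 2 on its own first to see which existing assignments are limited to specific scope groups; as the reply below notes, allow several minutes after changing an assignment before retesting the portal.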
best response confirmed by Ali Fadavinia (Contributor)
Solution
Hi.

The Microsoft documentation is a little bit hard to read. But yes indeed, just like the screenshot I posted: All devices/All users, otherwise it is not going to work.
Good R&D virtually, high five! ;)