Not able to manage UP via AD Portal




After receiving the required code etc. to activate the UPP PP in my customer's environment, I was able to allocate the required PP licenses as directed in the documentation.


Downloaded the UPP gateway application and went through the process of registering the UPP gateway to Azure with no issues reported.


However, I am not able to access and manage the UPP gateway via the UPP extension in Azure. I am getting the attached error.


Also, I am not able to add printers to the gateway, as this generates a "Forbidden" error when attempting to add printers to the on-premise gateway.


The same AAD account is being used in both environments.

12 Replies

@torquetechit_tonyd Did you assign a UP license to your admin account? Even though you're an administrator you still need to be licensed to access Universal Print in the Azure Portal.



Yes, I certainly have. I have also ensured the admin (although it is global admin) is a member of the device and Print management roles.


@torquetechit_tonyd Ok, that's a great start! Seems like you've set up your roles and licenses correctly.


Unfortunately this doesn't seem like a common issue, so it will need to be investigated.


Do you have a support plan? If not, let me know and I'll ask an engineer to look into it. If you do have a support plan, can you please create a support request to help us track and quickly resolve it? You can make a request through:


@torquetechit_tonyd We are getting the same error, did you manage to find a fix for this?

@torquetechit_tonyd If you are assigning the UP licenses in the AAD portal you will need to set the User location for the user first, otherwise the license will not be assigned properly and you will get the Access Denied error when trying to access the Universal Print portal. This setting is displayed for you to set if you assign the UP license via the M365 Admin portal. 





Please see the attached screen dump of the original account details.


I have just tested this again with another GA account which also has an M365E3 license assigned, and it let me add a new connector and printers to the connector.


Does the GA account also need an M365 license!?


Now to just test access to the shared printers.





@torquetechit_tonyd Try going to the M365 Admin portal (Microsoft 365 admin center - Active users) and see if the license is showing there. If it is, try removing it and reapplying it. If it is still failing to connect, open an Azure support case and specify Universal Print and we can assist you further with this.



@Philip_Demaree, removing and re-adding the license appears to have solved the issue. Thanks


A couple of other items though:


  1. Assigning access to the printer once shared via UPP - currently this only supports accounts, right, not groups? It would be good to be able to bring this through from the on-premise print queue if the related security group is sync'ed out to Azure AD.
  2. Setting the printer properties, i.e. paper size, seems to fail when trying to save the settings, with an error about not being able to access the service etc.

Other than having to set the paper size manually on the endpoint to the correct "A4", the printers work great!


Thanks again this is a big PLUS for remote work forces that need this ability... much better than the hybrid print solution..



@torquetechit_tonyd Awesome! Glad to hear you got things up and running. Thanks @Philip_Demaree for helping out!


  1. As long as the security group you'd like to add is in AzureAD, you can use it to assign permissions to a printer.

  2. Yep, this is a bug :( We're currently working on it!

Hi @LeonIvey, seems removing and re-applying the license resolved my issue.

Thanks @Braeden_Petruk_MSFT


I will review the group permission assignment again, as I did not see my on-premise security group when I tried this previously.


Also, when reading through the documentation I noticed the mention of "Workplace Join" for endpoint devices.

Wouldn't it be more pertinent to use "Hybrid Joined" devices? As I understand it, Workplace Join is for legacy Windows devices (Win7 etc.).

@torquetechit_tonyd thanks same (via Office 365 and not Azure)