Office Apps Admin policy permissions from MEM

A quick-fire post here that hopefully should only have time bound validity period due to an impending fix, but there appears to be a ‘feature’ around Office Apps admin that you should be aware of.

If you are trying to manage Office policy from the Microsoft Endpoint Manager Admin center (MEMAC) or sometimes many people still call it just the Intune portal (but it’s more than that), you may be presented with an error around authentication. Despite this, you may still be able to access Office policy admin in the config.office.com portal.

Authentication error. Refresh the page and try again. If this issue persists contact support and provide this id: `<GUID>`.

Or in more recent times there appears to be a slightly more meaningful message appearing

You do not have access to this feature

And here is where the clue comes. In order to manage Office Policy, Microsoft docs say you need to have ONE OF these permissions:

  • Global Administrator
  • Security Administrator
  • Office Apps Admin

Noted here – https://docs.microsoft.com/en-us/deployoffice/admincenter/overview-office-cloud-policy-service#requirements-for-using-the-office-cloud-policy-service

However please note the fine print, I also believe this wording has changed over the course of a few months so you may not have realised this:

The role must be assigned to your user account. Currently, AAD roles assigned to groups are not supported by the Office cloud policy service

I have confirmed this to be the case in a production environment. If a user was assigned the Office Apps Admin role inherited from a group – it didn’t work. Once the role was directly assigned it works.

It looks like there is fix in the workstack for this but for now you have an answer so I hope that helps.

/Peter

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.