A quick-fire post here that hopefully should only have time bound validity period due to an impending fix, but there appears to be a ‘feature’ around Office Apps admin that you should be aware of.
If you are trying to manage Office policy from the Microsoft Endpoint Manager Admin center (MEMAC) or sometimes many people still call it just the Intune portal (but it’s more than that), you may be presented with an error around authentication. Despite this, you may still be able to access Office policy admin in the config.office.com portal.
Authentication error. Refresh the page and try again. If this issue persists contact support and provide this id: `<GUID>`.
Or in more recent times there appears to be a slightly more meaningful message appearing
You do not have access to this feature
And here is where the clue comes. In order to manage Office Policy, Microsoft docs say you need to have ONE OF these permissions:
- Global Administrator
- Security Administrator
- Office Apps Admin
Noted here – https://docs.microsoft.com/en-us/deployoffice/admincenter/overview-office-cloud-policy-service#requirements-for-using-the-office-cloud-policy-service
However please note the fine print, I also believe this wording has changed over the course of a few months so you may not have realised this:
The role must be assigned to your user account. Currently, AAD roles assigned to groups are not supported by the Office cloud policy service
I have confirmed this to be the case in a production environment. If a user was assigned the Office Apps Admin role inherited from a group – it didn’t work. Once the role was directly assigned it works.
It looks like there is fix in the workstack for this but for now you have an answer so I hope that helps.