Intune Service administrator gets "Access Denied" when trying to configure MAM

Applies to: Microsoft Intune

Symptoms


Assume that an administrator isn't in the global Administrators role but is in the Intune Service Administrator role. When they try to configure Intune App Protection (MAM) Conditional Access (CA), an “Access Denied” error occurs.

Cause


An Intune Service Administrator must be explicitly granted the "Contributor" role permission to access the MAM CA blades.

Resolution


To fix this issue, grant the administrator the "Contributor" permission under Intune App protection -> Settings -> Exchange Online -> Resource Management -> Users.
