Intune Service administrator gets "Access Denied" when trying to configure MAM

Applies to: Microsoft Intune


Assume that an administrator isn't in the global Administrators role but is in the Intune Service Administrator role. When they try to configure Intune App Protection (MAM) Conditional Access (CA), an “Access Denied” error occurs.


The Intune Service Administrator must be given explicit "Contributor" role permission to access MAM CA blades. 


To fix this issue, grant the permission under Intune App protection -> Settings -> Exchange Online -> Resource Management -> Users.

User Permission