When an Intune Service Administrator tries to select the Exchange Online or SharePoint Online option under "Conditional Access" in the Intune mobile application management (Intune App Protection) tool, they receive an "Access Denied" error message.
This issue occurs because the Intune Service Administrator lacks the Contributor permission to access the Exchange Online and SharePoint Online options.
To resolve this issue, the Global Administrator must grant the Intune Service Administrator Contributor permissions. To do this, follow these steps:
1. Sign in to https://portal.azure.com, and then go to the Intune App Protection tool.
2. In the Settings pane under "Conditional Access," click Exchange Online.
3. Under "Resource management," click Users, and then click Add.
4. Under "Role," click Contributor, select the user or group that you want to grant the Contributor permission to, and then click Save.
5. Have the Intune Service Administrator sign in to https://portal.azure.com and confirm that they now have access to the Exchange Online and SharePoint Online options.