Windows Autopilot for Hybrid Joined machines – using the Preview of Intune Connector for Active Directory Access Denied

While working with Chris in the office on getting a new Autopilot experience up and running, we are trying to move forward with a Hybrid approach to machine builds; we appreciate that there are legacy requirements to maintain an on-prem joined machine, but we want to get the most out of the capability of Azure Intune and Autopilot.

Whilst trying to install and set up the new Intune Connector for Active Directory, we ran through the standard documented install, setting the Language settings to a known one to avoid the "error applying transforms" message that is already documented: https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/intune-connector

Download the connector through the Azure portal and run through the setup

Post-install, fire it up; logging in looks as follows:

JavaScript needs enabling & some domains need adding as trusted sites in Internet Options.

These are some wildcards of addresses that pop up when trying to log in and are useful to add:

But this still doesn't let you sign in with the above added and with JavaScript enabled. Adding another domain (below) seems to let the logon screen load.

Now the above is set, it no longer goes into a loop at the logon screen; instead you'll likely see 'Access denied: You are not authorized to view this page.'

Even though the admin account used above is a Global Administrator (the requirements for the Intune AD Connector setup are either Global Admin or Intune Service Admin), it will not work and the error above continues to appear.

We found the solution by temporarily promoting a 'normal' user account to Global Admin and retrying the sign-in, in case there was an MFA or other issue. This worked, and Chris suggested the difference was the license that a normal account had versus an unlicensed 'admin only' account.

After rebuilding a test Azure+O365 tenant I have recreated the experience and errors with a Global Admin account, and the solution was to assign an Intune license in O365 to the admin account. I haven't found this documented anywhere as a requirement, but it definitely resolves the problem: go to the Office 365 portal and grant the admin an Intune license.

Wait a few minutes while the license applies and then try again.

Success.
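The check that would have saved us the guesswork, as an added example that is not part of the original post: a PowerShell script that confirms the account used for the connector sign-in is both a Global Admin and holds an Intune license, and that the Intune service plan has actually finished provisioning (the "wait a few minutes" step) before you retry the connector logon. It assumes the MSOnline module (`Connect-MsolService`, `Get-MsolUser`, `Get-MsolAccountSku`, `Set-MsolUserLicense`), which is what this era of tenant administration used; the service plan name `INTUNE_A` is an assumption and should be confirmed against `Get-MsolAccountSku` in your own tenant. The UPN is a placeholder.

```powershell
# Added example, not from the original post or from Microsoft's connector documentation.
# Verifies the state the post describes as required for the Intune Connector for AD sign-in:
# Global Admin role AND an Intune license whose service plan has provisioned.
param(
    [Parameter(Mandatory = $true)]
    [string]$AdminUpn,                        # placeholder, e.g. connector-admin@contoso.onmicrosoft.com
    [string]$IntuneServicePlan = 'INTUNE_A',  # ASSUMED service plan name for Microsoft Intune; verify in your tenant
    [switch]$Assign,                          # assign a license if one is missing
    [string]$UsageLocation = 'GB'             # required before a license can be assigned; assumed value
)

Import-Module MSOnline -ErrorAction Stop
Connect-MsolService   # interactive sign-in with an account that can read roles and assign licenses

function Get-ConnectorAccountState {
    param([string]$Upn, [string]$PlanName)

    $user = Get-MsolUser -UserPrincipalName $Upn -ErrorAction Stop

    # 'Company Administrator' is the MSOnline name for the Global Administrator role.
    $gaRole  = Get-MsolRole -RoleName 'Company Administrator'
    $isGA    = $null -ne (Get-MsolRoleMember -RoleObjectId $gaRole.ObjectId |
                          Where-Object { $_.EmailAddress -eq $Upn })

    # Walk every assigned SKU and pick out the Intune service plan and its provisioning status.
    $plans = foreach ($lic in $user.Licenses) {
        foreach ($svc in $lic.ServiceStatus) {
            if ($svc.ServicePlan.ServiceName -eq $PlanName) {
                [pscustomobject]@{
                    Sku    = $lic.AccountSkuId
                    Plan   = $svc.ServicePlan.ServiceName
                    Status = $svc.ProvisioningStatus   # Success, PendingProvisioning, PendingActivation, Disabled ...
                }
            }
        }
    }

    [pscustomobject]@{
        Upn           = $Upn
        IsGlobalAdmin = $isGA
        HasIntunePlan = ($plans | Measure-Object).Count -gt 0
        Provisioned   = @($plans | Where-Object { $_.Status -eq 'Success' }).Count -gt 0
        Plans         = $plans
    }
}

$state = Get-ConnectorAccountState -Upn $AdminUpn -PlanName $IntuneServicePlan
$state | Format-List Upn, IsGlobalAdmin, HasIntunePlan, Provisioned

if (-not $state.IsGlobalAdmin) {
    Write-Warning "$AdminUpn is not a Global Administrator; the connector sign-in will be refused."
}

if (-not $state.HasIntunePlan -and $Assign) {
    # Find a SKU that carries the Intune service plan and still has free seats.
    $sku = Get-MsolAccountSku |
        Where-Object { ($_.ServiceStatus.ServicePlan.ServiceName -contains $IntuneServicePlan) -and
                       (($_.ActiveUnits - $_.ConsumedUnits) -gt 0) } |
        Select-Object -First 1
    if (-not $sku) { throw "No SKU with service plan $IntuneServicePlan has free seats." }

    # A usage location must be set before any license can be assigned.
    $user = Get-MsolUser -UserPrincipalName $AdminUpn
    if (-not $user.UsageLocation) {
        Set-MsolUser -UserPrincipalName $AdminUpn -UsageLocation $UsageLocation
    }
    Set-MsolUserLicense -UserPrincipalName $AdminUpn -AddLicenses $sku.AccountSkuId
    Write-Host "Assigned $($sku.AccountSkuId) to $AdminUpn; waiting for provisioning."
}

# Poll until the Intune plan reports Success (the post's "wait a few minutes" step), up to 10 minutes.
$deadline = (Get-Date).AddMinutes(10)
while (-not $state.Provisioned -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 30
    $state = Get-ConnectorAccountState -Upn $AdminUpn -PlanName $IntuneServicePlan
}

if ($state.IsGlobalAdmin -and $state.Provisioned) {
    Write-Host "Ready: $AdminUpn is a Global Admin with a provisioned Intune plan. Retry the connector sign-in."
} else {
    Write-Warning "Not ready. Plan status: $($state.Plans | ForEach-Object { $_.Status })"
}
```

Run it read-only first (`.\Check-ConnectorAccount.ps1 -AdminUpn <upn>`) to see which of the two conditions is missing; add `-Assign` only when you want the script to consume a seat from the first SKU that carries the Intune plan. Keeping the check separate from the assignment matters here because the symptom ('Access denied') looks identical whether the role or the license is the missing piece.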

Update: We have logged this with Microsoft after finding the fix, and they have confirmed that the requirement is a Global Admin that also holds an Intune license. Hopefully the documentation will be updated soon.
