Access rights needed for tenant access

[kosli]

Hi
If I login with the Global Admin of a tenant, everything works as expected. I would like to use my partner user to access the other tenants. What access right (GDAP? Azure?) do I need to be able to access the other tenants? Some of the tenants at least show up in the list of the app, but I cannot access anything of the functionality (everything red). When I use the "request consent" option and approve it, I still don't have any access. Is there a documentation on the multi tenant access rights?
Thanks!

[Micke-K]

Hello,

Do you know if you the app is approved in the tenant. Also, do you know if the consent requires approval?

Gust tenants should be visible if this is enabled in settings. However, this queries an API that might need consent as well.

I've seen environments where tenant admins must approve consent requests and app registrations. I've also seen where the API to get available tenants is blocked by proxy. However, if you see other tenants in the list, then that API is working.

If you are Global Admin in the other tenant you should be able to see the consent request and approve them documented here:

https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/review-admin-consent-requests

Let me know how it goes.

Cheers!

[kosli]

Hi @Micke-K
Thanks for your help.
I have checked on my main/partner tenant for the Microsoft Intune PowerShell Enterprise application and all permissions are granted for my global admin user.
In https://intune.microsoft.com/ I can access and manage the two tenants listed in IntuneManagement. But in IM itself, if I select one of the two tenants, the whole list of options in Intune Manager turns red. When i then click on the Request consent option, shortly a "login window" seems to appear, but disappear immediately and the Intune Manager options seems to get "activated" (no more red). But if i click any of the options, I still don't get any data for that tenant.
I have "Enable the admin consent workflow" in the other tenant (as global admin) but I don't see any Admin consent requests. Nor do I see there the Microsoft Intune PowerShell Enterprise application.

hmmm, weird. until now i had used the "start.cmd" to start the tool (no errors showing in the console), whereas now i tried with Start-IntuneManagement.ps1. It generates quite a lot red error messages. And after successfully logging in, it doesn't show the other two tenants?!

See below the errors. I will see if I missed something on the powershell modules etc.

Details

Add-Type: (3,41): error CS0246: The type or namespace name 'INotifyPropertyChanged' could not be found (are you missing a using directive or an assembly reference?)
public class ADMXRegPolicyElement : INotifyPropertyChanged ^

Add-Type: (44,22): error CS0246: The type or namespace name 'PropertyChangedEventHandler' could not be found (are you missing a using directive or an assembly
reference?) public event PropertyChangedEventHandler PropertyChanged; ^

Add-Type: (63,47): error CS0234: The type or namespace name 'ObservableCollection<>' does not exist in the namespace 'System.Collections.ObjectModel' (are you missing an
assembly reference?) public System.Collections.ObjectModel.ObservableCollection PolicyElements {get; set;}
^

Add-Type: (79,47): error CS0234: The type or namespace name 'ObservableCollection<>' does not exist in the namespace 'System.Collections.ObjectModel' (are you missing an
assembly reference?) public System.Collections.ObjectModel.ObservableCollection ADMXPolicies {get; set;}
^

Add-Type: (84,63): error CS0234: The type or namespace name 'ObservableCollection<>' does not exist in the namespace 'System.Collections.ObjectModel' (are you missing an
assembly reference?) ADMXPolicies = new System.Collections.ObjectModel.ObservableCollection();
^

Add-Type: (67,65): error CS0234: The type or namespace name 'ObservableCollection<>' does not exist in the namespace 'System.Collections.ObjectModel' (are you missing an
assembly reference?) PolicyElements = new System.Collections.ObjectModel.ObservableCollection();
^

Add-Type: (51,76): error CS0246: The type or namespace name 'PropertyChangedEventArgs' could not be found (are you missing a using directive or an assembly reference?)
if(PropertyChanged != null) { PropertyChanged.Invoke(this, new PropertyChangedEventArgs(propertyName)); }
^

Add-Type: Cannot add type. Compilation errors occurred.

Add-Type: C:\Users\xxx\Source\IntuneManagement\CS\TokenCacheHelperEx.cs(14,9): error CS0012: The type 'MulticastDelegate' is defined in an assembly that is notreferenced. You must add a reference to assembly 'mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'.
tokenCache.SetBeforeAccess(BeforeAccessNotification); ^

Add-Type: C:\Users\xxx\Source\IntuneManagement\CS\TokenCacheHelperEx.cs(15,9): error CS0012: The type 'MulticastDelegate' is defined in an assembly that is notreferenced. You must add a reference to assembly 'mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'.
tokenCache.SetAfterAccess(AfterAccessNotification); ^

Add-Type: C:\Users\xxx\Source\IntuneManagement\CS\TokenCacheHelperEx.cs(33,23): error CS0103: The name 'ProtectedData' does not exist in the current context

? ProtectedData.Unprotect(File.ReadAllBytes(CacheFilePath), ^

Add-Type: C:\Users\xxx\Source\IntuneManagement\CS\TokenCacheHelperEx.cs(35,21): error CS0103: The name 'DataProtectionScope' does not exist in the current context
DataProtectionScope.CurrentUser) ^

Add-Type: C:\Users\xxx\Source\IntuneManagement\CS\TokenCacheHelperEx.cs(50,37): error CS0103: The name 'ProtectedData' does not exist in the current context

ProtectedData.Protect(args.TokenCache.SerializeMsalV3(), ^

Add-Type: C:\Users\xxx\Source\IntuneManagement\CS\TokenCacheHelperEx.cs(52,61): error CS0103: The name 'DataProtectionScope' does not exist in the current context
DataProtectionScope.CurrentUser)

[kosli]

Update: I had previously started it from VScode terminal. When I open a powershell and run there the start-withconsole.cmd I don't get any error messages on startup, but now at least I see an error when trying to access the other tenant. But the request consent doens't seem to work as expected. (I had tried with the default permissions enabled and disabled too). See below. I will see if I can add the graph permissions manually.

Details

C:\Users\xxx\Source\IntuneManagement>cmd /c powershell -version 5 -ex bypass -file "C:\Users\xxx\Source\IntuneManagement\Start-IntuneManagement.ps1" -ShowConsoleWindow
Use settings in registry
#####################################################################################
Application started
#####################################################################################
PowerShell version: 5.1.19041.4046
PowerShell build: 10.0.19041.4046
PowerShell CLR: 4.0.30319.42000
PowerShell edition: Desktop
OS: Windows 10 Pro N 10.0.19045.4046
Module Compare loaded successfully
Module Copy loaded successfully
Module Documentation loaded successfully
Module DocumentationCustom loaded successfully
Module DocumentationHTML loaded successfully
Module DocumentationMD loaded successfully
Module DocumentationWord loaded successfully
Module EndpointManager loaded successfully
Module EndpointManagerInfo loaded successfully
Module IntuneAppManagement loaded successfully
Module IntuneAssignments loaded successfully
Module IntuneFilterUsage loaded successfully
Module IntuneTools loaded successfully
Module MSALAuthentication loaded successfully
Module MSGraph loaded successfully
Trigger function Invoke-InitializeModule
Trigger Invoke-InitializeModule in Compare
Trigger Invoke-InitializeModule in Copy
Trigger Invoke-InitializeModule in Documentation
Trigger Invoke-InitializeModule in DocumentationCustom
Trigger Invoke-InitializeModule in DocumentationHTML
Trigger Invoke-InitializeModule in DocumentationMD
Trigger Invoke-InitializeModule in DocumentationWord
Trigger Invoke-InitializeModule in EndpointManager
Trigger Invoke-InitializeModule in EndpointManagerInfo
Trigger Invoke-InitializeModule in IntuneAssignments
Trigger Invoke-InitializeModule in IntuneFilterUsage
Trigger Invoke-InitializeModule in IntuneTools
Trigger Invoke-InitializeModule in MSALAuthentication
Using MSAL file C:\Users\xxx\Source\IntuneManagement\Microsoft.Identity.Client.dll. Version: 4.42.1.0
Trigger Invoke-InitializeModule in MSGraph
Add settings and menu items
Change view to Intune Manager
Add MSAL App d1ddf0e4-d672-4dae-b554-9d5bdfd93547 https://login.microsoftonline.com/organizations/
Use Graph environment: graph.microsoft.com
[email protected] authenticated successfully (Silent). CorrelationId:
Get tenant list
Get current user
Get profile picture
Get organization info
Trigger function Invoke-GraphAuthenticationUpdated
Trigger Invoke-GraphAuthenticationUpdated in EndpointManager
Trigger Invoke-GraphAuthenticationUpdated in MSGraph
Clear cached values
Activating View Intune Manager
Trigger function Invoke-ViewActivated
Trigger Invoke-ViewActivated in Compare
Trigger Invoke-ViewActivated in Copy
Trigger Invoke-ViewActivated in Documentation
Running latest version: 3.9.5
Trigger function Invoke-ShowMainWindow
Trigger Invoke-ShowMainWindow in Compare
Trigger Invoke-ShowMainWindow in Documentation
Logging in to xxx
[email protected] authenticated successfully (Silent). CorrelationId: ac5cf128-fa79-41a8-bfbc-2236fdfb2adb
Get current user
Failed to invoke MS Graph with URL https://graph.microsoft.com/beta/ME (Request ID: 3138af42-6ca1-455d-bd96-bf12263264af). Status code: Forbidden. Response message: Insufficient privileges to complete the operation. Exception: The remote server returned an error: (403) Forbidden.
Get organization info
Failed to invoke MS Graph with URL https://graph.microsoft.com/beta/Organization (Request ID: 4f4e0438-95f9-4c53-a74b-4d38b1117ea6). Status code: Forbidden. Response message: Insufficient privileges to complete the operation. Exception: The remote server returned an error: (403) Forbidden.
WARNING: Missing scopes:
User.ReadWrite.All,Group.ReadWrite.All,DeviceManagementConfiguration.ReadWrite.All,Policy.Read.All,Policy.ReadWrite.Con
ditionalAccess,Application.Read.All,Agreement.ReadWrite.All,DeviceManagementApps.ReadWrite.All,Organization.ReadWrite.A
ll,DeviceManagementServiceConfig.ReadWrite.All,DeviceManagementManagedDevices.ReadWrite.All,DeviceManagementRBAC.ReadWr
ite.All,CloudPC.ReadWrite.All
Trigger function Invoke-GraphAuthenticationUpdated
Trigger Invoke-GraphAuthenticationUpdated in EndpointManager
Trigger Invoke-GraphAuthenticationUpdated in MSGraph
Clear cached values
Initiate consent prompt
Consent prompt for the following scopes: User.ReadWrite.All,Group.ReadWrite.All,DeviceManagementConfiguration.ReadWrite.All,Policy.Read.All,Policy.ReadWrite.ConditionalAccess,Application.Read.All,Agreement.ReadWrite.All,DeviceManagementApps.ReadWrite.All,Organization.ReadWrite.All,DeviceManagementServiceConfig.ReadWrite.All,DeviceManagementManagedDevices.ReadWrite.All,DeviceManagementRBAC.ReadWrite.All,CloudPC.ReadWrite.All
Consent for additional scopes added successfully
Refreshing the token
Use Graph environment: graph.microsoft.com
[email protected] authenticated successfully (Silent). CorrelationId: 867dfc96-007a-4897-8cfb-501b85ba7ed7
WARNING: Missing scopes:
User.ReadWrite.All,Group.ReadWrite.All,DeviceManagementConfiguration.ReadWrite.All,Policy.Read.All,Policy.ReadWrite.Con
ditionalAccess,Application.Read.All,Agreement.ReadWrite.All,DeviceManagementApps.ReadWrite.All,Organization.ReadWrite.A
ll,DeviceManagementServiceConfig.ReadWrite.All,DeviceManagementManagedDevices.ReadWrite.All,DeviceManagementRBAC.ReadWr
ite.All,CloudPC.ReadWrite.All

[Micke-K]

Hello

You VS code probably defaults to PowerShell 7 where all the Add-Type commands fails.

I don't expect it to work if you can't see the Intune PowerShell Application. Not sure if I've approved the app in another tenant through the tool. Sounds like something isn't working properly.

You could try change the app to Graph Module.

Let me know if you find anything.

Cheers!

[kosli]

VScode: will look into it. Thanks.

I have switch to the Graph Module. But it didn't get installed in the guest tenant -> so I logged in once with the global admin of the guest tenant and the app got installed. Afterwards I was able to access everything from my main tenant.

But the same doesn't work with the Intune PowerShell App -> even after logging in with the global admin of the guest tenant and having the app installed (i checked it in the azure enterprise applications) I cannot use it from my main tenant.