With my adventures implementing Intune, I’ve found all sorts of interesting errors that can be unhelpful, especially when they involve a user or administrator licensing issue. In my latest error, I was left with a very puzzling error while trying to connect the Intune Certificate Connector to Azure with an administrator account “Something went wrong”.
As part of troubleshooting, we checked that we had a global administrator account, though an Intune Administrator would do. We scoured the sign-in logs, thinking it was a conditional access issue, but the authentication was OK. It wasn’t until I found some forum chatter that pointed us in the right direction.
The Entra ID account wasn’t licensed for Intune, so setting up the certificate connector was failing with a rather ambiguous error. Hopefully, this blog post gets picked up by the search engines, and I can help you save some time if you get this confusing error.
— More Content —
After tweeting the above, one of my followers, NaS IT, @zaab_it, mentioned the tenant-wide setting for unlicensed administrators might be something to consider. I usually don’t have to play with this setting because most administrator accounts get the Intune license through an E3 or E5 bundle. But this doesn’t have to be the case, and when we consult the Microsoft documentation, the default of allowing unlicensed administrators has been there for years.
Unlicensed admins in Microsoft Intune – Microsoft Intune | Microsoft Learn
One reason for allowing unlicensed administrators is to save money, especially if you have many support technicians using Intune. Considerations should be made around Entra ID licensing, as protecting these accounts is recommended as they hold privileges in the Intune console. Also, keep in mind that there is a limit of 350 unlicensed administrators per security group.
But why is it turned off? It depends on when Intune was first enabled for your organization. Should you turn it on? Well, it might lessen the confusion when making global configuration changes with Intune.
Even though this is a global setting, I consider it a very low-risk change, though you cannot back out of it once it has been made. If you want to check or change the configuration here is a quick guide to walk you through it.
To check the current status of your tenant configuration, go to https://intune.microsoft.com and select Tenant Administration.
Select Administrator Licensing.
If unlicensed administrators are allowed, you will see the following confirmation message.
If you see the button Allow access to unlicensed admins, then unlicensed administrators are not enabled. Click the button to configure it.
Click Yes to confirm the change.
The success message is a bit deceiving; this change can take up to 48 hours to complete, so plan ahead.