Intune MDM Authority: You haven’t enabled device management yet.

Scott Duffey
Learning Microsoft Intune
3 min read · Dec 16, 2021

Seen this message before?

MDM Authority — You haven’t enabled device management yet notification in the MEM admin center.

Anyone who has worked in the Microsoft Endpoint Manager admin center has likely seen this notification pop up at some stage. If you configured custom roles and permissions, your chances are even higher.

Issue 1 — Permissions

The root cause is likely related to admin permissions — specifically, the account you signed in to the portal with is missing a crucial permission: Organization \ Read

How to fix?

The fix is to ensure that all of the admins that use the Microsoft Endpoint Manager admin center have the “organization / read” permission assigned to them — It's a default permission in the built-in roles but would be easy to miss if you were creating your own custom ones.
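One way to audit for this, as an added example that is not part of the original post: a Python check over role definitions exported from Microsoft Graph (`GET /deviceManagement/roleDefinitions`) that lists the custom roles lacking Organization / Read. The resource action string `Microsoft.Intune_Organization_Read` is an assumption about how the portal permission is named in Graph, and the sample JSON and "Contoso" role names are constructed for illustration.

```python
import json

# Assumption: "Organization / Read" appears in Graph as this resource action.
REQUIRED = "microsoft.intune_organization_read"

# Constructed sample in the shape returned by
# GET https://graph.microsoft.com/v1.0/deviceManagement/roleDefinitions
SAMPLE = json.loads("""
{"value": [
 {"displayName": "Help Desk Operator", "isBuiltIn": true,
  "rolePermissions": [{"resourceActions": [{"allowedResourceActions":
    ["Microsoft.Intune_Organization_Read", "Microsoft.Intune_ManagedDevices_Read"],
    "notAllowedResourceActions": []}]}]},
 {"displayName": "Contoso Device Readers", "isBuiltIn": false,
  "rolePermissions": [{"resourceActions": [{"allowedResourceActions":
    ["Microsoft.Intune_Organization_Read", "Microsoft.Intune_ManagedDevices_Read"],
    "notAllowedResourceActions": []}]}]},
 {"displayName": "Contoso App Deployers", "isBuiltIn": false,
  "rolePermissions": [{"resourceActions": [{"allowedResourceActions":
    ["Microsoft.Intune_MobileApps_Read", "Microsoft.Intune_MobileApps_Assign"],
    "notAllowedResourceActions": []}]}]},
 {"displayName": "Contoso Empty Role", "isBuiltIn": false, "rolePermissions": []}
]}
""")

def effective_actions(role):
    """Lower-cased allowed actions of a role, minus any explicitly not allowed."""
    allowed, denied = set(), set()
    for perm in role.get("rolePermissions") or []:
        for ra in perm.get("resourceActions") or []:
            allowed.update(a.lower() for a in ra.get("allowedResourceActions") or [])
            denied.update(d.lower() for d in ra.get("notAllowedResourceActions") or [])
    return allowed - denied

def roles_missing_org_read(response, include_builtin=False):
    """Names of roles whose effective actions lack Organization / Read."""
    missing = []
    for role in response.get("value", []):
        if role.get("isBuiltIn") and not include_builtin:
            continue  # built-in roles carry the permission by default
        if REQUIRED not in effective_actions(role):
            missing.append(role.get("displayName", "<unnamed>"))
    return sorted(missing)

if __name__ == "__main__":
    for name in roles_missing_org_read(SAMPLE):
        print(f"custom role missing Organization/Read: {name}")
```

Admins assigned only to a flagged role are the ones who would see the MDM authority notification for the permissions reason.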

Issue 2 — Unlicensed admin

To use the MEM admin center, admins need to either have an Intune license assigned to their account or have the “Unlicensed admins” feature enabled in the tenant. If this isn't done, the same MDM authority message can pop up.

How to fix?

  1. Assign an Intune license for the admin, or
  2. Turn on the “Unlicensed admins” feature. Note — All Intune accounts created before mid 2020 will have this enabled by default. After you do it, any admin who is in the “Admin group” for a role assignment will be allowed to use the portal without this message annoying them.

Why the funky “MDM Authority” message then?

The notification message about MDM authority is really not very intuitive for the cases I described above — The term MDM Authority is mostly a hangover from when Intune admins were required to make a choice of “MDM authority” when provisioning a new account. The portal UX was designed in a way that requires reading this setting to customize the experience. Those who have worked with Intune for longer than a couple of years will remember when you actually had an MDM authority choice:

  • Intune standalone (admin uses the MEM console), or
  • SCCM (admin uses the SCCM console)

Nowadays, for new accounts you really don't need to worry about this MDM authority nonsense. The MDM authority is automatically set to Intune standalone during account provisioning as the SCCM option has gone away in favor of a better co-management approach.

One additional note for completeness —

There is a legitimate happy path to see this message, although it is rare in my experience. There is a case where the MDM authority could currently be set to “Office 365” and requires upgrading to Intune Standalone. This happens if you started with adding Office 365 licensing only (no Intune, EMS or M365) to your account and specifically enabled “Basic Mobility and Security” in Office 365. “Basic Mobility and Security” is not really Intune, but uses some common infrastructure. If you later went and bought Intune licenses and went to the MEM admin center, you may need to switch using this UX.

Thanks for reading — This was a quick post, but I wanted to share in case folks stumble on this and need a quick answer. In the meantime, I’ll talk to some folks about making this silly little message disappear from the console when it doesn't apply!

- Scott

12/17/21 — Updated to add the unlicensed admin reason.
