Why I Couldn’t Assign User to Autopilot Device

Administrators using Microsoft Intune who have created a custom RBAC (Role-Based Access Control) role to manage Autopilot devices and profiles often find that they cannot assign a user to an Autopilot device. The attempt fails with the error message: “<userName> is not licensed to use Intune”. Even though the role appears to be designed for Autopilot devices, the permissions it grants may be insufficient to assign a user to an Autopilot device.

In this article, we will walk through the troubleshooting process for this issue and explain why it occurs, as well as how to resolve it.

Issue: Couldn’t Assign User to Autopilot Device using custom RBAC Autopilot permission

Resolving this issue requires understanding the permissions involved.

You have created a custom RBAC (Role-Based Access Control) role to manage Autopilot devices in Microsoft Intune and assigned it to an Admins group.

The role has the following permissions assigned:

[Screenshot: permissions assigned to the custom RBAC role]

The admin then logs in to the Microsoft Endpoint Manager portal and attempts to assign a user to an Autopilot device.

Although the option to assign a user is available, when the admin selects the user, they receive the following error message: “Assignment failed: "User name" is not licensed to use Intune”.

The error attributes the failed assignment to a licensing issue.

Troubleshooting Steps:

Step 1: Check the user license

The error says “"User name" is not licensed to use Intune”, which refers to the user the admin is trying to add.

Checking the user license, I can see the user has the correct Intune license added to his account.

Step 2: Enable Developer Tools to Collect Browser Trace

To collect logs, open the browser’s Developer Tools and record a network trace. This step helps identify where the process fails during the request to add a user to the Autopilot device.

Step 3: Reproduce the Issue

Log in as an admin with the custom RBAC role and try to add a user to an Autopilot device. Verify the exact error message encountered. Once the issue has been reproduced, export the browser logs as a HAR file.

You can follow this guide to capture browser trace logs for all browser types: Capture Browser Trace

Step 4: Review the Logs

After reviewing the browser trace logs, you might find entries like the following:

User is not authorized to perform this action

The response will also show a 403 Forbidden status.

This indicates that the system is explicitly denying the admin permission to perform the action, so the failure is an authorization problem rather than a licensing one. The next step is to identify the specific permission that is missing.

Adding the right permission to the role resolves the failure and prevents it from recurring.
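One way to triage the HAR file exported in Step 3 for the denied request described in Step 4, as an added example that is not part of the original article. The sample trace, host name and endpoint path are constructed, and the error body is assumed to be JSON with an `error.message` field.

```python
import base64
import json
from urllib.parse import urlsplit

# Constructed sample HAR (not from the article): one allowed call, one denied call.
DENIED_BODY = json.dumps({"error": {"code": "Forbidden",
                                    "message": "User is not authorized to perform this action"}})
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": "https://portal.example.invalid/devices?top=50"},
     "response": {"status": 200, "content": {"text": "{}"}}},
    {"request": {"method": "POST", "url": "https://portal.example.invalid/devices/0000/assignUser?x=1"},
     "response": {"status": 403, "content": {
         "encoding": "base64", "text": base64.b64encode(DENIED_BODY.encode()).decode()}}},
]}}

def body_text(content):
    """Return the response body as text; HAR stores some bodies base64-encoded."""
    text = content.get("text") or ""
    if content.get("encoding") == "base64":
        text = base64.b64decode(text).decode("utf-8", errors="replace")
    return text

def error_message(text):
    """Pull the message out of a JSON error body, else return a short excerpt."""
    try:
        err = json.loads(text).get("error")
    except (ValueError, AttributeError):  # not JSON, or JSON that is not an object
        return text[:200]
    if isinstance(err, dict):
        return err.get("message") or err.get("code") or ""
    return text[:200]

def denied_requests(har, statuses=(401, 403)):
    """List refused requests. Headers and query strings are omitted on purpose:
    a HAR file records bearer tokens and cookies."""
    findings = []
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        if resp.get("status") not in statuses:
            continue
        url = urlsplit(req.get("url", ""))
        findings.append({"method": req.get("method"), "status": resp["status"],
                         "endpoint": f"{url.scheme}://{url.netloc}{url.path}",
                         "message": error_message(body_text(resp.get("content", {})))})
    return findings

if __name__ == "__main__":
    for finding in denied_requests(SAMPLE_HAR):
        print(finding)
```

For a real capture, load the exported file with `json.load` and pass the result to `denied_requests`.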

Solution: Required Permissions for assigning user to autopilot device

This issue occurs when the custom RBAC role assigned to the admin is missing the required permissions to Managed Apps. Specifically, the Read permission for Managed Apps is missing from the RBAC role. This permission is crucial because it allows the admin to assign users to devices under Autopilot.

To resolve the issue, follow these steps to ensure that the custom RBAC role includes the required Read permission for Managed Apps:

  1. Log in to the Microsoft Endpoint Manager admin center:
  2. Go to Roles and Administrators:
    • In the left-hand navigation pane, go to Tenant Administration.
    • Under Roles, select All roles.
  3. Edit the Custom RBAC Role:
    • Find the custom RBAC role that you have assigned to the admin (this will typically be a role that has been tailored for device management or user management).
    • Click on the role to open the settings.
    • Select Properties, then edit Permissions to edit the permissions assigned to the role.
  4. Add the ‘Read’ Permission for Managed Apps:
    • Under Permissions, locate Managed Apps.
    • Ensure that the Read permission for Managed apps is enabled. If it’s missing, you will need to add it.
  5. Save the Changes:
    • After adding the Read permission for Managed Apps, click Review + Save to apply the changes to the custom role.
  6. Test the Assignment Again:
    • After applying the change, have the admin attempt to assign the user to the Autopilot device again.
    • The error messages should no longer appear, and they should be able to successfully assign the user.

Conclusion:

This issue is typically caused by missing permissions in a custom RBAC role. By adding the Read permission for Managed Apps to the role, the admins will be able to assign users to Autopilot devices without encountering the error messages. Always ensure that the necessary permissions are included in custom roles to avoid access issues.
