Administrators using Microsoft Intune can encounter an issue where they assigned the RBAC (Role-Based Access Control) role such as “Help Desk Operator” are unable to raise support tickets from the “Help and Support” page. This issue presents itself as an error message: “An error occurred, you don’t have permission to access Help and Support page. Please contact your administrator to open a support request.” Despite being assigned a role seemingly designed to handle support tasks, the Help Desk Operator role does not grant sufficient permissions to access Intune support resources.
In this article, we will walk through the troubleshooting process for this issue and explain why it occurs, as well as how to resolve it.
Table of Contents
Issue: RBAC Admins Unable to Access Help and Support Page
The RBAC built-in role “Help Desk Operator” is typically designed to help support users and troubleshoot basic issues. However, administrators with this role encounter a block when trying to access the “Help and Support” section in the Intune Admin Center. The error displayed to these users reads:
“An error occurred, you don’t have permission to access Help and Support page. Please contact your administrator to open a support request.”
This error leads administrators to believe there might be an issue with the assigned permissions, so they start troubleshooting to determine the cause.
Troubleshooting Steps:
Step 1: Enable Developer Tools to Collect Browser Trace
To collect logs, open the browser’s Developer Tools to collect network traces. This step helps identify where the process fails during the request to access support resources.
Step 2: Reproduce the Issue
log in as an admin with the “Help Desk Operator” role and try to access the Help and Support page within the Intune Admin Center. Verify the exact error message encountered. Once the issue has been reproduced extract the browser logs in a HAR file
You can follow this guide to capture browser trace logs for all browsers types
Capture Browser Trace
Step 3: Review the Logs
After reviewing the browser trace logs, you might find entries like the following:
accessDecision: Not allowed
This indicates that the system is explicitly denying access to the Help and Support page, even though the RBAC admin is assigned the “Help Desk Operator” role. The next step is to examine the specific permissions associated with the “Help Desk Operator” role.
Step 4: Inspect the Help Desk Operator Role Permissions
The RBAC “Help Desk Operator” role appears to offer basic administrative permissions, such as the ability to manage devices, manage Apps and read different configurations. However, when we check the permissions assigned to the role, we find that it does not include permissions for raising or managing support tickets in the Intune Admin Center
Solution: Required Permissions for Raising Intune Tickets
While the RBAC “Help Desk Operator” role is useful for general support tasks, it does not have the required permissions to create support tickets. In fact, raising Intune support tickets is not considered an Intune-specific permission, but rather an Entra Permission tied to Azure Active Directory (Azure AD) roles.
The permissions required to create and manage support tickets are tied to the microsoft.office365.supportTickets action, which is granted by specific Azure AD roles, not Intune roles.
To access the support resources and create/manage support incidents, the admin account must be assigned an Entra role that includes the permission to manage support tickets.
Solution: Assign the Correct Role
To resolve this issue, assign an appropriate Azure AD role that includes permissions for accessing support resources. Specifically, the user needs to be assigned a role such as:
- Service Support Administrator
- Compliance administrator
Or any role that has “microsoft.office365.supportTickets” permission
These roles have the necessary permissions to access the Help and Support page and raise support tickets in the Intune Admin Center.
For more details on how to assign these roles and manage support resources, refer to Microsoft’s documentation on support permissions in Entra:
Microsoft Entra built-in roles – Microsoft Entra ID | Microsoft Learn
Conclusion:
The inability of “Help Desk Operators” to access the Help and Support page in the Intune Admin Center stems from the fact that the role does not include the required permissions to create or manage support tickets. Instead, the permissions required for raising Intune support tickets are part of Azure Active Directory (Azure AD) roles, such as Service Support Administrator or Compliance Administrator. By assigning one of these roles to the user, they will be able to access the Help and Support section and raise support tickets as needed.
This issue highlights the importance of understanding the distinction between Intune-specific RBAC roles and broader Azure AD roles that manage support capabilities.
By following this troubleshooting guide and understanding the underlying permissions, administrators can resolve the issue and ensure they have the necessary access to create support tickets in Intune.
Interested to read more articles from IntuneBytes, this is the link for all posts
Leave a Reply