I'm the ERP manager at a mid-sized company and manage some admin rights across M365, Azure, and Intune. My role involves initializing laptops for new hires, but currently, it seems that only our global admin can perform the initial login required to set up these devices and add them to Intune. This is proving to be a hassle because every time I need to initialize a device, I have to call my boss, the CIO, for authentication, and he's on vacation right now. Can anyone tell me what specific admin rights I need in M365 to allow my account to handle device initialization without having to rely on him? I'm getting hit with error code 53003 when I try to log in.
3 Answers
You might want to check your admin roles in Entra. You can assign a different admin role for this so that you can manage device setups without needing the global admin account every time. Also, make sure to update the settings in the Intune Admin Center accordingly.
In our setup, we allow users to initialize their own machines. We just create a group that has permissions for "Users may join devices to Microsoft Entra," and that simplifies things. You can find the settings in the Microsoft Entra admin center under Devices > Device settings. After the setup, I just remove them from the group.
To avoid that error (53003), you'll need both the Cloud Device and Intune admin roles set in Entra ID. Also, ensure your user account is permitted under the "Users may join devices to Azure" setting in device configurations.
That’s a solid approach! Have you considered allowing all users to enroll devices while restricting them to just one at a time? It might save you even more hassle.
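As an added example (not code from any of the posters), this script checks an account's Entra memberships, in the shape Microsoft Graph returns from `/users/{id}/memberOf`, against the rights the answers above name: the Cloud Device Administrator and Intune Administrator role pair, or membership in the group allowed under "Users may join devices". It also flags Global Administrator being used for routine enrollment, which is the least-privilege point behind the question. The group name `SG-Device-Join` and the sample data are constructed; the role template IDs are Microsoft's well-known built-in values.

```python
from dataclasses import dataclass

# Well-known built-in Entra role template IDs (identical in every tenant).
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
CLOUD_DEVICE_ADMIN = "7698a772-787b-4ac8-901f-60d6b08affd2"
INTUNE_ADMIN = "3a2c62db-5318-420d-8d74-23affee5d9d5"

# Constructed sample shaped like the "value" array of GET /users/{id}/memberOf:
# directoryRole objects carry roleTemplateId, group objects carry displayName.
# Note: memberOf lists only *active* roles; PIM-eligible roles do not appear.
SAMPLE_MEMBER_OF = [
    {"@odata.type": "#microsoft.graph.directoryRole",
     "roleTemplateId": CLOUD_DEVICE_ADMIN, "displayName": "Cloud Device Administrator"},
    {"@odata.type": "#microsoft.graph.group", "displayName": "SG-Device-Join"},
]

@dataclass
class EnrollmentAudit:
    cloud_device_admin: bool
    intune_admin: bool
    global_admin: bool
    in_join_group: bool

    def can_enroll(self) -> bool:
        # Per the answers: the role pair, or the device-join group, is enough.
        # Global Admin also works, but should not be the everyday path.
        return (self.cloud_device_admin and self.intune_admin) or self.in_join_group or self.global_admin

    def least_privilege_findings(self) -> list[str]:
        findings = []
        if self.global_admin:
            findings.append("Global Administrator used for routine enrollment; delegate a narrower role or group instead")
        if self.cloud_device_admin != self.intune_admin and not self.in_join_group:
            findings.append("only one of Cloud Device / Intune admin is assigned and the account is not in the join group")
        return findings

def audit_member_of(member_of: list[dict], join_group_name: str) -> EnrollmentAudit:
    """Classify a memberOf list into the rights relevant to device enrollment."""
    role_ids = {o.get("roleTemplateId") for o in member_of
                if o.get("@odata.type") == "#microsoft.graph.directoryRole"}
    groups = {o.get("displayName") for o in member_of
              if o.get("@odata.type") == "#microsoft.graph.group"}
    return EnrollmentAudit(CLOUD_DEVICE_ADMIN in role_ids, INTUNE_ADMIN in role_ids,
                           GLOBAL_ADMIN in role_ids, join_group_name in groups)

if __name__ == "__main__":
    result = audit_member_of(SAMPLE_MEMBER_OF, "SG-Device-Join")
    print(result, result.can_enroll(), result.least_privilege_findings())
```

Feed it the real `memberOf` value for the account in question (and, if PIM is in use, the activated roles) to see which of the two paths the answers describe is actually in place.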