Environment details:
· Tenant Id: ****0-33c2d-1318-****-1agdq71a2462
· Tenant Initial Domain Name: blogger365.onmicrosoft.com
· Affected user: testuser@blogger365.onmicrosoft.com (134***-1**-1356-31f1-689s3***1h)
Error message: 'No Access'
sessionid: 1fewh22c****8ee51a52199501b
ResourceID: not available
Extension: Microsoft_AAD_IAM
Content: PoliciesTemplateBlade
Error Code: 403
Cause
The user testuser@blogger365.onmicrosoft.com (test example) does not have any Azure AD admin role assigned.
From the documentation, the least-privileged role needed to access the Conditional Access settings is the Conditional Access Administrator role:
Conditional Access | Least-privileged roles by task - Azure Active Directory | Microsoft Docs
Resolution
To grant access to Azure AD Conditional Access, assign the user one of the following roles, according to the permissions you require this user to have:
Roles with permissions to write:
· Conditional Access Administrator
Roles with permissions to read:
In this case, to let the user manage Azure AD Conditional Access, the user had to be assigned the Conditional Access Administrator role.
Since you are enrolled in Azure PIM for role management, you also needed to make sure that the assigned role was in the Activated state, because the Eligible state "only" gives the user the ability to request activation of the role from a Global Administrator or a Privileged Role Administrator.
(If you have been made eligible for an administrative role, then you must activate the role assignment when you need to perform privileged actions. From Activate my Azure AD roles in PIM - Azure Active Directory | Microsoft Docs )
After we activated the role, the user was then able to access the necessary resources.
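The check-then-activate sequence described above, written out as a Microsoft Graph PowerShell script. This is an added example, not part of the original support note: it assumes the Microsoft Graph PowerShell SDK is installed, that the caller holds the Graph scopes named in the Connect-MgGraph call, and that the self-activation step is run as the eligible user (an admin would instead create the eligibility with New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest, as noted in the comment). The UPN is the one from the case; the justification text and the one-hour activation window are constructed values.

```powershell
# Added example (not from the original case notes): tell apart "no role",
# "eligible but not activated" and "active" for the Conditional Access
# Administrator role, and self-activate the PIM eligibility when that is the cause.
# Assumes: Microsoft Graph PowerShell SDK; the scopes below are consented.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory',
                        'RoleEligibilitySchedule.Read.Directory',
                        'RoleAssignmentSchedule.ReadWrite.Directory'

$upn  = 'testuser@blogger365.onmicrosoft.com'   # affected user from the case
$user = Get-MgUser -UserId $upn -Property Id,UserPrincipalName

# Resolve the role definition by display name instead of hard-coding a template id.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition `
    -Filter "displayName eq 'Conditional Access Administrator'"

$scopeFilter = "principalId eq '$($user.Id)' and roleDefinitionId eq '$($roleDef.Id)'"

# 1) Active assignments: permanent assignments or PIM eligibilities already activated.
$active = Get-MgRoleManagementDirectoryRoleAssignmentSchedule -Filter $scopeFilter

# 2) Eligible assignments: PIM eligibilities that grant nothing until activated.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter $scopeFilter

if ($active) {
    Write-Host "$upn already holds an ACTIVE Conditional Access Administrator assignment."
    Write-Host "A 403 on the Conditional Access blade is then not a missing-role problem."
}
elseif ($eligible) {
    Write-Host "$upn is only ELIGIBLE: the role must be activated before the blade opens."
    # Self-activation request, submitted as the eligible user. Depending on the PIM
    # role settings, MFA, a justification or approver sign-off may still be required.
    $request = @{
        Action           = 'selfActivate'
        PrincipalId      = $user.Id
        RoleDefinitionId = $roleDef.Id
        DirectoryScopeId = '/'          # tenant-wide scope
        Justification    = 'Troubleshooting Conditional Access access (support case)'   # constructed
        ScheduleInfo     = @{
            StartDateTime = (Get-Date).ToUniversalTime()
            Expiration    = @{ Type = 'AfterDuration'; Duration = 'PT1H' }   # constructed: 1 hour
        }
    }
    New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $request
}
else {
    Write-Host "$upn has no Conditional Access Administrator assignment at all."
    # An admin would make the user eligible with:
    #   New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    #       Action = 'adminAssign'; PrincipalId = $user.Id; RoleDefinitionId = $roleDef.Id
    #       DirectoryScopeId = '/'; ScheduleInfo = @{ StartDateTime = (Get-Date).ToUniversalTime()
    #                                               Expiration = @{ Type = 'NoExpiration' } } }
    # and the user then activates it as in the branch above.
}
```

Running the two Get-* queries before touching anything is the useful part: an eligible-only result explains the 403 without any change to the tenant, and an active result rules the role out so the investigation can move on to the portal access restriction mentioned below.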
Additionally, the following setting was enabled in your Azure AD:
This setting (which is also regarded as a best practice) prevents users who do not hold any administrator role from accessing Azure AD through the Azure portal.
If you want all non-admin users to be able to access Azure AD through the portal, the requirement for this setting should be discussed internally.