Intune App Update Fails? Fix Insufficient Permissions Now!
Managing applications within Microsoft Intune is a core responsibility for many administrators, ensuring that users have access to the necessary tools and that these applications remain secure and up-to-date. Intune’s sophisticated Role-Based Access Control (RBAC) system allows organizations to delegate administrative tasks with fine-grained control. However, improperly configured permissions are a frequent source of frustration, often leading to unexpected errors during routine tasks like updating applications. This article addresses a specific, common error encountered when attempting to save changes to an application in Intune: the “Save application failed” message, specifically citing insufficient permissions.
When working with custom administrator roles in Microsoft Intune, you might configure a role assignment that appears to grant all the necessary permissions to manage applications. You can create, configure, and even assign applications to groups. Yet, despite seemingly having the correct administrative rights, when you try to save an update to an existing application’s configuration, you are met with a cryptic error message:
Save application failed.
You don’t have enough permissions to update this application, contact your administrator.
This error is particularly vexing because the administrator performing the action often holds an administrative role, or has been explicitly granted permissions they believe should cover this task. The message itself is broad, indicating a permission issue but not pinpointing the exact nature of the missing permission or configuration oversight. This situation disrupts workflows and requires investigation into the complex interplay of Intune’s RBAC elements.
Understanding Intune Role-Based Access Control (RBAC)
To understand the cause of this specific error and, more importantly, how to fix it, it’s crucial to have a solid grasp of how Intune’s RBAC system functions. RBAC in Intune allows administrators to control who can perform specific tasks and on which sets of users, devices, or objects. It’s built upon several key components:
- Roles: A role is a collection of permissions. Intune provides built-in roles (like “Application Manager,” “Policy and Profile Manager,” “Intune Service Administrator”) that cover common administrative functions. You can also create Custom Roles by selecting specific permissions to build a role tailored to your organization’s needs. For example, a custom role might only allow managing iOS applications and wiping corporate devices, but nothing else.
- Permissions: These are the individual rights that define what actions an administrator can perform. Examples include “Read applications,” “Create applications,” “Update applications,” “Delete applications,” “Assign applications,” “Read profiles,” “Wipe devices,” etc. To update an application, the administrator’s role assignment must include the relevant “Update applications” permission. While having this permission is necessary, it is not always sufficient on its own, as we will see.
- Scope (Objects): This determines which specific objects an administrator can manage based on the role assignment. Scope (Objects) uses Scope Tags. Objects in Intune (like applications, policies, configuration profiles, enrollment programs, etc.) can be assigned one or more Scope Tags. An administrator’s role assignment can then be limited to managing only objects that have a specific Scope Tag. For instance, an admin might be able to manage only applications tagged “Sales Department” or policies tagged “Corporate Devices”. This ensures that administrators only impact the resources relevant to their area of responsibility.
- Scope (Groups): This is arguably the most critical element for understanding the error discussed in this article. Scope (Groups) determines on which users and devices the administrator’s assigned role applies. It defines the set of user or device groups whose members can be administered by someone assigned this role. For example, an administrator’s role assignment might specify a Scope (Groups) that includes only the “Western Region Users” group and the “Executive Devices” group. This means that this administrator can only perform actions (defined by their permissions and Scope (Objects)) on users and devices that are members of these specific groups.
When an administrator performs an action, such as updating an application, Intune performs a permission check that involves all these layers. It checks if the administrator has the right permissions (from their role), if the object (the application) is within their Scope (Objects) (based on Scope Tags), and critically, if the users/devices targeted by the application are within the administrator’s Scope (Groups).
The Root Cause Explained
The core reason you receive the “Save application failed” error message with the “insufficient permissions” detail, even when your custom role includes the “Update applications” permission and you might even have the correct Scope Tag assigned to the application (Scope (Objects)), is due to a mismatch in the Scope (Groups) configuration of your custom role assignment.
Here’s the breakdown:
- You are using a custom administrator role assignment in Intune.
- This role assignment defines your administrative rights. It includes permissions like “Update applications”.
- It also defines a Scope (Groups), limiting the user and device groups that this administrator can manage.
- The application you are trying to update is assigned to one or more user or device groups (these are the application’s targeted groups).
- The error occurs because at least one of the groups that the application is assigned to (its targeted groups) is NOT included in the Scope (Groups) defined in your custom administrator role assignment.
Intune’s RBAC system is designed with a principle of least privilege and explicit scope. When an administrator attempts to modify an application, Intune not only verifies that the administrator has permission to modify applications and access the application object itself (via Scope Tags) but also verifies that the administrator has the authority to affect the users or devices that the application is intended for. If the application is targeted at a group of users or devices that are outside the administrator’s defined Scope (Groups), Intune interprets this as the administrator attempting to manage resources (the user/device groups receiving the app) they are not authorized to manage. Therefore, the “Save application failed” error is thrown because the act of saving the application update inherently affects the application’s assignment to groups that are outside the administrator’s permitted Scope (Groups).
It’s a common point of confusion because administrators often think of “managing the application” as distinct from “managing the users/devices the application is assigned to.” However, from Intune’s RBAC perspective, updating an application assigned to groups you are not authorized to manage via your Scope (Groups) is a disallowed action.
Let’s differentiate Scope (Groups) and Scope (Objects) clearly, as this distinction is key to solving this problem:
Feature | Scope (Groups) | Scope (Objects) (using Scope Tags) |
---|---|---|
What it controls | Which users and devices the administrator can manage. | Which Intune objects (apps, policies, etc.) the administrator can manage. |
How it’s defined | By selecting specific Azure AD user or device groups within the role assignment. | By assigning Scope Tags to Intune objects and selecting corresponding Scope Tags within the role assignment. |
Impact on our error | The administrator must have the application’s targeted groups included in their Scope (Groups). | The administrator must have the Scope Tag assigned to the application included in their Scope (Objects). This error specifically points to the Scope (Groups) being the issue. |
Example | An admin can manage users/devices in the “Finance Dept” group. | An admin can manage apps/policies tagged “HR”. |
The error message specifically highlights the Scope (Groups) limitation, stating you don’t have permissions to “update this application,” but the underlying reason is your lack of scope over the targets of the application.
Step-by-Step Solution
The solution involves modifying the custom role assignment to include the targeted groups of the application within the administrator’s Scope (Groups).
Prerequisites:
- Identify the custom administrator role assignment that the affected administrator is using.
- Identify the Azure AD user and/or device groups that the application failing to update is currently assigned to. You can find this by going to the application in Intune and checking its “Assignments”.
Steps to Modify the Role Assignment:
- Navigate to the Microsoft Endpoint Manager admin center (endpoint.microsoft.com).
- In the left-hand navigation pane, expand Tenant administration.
- Select Roles.
- Under “Intune roles”, select All roles.
- Find and select the Custom Role that is assigned to the administrator experiencing the issue.
- On the role’s overview page, select Assignments.
- Click on the specific role assignment that applies to the administrator in question.
- On the assignment’s properties page, click Properties (or “Edit” next to the relevant section if displayed this way).
- Scroll down to the Scope (Groups) section. This section lists the Azure AD groups whose members the administrator is authorized to manage.
- Click Edit next to the Scope (Groups) section.
- Click Add groups.
- Search for and select the Azure AD user and/or device group(s) that the application is assigned to. Ensure you add all groups the application is targeted towards.
- Click Select once you have added all necessary groups.
- Review the changes, ensuring the required groups are now listed under Scope (Groups).
- Click Review + save.
- Click Save.
After saving the role assignment with the updated Scope (Groups), allow a few minutes for the changes to propagate through the system. The administrator should then be able to update and save changes to the application without encountering the “Save application failed” error related to insufficient permissions, provided their role also has the necessary “Update applications” permission and correct Scope (Objects) (Scope Tags) applied to the application.
It is crucial to ensure that the Scope (Groups) includes all target groups of the application. If an application is assigned to Group A and Group B, and the administrator’s Scope (Groups) only includes Group A, they will still encounter the error when trying to update the application. The administrator’s scope must encompass the entire target audience of the application they are modifying.
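As an added illustration (not code from the article or from Intune itself), the following Python model reproduces the three-layer evaluation described in the root-cause section and the partial-coverage case above: the save is refused as soon as any of the application's target groups lies outside Scope (Groups), and the result lists the missing groups that the error message leaves out. The class names, field names, group names and Scope Tag names are assumptions made for the example.

```python
from dataclasses import dataclass, field, replace

# Constructed model of the three-layer check the article describes; an
# illustration for this page, not Intune's implementation. Names are made up.

@dataclass(frozen=True)
class RoleAssignment:
    permissions: frozenset    # role permissions, e.g. "Update applications"
    scope_tags: frozenset     # Scope (Objects): Scope Tags the admin may manage
    scope_groups: frozenset   # Scope (Groups): groups the admin may affect

@dataclass(frozen=True)
class MobileApp:
    scope_tags: frozenset     # Scope Tags set on the app object
    target_groups: frozenset  # groups listed under the app's Assignments

@dataclass
class CheckResult:
    allowed: bool
    reasons: list = field(default_factory=list)
    missing_scope_groups: frozenset = frozenset()

def evaluate_update(role: RoleAssignment, app: MobileApp) -> CheckResult:
    """Return whether 'role' may save 'app' and, if not, every reason why."""
    reasons = []
    if "Update applications" not in role.permissions:
        reasons.append("role lacks the 'Update applications' permission")
    # Assumption: the app is in scope when at least one of its Scope Tags
    # appears in the role's Scope (Objects).
    if not (app.scope_tags & role.scope_tags):
        reasons.append("none of the app's Scope Tags are in Scope (Objects)")
    # The check the error message does not spell out: every group the app is
    # assigned to must be inside Scope (Groups); one missing group is enough.
    missing = app.target_groups - role.scope_groups
    if missing:
        reasons.append("app targets groups outside Scope (Groups): "
                       + ", ".join(sorted(missing)))
    return CheckResult(not reasons, reasons, frozenset(missing))

def demo():
    """Reproduce the failure, then apply the article's fix and re-check."""
    sales_admin = RoleAssignment(
        permissions=frozenset({"Read applications", "Update applications"}),
        scope_tags=frozenset({"Sales"}),
        scope_groups=frozenset({"Group A"}),      # Group B is missing
    )
    crm_app = MobileApp(scope_tags=frozenset({"Sales"}),
                        target_groups=frozenset({"Group A", "Group B"}))
    before = evaluate_update(sales_admin, crm_app)
    # The fix: add every group the app targets to the role's Scope (Groups).
    fixed_admin = replace(sales_admin, scope_groups=sales_admin.scope_groups
                          | crm_app.target_groups)
    after = evaluate_update(fixed_admin, crm_app)
    return before, after
```

Running `demo()` returns the denied result (naming Group B as the missing scope group) followed by the allowed result after the role assignment's Scope (Groups) has been widened.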
Visualizing the Problem and Solution
A simple diagram can help illustrate the relationship between the administrator, the role assignment, the application, and its targets that leads to the error.
```mermaid
graph TD
    A[Admin User] --> R{Role Assignment};
    R --> Permissions("Permissions: Update Apps, etc.");
    R --> ScopeObjects("Scope (Objects): Scope Tags");
    R --> ScopeGroups("Scope (Groups): Limited Groups");
    App[Application] --> AppAssignment("Assignments: Target Groups X, Y, Z");
    subgraph Role Evaluation
        Permissions --> CheckPerm(Check Permissions);
        ScopeObjects --> CheckObjectScope(Check Object Scope);
        ScopeGroups --> CheckGroupScope(Check Target Group Scope);
    end
    AppAssignment --> CheckGroupScope;
    CheckPerm --> Result(Permissions OK);
    CheckObjectScope --> Result;
    CheckGroupScope -- "Groups X, Y, Z NOT in Limited Groups" --> ErrorMsg["Error: Save application failed<br>Insufficient permissions"];
    CheckGroupScope -- "Groups X, Y, Z in Limited Groups" --> Result;
    Result -- All Checks Pass --> Success[Application Update Successful];
```
This diagram shows that even if the administrator has the necessary permissions (`CheckPerm`) and the application is within their object scope (`CheckObjectScope`), the check against `ScopeGroups` fails if the application’s target groups (`AppAssignment`) are not fully contained within the administrator’s `Limited Groups`.
The solution is to modify the `ScopeGroups` for the Role Assignment to include the necessary `Target Groups X, Y, Z`.
Best Practices for Intune RBAC
Preventing these types of permission errors requires careful planning and adherence to best practices when configuring Intune RBAC:
- Principle of Least Privilege: Always grant administrators only the permissions and scope they absolutely need to perform their job functions. This minimizes the potential attack surface and prevents accidental or malicious actions outside their intended scope.
- Plan Your Scope Tags: Before deploying Intune widely, design a clear strategy for using Scope Tags. Base them on organizational structure (e.g., departments, locations), device ownership (corporate, personal), or function (e.g., critical infrastructure, pilot group). Consistent application of Scope Tags makes managing Scope (Objects) significantly easier.
- Align Scope (Groups) with Responsibility: Ensure that the Scope (Groups) defined in a role assignment accurately reflect the set of users and devices that the administrator is responsible for managing. If an admin supports users in the “EMEA Sales” group, their Scope (Groups) should include “EMEA Sales”.
- Document Role Assignments: Keep clear documentation of your custom roles, their assigned permissions, and, importantly, the Scope (Groups) and Scope (Objects) defined in their assignments. This helps in troubleshooting when permission issues arise.
- Regularly Review Assignments: Periodically review administrator role assignments to ensure they are still necessary and configured correctly as roles and responsibilities within your organization change.
- Test Custom Roles: Before deploying a custom role assignment to production administrators, test it with a pilot administrator account to verify that the granted permissions and defined scopes function as expected and do not encounter unexpected errors like the one discussed here.
Further Troubleshooting Tips
While the mismatched Scope (Groups) is the specific cause addressed in this article, other RBAC misconfigurations can also lead to permission errors. If adjusting the Scope (Groups) does not resolve the issue, consider these other areas:
- Verify Required Permissions: Double-check that the custom role truly includes the specific permission needed for the action you are performing (e.g., “Update applications”). Even a slight naming difference can matter.
- Check Scope (Objects) and Scope Tags: Ensure that the application you are trying to manage has the correct Scope Tag(s) assigned, and that your administrator role assignment includes those same Scope Tag(s) in its Scope (Objects). If the application lacks a necessary Scope Tag, or the administrator’s assignment doesn’t include it, they won’t be able to manage the object itself.
- Group Membership Propagation: Remember that changes to Azure AD group memberships or Intune role assignments can take some time to propagate. If you’ve just made a change, wait a few minutes before testing again.
- Assignment Filters: If Assignment Filters are in use, ensure that they are not inadvertently blocking the application assignment to the targeted groups in a way that might interfere with the administrator’s ability to manage that assignment scope. While less likely to cause this specific error, it’s part of the assignment evaluation process.
Understanding the layers of Intune RBAC – Permissions, Scope (Objects) (via Scope Tags), and Scope (Groups) – is essential for effective administration and troubleshooting. This specific “Save application failed” error serves as a strong reminder of the importance of correctly configuring Scope (Groups) relative to the target audience of the resources being managed.
Relevant Video Content
To further explore Intune RBAC and permissions management, consider reviewing resources like the following video which provides an overview of Intune roles and permissions. Please note: The specific fix for this article’s issue might not be detailed in external videos, but they offer valuable foundational knowledge on the underlying concepts.
Conclusion
The error “Save application failed. You don’t have enough permissions to update this application” when using a custom Intune role is a clear indicator that the administrator’s scope, specifically their Scope (Groups), does not encompass the groups to which the application is assigned. By identifying the application’s target groups and adding them to the administrator’s custom role assignment’s Scope (Groups) configuration, you directly address the root cause and restore the ability to manage the application. Implementing robust RBAC practices, including careful planning of roles, permissions, Scope Tags, and Scope (Groups), is fundamental to maintaining a secure and efficiently managed Intune environment.
Have you encountered this specific error or other challenging permission issues in Intune? How did you troubleshoot and resolve them? Share your experiences and tips in the comments section below! Your insights can help others facing similar challenges.