From c6095946c40397174e969e02af4738dc74909e44 Mon Sep 17 00:00:00 2001 
From: nilakhum <117947820+nilakhum@users.noreply.github.com>
Date: Wed, 3 Sep 2025 22:43:17 +0530
Subject: [PATCH 1/2] Update azure-services-wizard.md

We have confirmed from lab test as well as cx in environment. The Privileged Admin role permissions are insufficient to renew secret key in SCCM 2409. With Global Administrator role permissions, the secret key gets renewed successfully.

verbose smsadminui.log:

09-03-2025 08:30:37.000 1 (0x1) Executing WQL: 'SELECT Environment,TenantID, Name FROM SMS_AAD_Tenant_Ex WHERE ID = 1'
09-03-2025 08:30:37.000 1 (0x1) Executing WQL: 'select EnvironmentName, ManagementPortalURL , PublishSettingsURL, ServiceManagementEndpoint, ResourceManagerEndpoint, ActiveDirectoryEndpoint, GalleryEndpoint, KeyVaultEndpoint, GraphEndpoint, StorageEndpointSuffix, SQLDatabaseDNSSuffix, TrafficManagerDNSSuffix, KeyVaultDNSSuffix, ServiceBusEndpointSuffix, CloudServiceSuffix, GatewayService, CMMicroServiceResourceEndpoint, MicrosoftGraphEndpoint, MicrosoftGraphAudience, ServiceFabricSuffix from SMS_AzureEnvironments where ID = 1'
09-03-2025 08:30:58.000 35 (0x23) { "error": { "code": "Authorization_RequestDenied", "message": "Insufficient privileges to complete the operation.", "innerError": { "date": "2025-09-03T12:30:58", "request-id": "bac56e2e-d455-445f-9cbc-60ab9e32df9c", "client-request-id": "bac56e2e-d455-445f-9cbc-60ab9e32df9c" } } }
09-03-2025 08:30:58.000 1 (0x1) System.Exception { "error": { "code": "Authorization_RequestDenied", "message": "Insufficient privileges to complete the operation.", "innerError": { "date": "2025-09-03T12:30:58", "request-id": "bac56e2e-d455-445f-9cbc-60ab9e32df9c", "client-request-id": "bac56e2e-d455-445f-9cbc-60ab9e32df9c" } } } System.Net.WebException The remote server returned an error: (403) Forbidden.
at System.Net.HttpWebRequest.GetResponse() at Microsoft.ConfigurationManagement.AdminConsole.CloudServicesManagement.AAD.AADDataHandler.AddServerAppSecretKey(String objectId, String secretkeyJson) --- .../core/servers/deploy/configure/azure-services-wizard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/intune/configmgr/core/servers/deploy/configure/azure-services-wizard.md b/intune/configmgr/core/servers/deploy/configure/azure-services-wizard.md index ff56cc3bd3f..8a9a7475b0a 100644 --- a/intune/configmgr/core/servers/deploy/configure/azure-services-wizard.md +++ b/intune/configmgr/core/servers/deploy/configure/azure-services-wizard.md @@ -271,7 +271,7 @@ For more information on how to interact with these notifications, see [Configura > [!NOTE] > You need to have at least the "Cloud Application Administrator" Microsoft Entra role assigned to be able to renew the key. -> From ConfigMgr 2409 onwards, Microsoft graph replaces the Azure AD graph which has [changed permissions for the same role](/graph/migrate-azure-ad-graph-permissions-differences). The mimimum privileged security role for renewing the security key now is **Privileged Role Administrator** +> From ConfigMgr 2409 onwards, Microsoft graph replaces the Azure AD graph which has [changed permissions for the same role](/graph/migrate-azure-ad-graph-permissions-differences). Use **Global Administrator Role** for renewing the security key . ### Renew key for created app From db4a104ae5aa8c09a19aad5740b91b84248f40f0 Mon Sep 17 00:00:00 2001 
From: nilakhum <117947820+nilakhum@users.noreply.github.com>
Date: Wed, 3 Sep 2025 23:41:24 +0530
Subject: [PATCH 2/2] Update azure-services-wizard.md

Undoing the previous change, even though lab testing has shown that the Privilege Admin role is insufficient to renew the secret key. Will open a collab with the Microsoft Entra team to investigate and will propose to update the doc afterwards.

--- .../core/servers/deploy/configure/azure-services-wizard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/intune/configmgr/core/servers/deploy/configure/azure-services-wizard.md b/intune/configmgr/core/servers/deploy/configure/azure-services-wizard.md index 8a9a7475b0a..8ffb75795ed 100644 --- a/intune/configmgr/core/servers/deploy/configure/azure-services-wizard.md +++ b/intune/configmgr/core/servers/deploy/configure/azure-services-wizard.md @@ -271,7 +271,7 @@ For more information on how to interact with these notifications, see [Configura > [!NOTE] > You need to have at least the "Cloud Application Administrator" Microsoft Entra role assigned to be able to renew the key. -> From ConfigMgr 2409 onwards, Microsoft graph replaces the Azure AD graph which has [changed permissions for the same role](/graph/migrate-azure-ad-graph-permissions-differences). Use **Global Administrator Role** for renewing the security key . +> From ConfigMgr 2409 onwards, Microsoft graph replaces the Azure AD graph which has [changed permissions for the same role](/graph/migrate-azure-ad-graph-permissions-differences). The mimimum privileged security role for renewing the security key now is Privileged Role Administrator. ### Renew key for created app
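Review bot: the replacement line in the PATCH 1/2 hunk turns a stated minimum role into a blanket instruction to use Global Administrator, the most privileged Entra role, and leaves it sitting under the unchanged line that says "at least the 'Cloud Application Administrator'" role is enough, so the note now contradicts itself. The smsadminui.log excerpt in the commit message shows Privileged Role Administrator getting Authorization_RequestDenied (403) from AddServerAppSecretKey; that demonstrates one lesser role failing, not that Global Administrator is the lowest role that works, so the sentence should state what was observed (for example "Privileged Role Administrator was not sufficient in our testing; Global Administrator is known to work") and the "at least Cloud Application Administrator" line should be reconciled or removed. Also drop the stray space in "security key ." and the word "Role" inside the bold, since the role is named Global Administrator.

Review bot: the restored line in the PATCH 2/2 hunk keeps the "mimimum" typo (should be "minimum") and removes the bold from the role name while the line above still quotes "Cloud Application Administrator"; if the emphasis is intentionally dropped, quote the name for consistency. The commit message itself says lab testing showed Privileged Role Administrator is insufficient, so reinstating "The minimum privileged security role ... is Privileged Role Administrator" publishes a claim the author's own evidence contradicts; either hold this revert until the Entra team investigation concludes, or word the note so it does not assert a minimum. Minor, on the same edited line: "Microsoft graph" and "Azure AD graph" are product names and should read "Microsoft Graph" and "Azure AD Graph".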