Soft‑Deleted Entra ID Group Broke an Intune Role

Recently, I ran into a confusing Intune issue that looked like a permissions problem… but turned out to be something completely different and far more subtle.
If you work with Intune RBAC, custom roles and scope tags, this story may save you a lot of troubleshooting.

The Symptom

A custom Intune role I had created — based on the built‑in Helpdesk Operator role — suddenly started showing these errors:

  • “Unable to fetch per‑platform device counts”
  • “An error occurred while fetching certificate details”

The strange part?
Another custom role, also based on Helpdesk Operator and with almost identical permissions, worked perfectly.

So why did one role break and the other not?


First Guess: Permissions Issue (It Wasn’t)

Like most Intune admins would, I assumed the issue had something to do with the role’s permissions:

  • missing read permissions
  • needing reporting rights
  • needing device management rights
  • hidden Graph scopes

All reasonable guesses, but all wrong: even a pure read‑only built‑in role (like “Read Only Operator”) can open those dashboards without errors, so the permission set itself could not be the cause. Something else had to be wrong.


The Real Culprit

After digging deeper, I noticed something unusual in the groups included in the broken role assignment’s scope:

One of the Scope (Groups) entries showed this status:

Soft‑deleted

This means the Entra ID group was deleted at some point, but still in its 30‑day recovery period — not fully removed from the directory yet. Even though the group was no longer valid, Intune still considered it part of the role’s scope definition.

And that’s where the real issue began.


Why a Soft‑Deleted Group Breaks an Intune Role

An Intune role needs a valid, resolvable scope tag to determine which of the following the user is allowed to access:

  • devices
  • configurations
  • policies
  • dashboards

If any group inside the scope list is invalid (soft‑deleted), Intune can no longer calculate an effective scope. When the scope becomes invalid, Intune responds by:

  • blocking dashboard data
  • failing Graph queries
  • returning “Unauthorized” for tenant‑wide objects
  • showing errors even if the permissions are correct

This is exactly what happened here.

The working role had only active groups in the scope.
The broken role had one soft‑deleted group — enough to disrupt the entire scope.


The Fix: Remove the Soft‑Deleted Group

As soon as I removed the soft‑deleted group from the role assignment, everything immediately started working again:

  • device counts loaded
  • certificate details loaded
  • dashboards worked
  • no more Unauthorized messages

It required zero permission changes. Just fixing the scope.


Why This Issue Is Easy to Miss

Most admins don’t regularly check:

  • role assignment scopes
  • group statuses
  • “soft‑deleted” entries inside RBAC
  • group lifecycle vs. role lifecycle

And Intune does not show a warning or helpful explanation.
It simply throws errors that make it look like a permissions issue.

Because of that, it can take a long time to discover the real cause.
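The check described in the two sections above can be scripted rather than eyeballed in the portal. The following PowerShell is an added example, not code from the original post: it joins every Intune role assignment’s scope groups (and, going one step beyond the post, its member groups) against the groups currently sitting in the Entra ID recycle bin. It assumes the Microsoft.Graph PowerShell SDK v2, an account holding DeviceManagementRBAC.Read.All, Group.Read.All and Directory.Read.All, and the Graph v1.0 property names resourceScopes and members on deviceAndAppManagementRoleAssignment; the function names and the sample data at the bottom are constructed for this example.

```powershell
# Added example (not from the original post): audit Intune role assignments for
# groups that are soft-deleted in Entra ID.
# Assumptions: Microsoft.Graph PowerShell SDK v2 installed; signed-in account has
# DeviceManagementRBAC.Read.All, Group.Read.All, Directory.Read.All; property names
# follow the Graph v1.0 deviceAndAppManagementRoleAssignment resource
# (resourceScopes = "Scope (Groups)", members = admin groups holding the role).

function Find-SoftDeletedRoleGroup {
    # Pure comparison, no network: joins the group ids referenced by each role
    # assignment against the set of ids currently in /directory/deletedItems.
    param(
        [Parameter(Mandatory)] [object[]] $RoleAssignments,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $DeletedGroupIds
    )
    $deleted = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]$DeletedGroupIds, [System.StringComparer]::OrdinalIgnoreCase)

    foreach ($ra in $RoleAssignments) {
        $refs = @(
            @{ Kind = 'ScopeGroup'; Ids = @($ra.resourceScopes) }   # what the role may manage
            @{ Kind = 'Member';     Ids = @($ra.members) }          # who holds the role
        )
        foreach ($r in $refs) {
            foreach ($id in $r.Ids) {
                if ($id -and $deleted.Contains($id)) {
                    [pscustomobject]@{
                        RoleAssignment = $ra.displayName
                        Kind           = $r.Kind
                        GroupId        = $id
                    }
                }
            }
        }
    }
}

function Get-GraphCollection {
    # Follows @odata.nextLink so large tenants are paged completely.
    param([Parameter(Mandatory)] [string] $Uri)
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        $page.value
        $Uri = $page.'@odata.nextLink'
    }
}

function Invoke-LiveRoleScopeAudit {
    # Live path (hypothetical helper name): every Intune role assignment joined
    # against every group in the directory recycle bin, enriched with the
    # group's name and deletion time so you know how much of the 30 days is left.
    Connect-MgGraph -Scopes 'DeviceManagementRBAC.Read.All','Group.Read.All','Directory.Read.All' -NoWelcome
    $assignments   = @(Get-GraphCollection -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/roleAssignments')
    $deletedGroups = @(Get-GraphCollection -Uri 'https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.group?$select=id,displayName,deletedDateTime')

    $byId = @{}
    foreach ($g in $deletedGroups) { $byId[$g.id] = $g }

    Find-SoftDeletedRoleGroup -RoleAssignments $assignments -DeletedGroupIds @($deletedGroups | ForEach-Object id) |
        ForEach-Object {
            $_ | Add-Member -NotePropertyName GroupName       -NotePropertyValue $byId[$_.GroupId].displayName -PassThru |
                 Add-Member -NotePropertyName DeletedDateTime -NotePropertyValue $byId[$_.GroupId].deletedDateTime -PassThru
        }
}

# --- Constructed sample run (offline); ids are placeholders, not real objects ---
$sampleAssignments = @(
    [pscustomobject]@{ displayName = 'Helpdesk - Site A'
                       resourceScopes = @('11111111-0000-0000-0000-000000000001')
                       members        = @('22222222-0000-0000-0000-000000000001') }
    [pscustomobject]@{ displayName = 'Helpdesk - Site B'
                       resourceScopes = @('11111111-0000-0000-0000-000000000002',
                                          '11111111-0000-0000-0000-0000000000ff')
                       members        = @('22222222-0000-0000-0000-000000000002') }
)
$sampleDeleted = @('11111111-0000-0000-0000-0000000000ff')   # constructed: pretend this id is in the recycle bin

Find-SoftDeletedRoleGroup -RoleAssignments $sampleAssignments -DeletedGroupIds $sampleDeleted | Format-Table

# Against a real tenant: Invoke-LiveRoleScopeAudit | Format-Table
```

On the constructed sample the comparison flags only “Helpdesk - Site B”, whose scope list carries the recycle‑bin id, which mirrors the two roles in the story: identical permissions, one clean scope, one scope poisoned by a single soft‑deleted group. Running the live path on a schedule gives you the warning Intune itself does not raise, and the DeletedDateTime column tells you whether the group can still be restored or will age out and silently disappear from the scope list on its own.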


Conclusion

This issue was subtle, counter‑intuitive, and easy to misdiagnose.
But the fix was incredibly simple once I understood the root cause.

If you ever encounter unexplained “Unauthorized” errors, dashboard failures, or missing Intune data — before you dive into role permissions or Graph scopes — check your role assignments for soft‑deleted groups.

It might save you a lot of time… like it did for me.
