maester365 · SamErde · Mar 29, 2026 · Feb 25, 2026 · Mar 5, 2026 · Mar 5, 2026
@@ -1,6 +1,29 @@
 This test checks for the existence of Intune Diagnostic settings collecting Intune Audit Logs.
 
+#### Test Prerequisites
 
+For this test to run, the executing principal must have permissions to read Intune diagnostic settings in Azure (`microsoft.intune/diagnosticSettings/read` action). This typically requires at least the 'Monitoring Reader' or 'Reader' Azure role assigned at the subscription level (for example, with scope `/subscriptions/$SubscriptionId`), which provides access to the provider-level Intune diagnostic settings.
+
+Alternatively, you can create a custom RBAC role with the following snippet:
+
+```powershell
+# Get the subscription ID and user ID from the current context. Change if necessary.
+$SubscriptionId = "$((Get-AzContext).Subscription.Id)"
+$UserId = (Get-AzADUser -UserPrincipalName (Get-AzContext).Account.Id).Id
+
+$CustomRole = @{
+    Name = 'Intune Diagnostic Settings Reader'
+    Description = 'Can read Intune diagnostic settings only'
+    Actions = @('microsoft.intune/diagnosticSettings/read')
+    NotActions = @()
+    AssignableScopes = @("/subscriptions/$SubscriptionId")
+}
+
+New-AzRoleDefinition -Role $CustomRole
+
+# Assign the custom role at subscription level
+New-AzRoleAssignment -ObjectId $UserId -RoleDefinitionName 'Intune Diagnostic Settings Reader' -Scope "/subscriptions/$SubscriptionId"
+```
 
 #### Remediation action
 

@@ -31,6 +31,16 @@ function Test-MtIntuneDiagnosticSettings {
     try {
         Write-Verbose 'Retrieving Intune Diagnostic Settings status...'
         $diagnosticSettingsRequest = Invoke-AzRestMethod -Method GET -Path "/providers/microsoft.intune/diagnosticSettings?api-version=2017-04-01-preview"
+
+        # check whether the user has permissions to read diagnostic settings
+        if ($diagnosticSettingsRequest.StatusCode -ne '200') {
+            if ($diagnosticSettingsRequest.StatusCode -in @('401', '403')) {
+                throw [System.UnauthorizedAccessException]::new('No Azure RBAC permissions to read Intune diagnostic settings.')
+            } else {
+                throw [System.Exception]::new(("Failed to retrieve Intune diagnostic settings. HTTP status code: {0}" -f $diagnosticSettingsRequest.StatusCode))
+            }
+        }
+
         $diagnosticSettings = @($diagnosticSettingsRequest | Select-Object -ExpandProperty Content | ConvertFrom-Json | Select-Object -ExpandProperty value)
         $testResultMarkdown = ''
         if ($diagnosticSettings) {
@@ -62,6 +72,9 @@ function Test-MtIntuneDiagnosticSettings {
         }
         Add-MtTestResultDetail -Result $testResultMarkdown
         return [bool]($diagnosticSettings | Where-Object { $_.properties.logs | Where-Object { $_.category -eq 'AuditLogs' -and $_.enabled -eq $true } })
+    } catch [System.UnauthorizedAccessException] {
+        Add-MtTestResultDetail -SkippedBecause Custom -SkippedCustomReason 'Insufficient permissions to read Intune diagnostic settings in Azure.'
+        return $null
     } catch {
         Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_
         return $null