The Intune Certificate Connectors provides users and devices managed by Intune (joined in Azure AD) to (auto-)enroll certificates in an Active Directory Certificate Authority, either on-premise or in Azure. The connector is a piece of software which allows Intune to enroll and issue certificates on behalf of users/devices that aren't joined directly in the local AD but are joined in Azure AD instead, and needs to be installed on a server in the same AD domain as the Certificate Authority.

The installation is outlined here, but it isn't entirely complete as it omits a few requirements. After the installation, you are required to enter the credentials of an account with Azure Global administrator permissions, but this is only part of the requirement. The account you use needs to be licensed for Intune, otherwise the registration process for the connector will fail with this error:

In short, these are the things to check when installing and registering ("enrolling" as they call it during the setup process):

• IE ESC needs to be disabled on the server running the connector for the account you are logged in.
• The user you use to sign in to register the connector needs to have a license for Intune.
• The user you use to sign in to register the connector needs to be a Global Administrator.

Once the connector is registered (i.e. it is visible in the list of Certificate connectors in Intune), the user no longer needs to be a Global Administrator and no longer needs to have a license for Intune.