Blog Post

Intune Customer Success

Support tip: Migrate your classic Conditional Access policies

Intune_Support_Team
Apr 19, 2024

Azure Active Directory (Azure AD) Graph has been deprecated since mid-2023 and is in its retirement phase to allow applications time to migrate to Microsoft Graph. As part of our ongoing efforts to prepare for this, we'll be updating the Intune Company Portal infrastructure to move to Microsoft Graph. With this update, admins must migrate their classic Conditional Access (CA) policies to new CA policies and then disable or delete the classic ones by June 30, 2024; otherwise the Company Portal and Intune apps will stop working.

For instructions on migrating these policies, see Migrate from a classic policy - Microsoft Entra ID | Microsoft Learn.


How does this affect you or your users? 

If you are using classic CA policies, you will need to migrate these policies.

Note: You must be a Global Administrator to delete classic CA policies.

User impact: If you don’t migrate your policies, users won’t be able to enroll new devices via the Company Portal and they won’t be able to make non-compliant devices compliant (if non-compliance is caused by a classic CA policy or a condition within a classic CA policy). This applies to: 

  • Windows Company Portal 
  • Intune Company Portal website 
  • Android Company Portal 
  • Intune app for Android Enterprise 
  • Intune app for Android (AOSP) 
  • iOS Company Portal  
  • macOS Company Portal
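The following PowerShell is an added example and is not code from the Intune Support Team post or from the Microsoft Learn migration article. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module), the Policy.Read.All scope, and the well-known first-party app IDs for Exchange Online and SharePoint Online, which you should confirm under Enterprise applications in your own tenant. Classic policies are not exposed through Microsoft Graph, so the script does not list them; it answers the narrower question you need answered before disabling or deleting a classic policy: is there already an enabled new-model policy that requires a compliant device for the same app?

```powershell
# Added example, not code from the Intune Support Team post. Before a classic CA
# policy that requires a compliant device is disabled or deleted, confirm that an
# enabled new-model Conditional Access policy already covers the same app.
# Classic policies are not returned by Microsoft Graph (view them in the Entra
# admin center under Conditional Access > Classic policies); this script only
# inspects the new-model policies that Get-MgIdentityConditionalAccessPolicy returns.
# Requires the Microsoft.Graph.Identity.SignIns module and the Policy.Read.All scope.

Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

# Fetch every new-model policy once and reuse the list for each check.
$script:CaPolicies = Get-MgIdentityConditionalAccessPolicy -All

function Test-CaCompliantDeviceCoverage {
    <#
    .SYNOPSIS
    Returns the new-model CA policies that require a compliant device for $AppId,
    with each policy's state, so that a report-only or disabled policy is not
    mistaken for an enforced replacement of the classic policy.
    #>
    param(
        [Parameter(Mandatory)][string]$AppId,
        [Parameter(Mandatory)][string]$Label
    )

    $hits = foreach ($p in $script:CaPolicies) {
        $include  = @($p.Conditions.Applications.IncludeApplications)
        $exclude  = @($p.Conditions.Applications.ExcludeApplications)
        $controls = @($p.GrantControls.BuiltInControls)

        # "All" covers every app; the "Office365" group is treated here as covering the
        # first-party Office 365 apps (assumption). An explicit exclusion removes the
        # app from scope again, so it is checked last.
        $inScope = (($include -contains "All") -or ($include -contains "Office365") -or
                    ($include -contains $AppId)) -and -not ($exclude -contains $AppId)

        if ($inScope -and ($controls -contains "compliantDevice")) {
            [pscustomobject]@{
                App         = $Label
                PolicyName  = $p.DisplayName
                State       = $p.State   # enabled | disabled | enabledForReportingButNotEnforced
                IncludeApps = ($include -join ", ")
            }
        }
    }

    if (-not $hits) {
        Write-Warning "No new-model policy requires a compliant device for $Label ($AppId). Keep the classic policy until a replacement exists."
    }
    elseif (-not ($hits | Where-Object State -eq "enabled")) {
        Write-Warning "Replacement policies for $Label exist but none is enabled (report-only or disabled)."
    }
    return $hits
}

# First-party app IDs for the apps named in the classic "[Office 365 Exchange Online]
# Device policy" and "[Office 365 SharePoint Online] Device policy" (assumed values;
# confirm them under Enterprise applications in your own tenant).
$targets = @{
    "Office 365 Exchange Online"   = "00000002-0000-0ff1-ce00-000000000000"
    "Office 365 SharePoint Online" = "00000003-0000-0ff1-ce00-000000000000"
}

$report = foreach ($t in $targets.GetEnumerator()) {
    Test-CaCompliantDeviceCoverage -AppId $t.Value -Label $t.Key
}
$report | Sort-Object App, State | Format-Table -AutoSize
```

Run this after creating the new-model policies and before the classic policy is disabled. The two warning paths are exactly the situation the user-impact section above describes: a classic policy is removed and no enforced new-model policy takes its place, so devices can no longer be made compliant. A report-only policy (enabledForReportingButNotEnforced) is deliberately not counted as coverage. Coverage by a new-model policy also does not by itself mean a classic policy may be deleted; the Basic Mobility and Security note on this page still applies to the five device policies it lists.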

Mobile Threat Defense integrations 

There is no impact, and no action is required, for classic CA policies previously created for Microsoft Defender for Endpoint or for third-party Mobile Threat Defense scenarios. These connectors no longer depend on those classic CA policies, so if you still have them in your tenant they can be safely deleted.

Basic Mobility and Security

The following classic CA policies are used for Basic Mobility and Security, and shouldn't be deleted if you are using or planning to use Basic Mobility and Security:


  • [GraphAggregatorService] Device policy
  • [Office 365 Exchange Online] Device policy
  • [Outlook Service for Exchange] Device policy
  • [Office 365 SharePoint Online] Device policy
  • [Outlook Service for OneDrive] Device policy

If you have questions or comments for the Intune team, reply to this post or reach out on X @IntuneSuppTeam.


Post updates

05/07/24: Updated to include a note and CA policies on Mobile Threat Defense integrations.

05/14/24: Updated to include a note on Basic Mobility and Security device policies.

Updated May 14, 2024
Version 4.0

19 Comments

  • owainwtb

    Yes, the message center post is what directs you here for asking questions.

  • Also published as Message Center post MC781581, with the same level of detail there.

  • owainwtb

    PetrVlk

    Due to the complete lack of any responses from Microsoft, it looks like this blog is going the way of others related to Microsoft changes.

    These blogs are supposed to be the method that we customers use to ask questions and get more information on MS-initiated service changes; support have told us that they will no longer perform this function, so we're left with this as the only method.

    Intune_Support_Team It is incredibly frustrating and disappointing that MS do not monitor these blogs (this is the 3rd one recently where there are no responses); it effectively means we have no support. Please can Microsoft respond to the questions from their paying customers.

  • owainwtb: This update to this article was the one which I also found the next day when I asked there. It was also mentioned on X by Microsoft, but what about the rest of the policies? Only some targeting compliant devices. I'd like to test it, but in a fresh tenant I do not see such policies, so I need to find some brave one from the past.

  • owainwtb

    Paul Schnackenburg, funnily enough I was looking at the article (https://learn.microsoft.com/en-gb/mem/intune/protect/advanced-threat-protection-configure) in relation to the classic [Windows Defender ATP] Device policy on 16/04/2024 and can confirm that it did state "These policies can be ignored, but should not be edited, deleted, or disabled".

    Checking this article today and it now states:

    "As of the August 2023 Intune service release (2308), classic Conditional Access (CA) policies are no longer created for the Microsoft Defender for Endpoint connector. If your tenant has a classic CA policy that was previously created for integration with Microsoft Defender for Endpoint, it can be deleted. To view classic Conditional Access policies, in Azure, go to Microsoft Entra ID > Conditional Access > Classic policies."


    The article has a last updated date of 17/04/2024 so must have been changed the day after I looked at it.


    So please can Microsoft confirm that it is now ok to delete the [Windows Defender ATP] Device policy?


    We also have the following classic policies in our tenant, presumably created by Microsoft integrations as we did not create them:

    • [GraphAggregatorService] Mobile App Management policy
    • [Office 365 SharePoint Online] Mobile App Management policy
    • [Outlook Service for OneDrive] Mobile App Management policy


    These look to be related to Intune as well, please can Microsoft confirm if these can now be deleted as well following the updated statement above or do we need to disable them and recreate them as New CA policies - in accordance with the Migrate a classic Conditional Access policy - Microsoft Entra ID | Microsoft Learn documentation?

  • RichLowe

    As above please!

    We also have these 3:


    • [Office 365 Exchange Online] Device policy
    • [GraphAggregatorService] Device policy
    • [Office 365 SharePoint Online] Device policy

    Will they be affected?

    thank you

  • Couldn't agree more with the posters above - I have several clients with the [Windows Defender ATP] Device policy which "can't be migrated, is important and shouldn't be deleted". (I've already disabled it in one tenant - following the documentation in the link above - turns out you can't turn it back on again). 

    Can Microsoft please clarify what steps we need to take here?

  • IndiaYankee

    Hi, I would like to add my question here as well, as I totally agree with the question above:

    Please clarify which type of Classic Policies needs to be migrated. 

  • Hi, can you please clarify which type of Classic Policies need to be migrated?

    All, or only the ones targeted at Intune-related apps or requiring compliance, like "[Office 365 Exchange Online] Device policy"?

    Because Defender for Endpoint (MDE/MDATP) and other security connectors seem to still rely on the legacy CA policy created when the connector was set up, like "[Windows Defender ATP] Device policy", which when disabled and deleted broke the connection itself.

    For example, one of the oldest tenants has these policies enabled:

    • [Office 365 Exchange Online] Device policy
    • [GraphAggregatorService] Device policy
    • [Office 365 SharePoint Online] Device policy
    • [Outlook Service for OneDrive] Device policy
    • [Outlook Service for Exchange] Device policy
    • [Windows Defender ATP] Device policy