Forum Discussion
Conditional Access and -Online Device registration error
So there was an Issue creating new discussions yesterday and I ended up with a discussion with Heading only. :)
We're using the Get-WindowsAutopilotInfo.ps1 script with the -Online switch to register our Entra Joined Devices, and the process is being blocked by Conditional Access.
The sign-in logs point to Microsoft Graph Command Line Tools (App ID: 14d82eec-204b-4c2f-b7e8-296a70dab67e) as the blocker. Microsoft Support suggested whitelisting several apps, but unfortunately, that hasn’t resolved the issue—likely because the device doesn’t have the compliant state during online registration.
We’re currently evaluating whether a dedicated service account with scoped permissions for Autopilot enrollment might be a workaround.
Would be great to hear if anyone else has found a reliable solution.
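The following is an added diagnostic, not code from the original post or from the Autopilot script. It queries the Entra sign-in logs for sign-ins by the app ID quoted above (14d82eec-204b-4c2f-b7e8-296a70dab67e, which is what Connect-MgGraph presents as when no custom app registration is supplied) that Conditional Access evaluated as a failure, shows which policies returned a failure result and the AADSTS error code, and then lists the enabled policies whose application scope could catch that sign-in without excluding the app. It assumes the Microsoft.Graph.Reports and Microsoft.Graph.Identity.SignIns modules are installed and that the account running it holds AuditLog.Read.All and Policy.Read.All; the one-day lookback and the SharePoint Online app ID (taken from the first reply below) are illustrative choices.

```powershell
# Added example (not from the original post or the Get-WindowsAutopilotInfo script):
# find which Conditional Access policy blocks the Graph sign-in behind the -Online switch.
# Assumptions: Microsoft.Graph.Reports + Microsoft.Graph.Identity.SignIns modules installed,
# caller has AuditLog.Read.All and Policy.Read.All.
#Requires -Modules Microsoft.Graph.Reports, Microsoft.Graph.Identity.SignIns

$GraphCliAppId = '14d82eec-204b-4c2f-b7e8-296a70dab67e'   # Microsoft Graph Command Line Tools (from the post)
$SpoAppId      = '00000003-0000-0ff1-ce00-000000000000'   # Office 365 SharePoint Online (from the first reply)

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Policy.Read.All' -NoWelcome

# 1. Sign-ins by the Graph CLI app in the last day where CA returned 'failure'.
#    (One-day window is an illustrative choice; widen it if the attempt was earlier.)
$since  = (Get-Date).AddDays(-1).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "appId eq '$GraphCliAppId' and conditionalAccessStatus eq 'failure' and createdDateTime ge $since"
$blocked = Get-MgAuditLogSignIn -Filter $filter -All

foreach ($s in $blocked) {
    [pscustomobject]@{
        When      = $s.CreatedDateTime
        User      = $s.UserPrincipalName
        Resource  = $s.ResourceDisplayName        # the resource the token was requested for
        ErrorCode = $s.Status.ErrorCode            # 53000 = device not compliant, 53003 = blocked by CA
        # Only the policies that actually produced the block, not every policy evaluated.
        Policies  = ($s.AppliedConditionalAccessPolicies |
                     Where-Object Result -eq 'failure' |
                     ForEach-Object DisplayName) -join '; '
    }
}

# 2. Enabled policies whose app scope can still catch this sign-in: they target all apps
#    or the SharePoint Online app, and do not exclude the Graph CLI app.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -eq 'enabled' } |
    Where-Object {
        $apps = $_.Conditions.Applications
        ($apps.IncludeApplications -contains 'All' -or $apps.IncludeApplications -contains $SpoAppId) -and
        ($apps.ExcludeApplications -notcontains $GraphCliAppId)
    } |
    Select-Object DisplayName,
        @{ n = 'RequireCompliant'; e = { $_.GrantControls.BuiltInControls -contains 'compliantDevice' } },
        @{ n = 'Includes';         e = { $_.Conditions.Applications.IncludeApplications -join ',' } },
        @{ n = 'Excludes';         e = { $_.Conditions.Applications.ExcludeApplications -join ',' } }
```

Run this from an already compliant admin workstation: Connect-MgGraph in the script signs in with the same Microsoft Graph Command Line Tools app, so on a device that is mid-registration the diagnostic itself would be blocked by the policy it is trying to find. An error code of 53000 on the blocked entry confirms the device-compliance grant control is the cause rather than a plain block, which matches the explanation in the post.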
2 Replies
- Laurie_Aldam (Brass Contributor)
We are experiencing the same issue and have never had problems harvesting hardware hashes before.
Our CA policy requires compliance for Office 365 SharePoint Online -
00000003-0000-0ff1-ce00-000000000000
This policy now seems to categorize Microsoft Graph Command Line Tools as part of the Office 365 SharePoint Online application.
After reviewing the documentation, I concluded it doesn’t apply to us since our compliance policies target users, not devices. I’ll try explicitly excluding Microsoft Intune Enrollment and Microsoft Intune and will report back.
Update: I've tried excluding Microsoft Graph Command Line Tools, Microsoft Intune Enrollment and Microsoft Intune from the CA policy with no success.
- Bogdan_Guinea (Iron Contributor)
Hi,
I didn't have this issue, I must admit, but normally the Microsoft Intune Enrollment app is excluded by default. Just check your Conditional Access policy one more time based on this.
https://learn.microsoft.com/en-us/autopilot/known-issues
Maybe as a workaround, try to enroll your devices from another network and add that network in your CA policy under Conditions | Locations | Exclude.
Good luck!