Forum Discussion

Jan 19, 2023

Microsoft Intune Company Portal for Linux and Conditional Access Issue

Greetings everyone,

I have the following scenario implemented regarding conditional access:

  • Rule#1: For pilotuser1, for all cloud apps, for all platforms --> require MFA

  • Rule#2: For pilotuser1, for all cloud apps except Microsoft Intune Enrollment and Microsoft Intune, for all platforms --> Require Device marked as compliant

This should allow me to successfully enroll a non-enrolled device in Intune and require device compliance for the other workloads. For Windows it works just fine. The problem lies with Linux.

Following the instructions on Enroll a Linux device in Intune | Microsoft Learn & Get the Microsoft Intune app for Linux | Microsoft Learn I installed Intune App and Edge (Version 109.0.1518.52 (Official build) (64-bit)) on a VM with Ubuntu 22.04.

I open the Intune App and try to sign in:

The first step is to register the device in Azure AD, which goes without a problem.

At the next stage I get the following and press continue:

At this stage Microsoft Edge opens and I sign in successfully but the Intune App throws an error:

The sign-in logs on Azure AD show that even though I excluded Intune Enrollment from the CA policy, it is not enough.

Sign-in error code: 530003
Failure reason: Your device is required to be managed to access this resource.
Additional Details:
The requested resource can only be accessed using a compliant device. The user is either using a device not managed by a Mobile-Device-Management (MDM) agent like Intune, or it's using an application that doesn't support device authentication. The user could enroll their devices with an approved MDM provider, or use a different app to sign in, or find the app vendor and ask them to update their app. More details available at https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-device-remediation
Application: Microsoft Intune Company Portal for Linux
Application ID: b743a22d-6705-4147-8670-d92fa515ee2b
Resource : Microsoft Graph
Resource ID: 00000003-0000-0000-c000-000000000000
Client app: Mobile Apps and Desktop clients
Client credential type: None
Resource service principal ID: 01989347-a263-48ef-a8d7-583ee83db9a2
Token issuer type: Azure AD

Apparently something is different in the enrollment process for Linux, because I had no issues with Windows 10 enrollment.

Any thoughts on the subject would be appreciated.

Kind Regards,

Panos

17 Replies

  • lueduandrade
    Copper Contributor

    ppolychron 

    At the company where I work, we had the same problem. Apparently, this error only occurs on machines running Ubuntu versions 23.x or 24.x. We resolved it by downgrading the OS to Ubuntu 22.04, which works correctly using this installation article:

    https://learn.microsoft.com/pt-br/mem/intune/user-help/microsoft-intune-app-linux

  • dseme
    Copper Contributor

    ppolychron We have MFA from Microsoft Authenticator and have the same issue without any conditional access policy and without any limit for the user. Only this error after clicking register, without requesting MFA (why?)

  • Moe_Kinani
    Bronze Contributor

    Hi,

    It might be a bug because the Linux support is relatively new. Have you checked this blog post? It might be something to do with your Edge Version in the device. 

    https://www.prajwaldesai.com/complete-guide-to-managing-linux-with-intune/

    Moe

    • ppolychron
      MCT
      Hello,

      I also think it's a bug. Trying with older versions of Edge didn't help either. Maybe I need to exclude another cloud app as well (besides Microsoft Intune Enrollment and Microsoft Intune), or maybe something has to change in the process in order for Linux to have the same experience as Windows and Mac OS. Everything works fine there.

      For the moment the only workaround we have is to enroll the Linux device before we enforce the specific CA policy.

      Panos
      • benferse
        Microsoft

        Hi ppolychron - thanks for the report! This definitely looks wrong. There's additional logic that should be kicking in to honor this request, but I don't think it's properly taking the Linux client's identity into account when doing so.

        FYI Intune_Support_Team in case we want to open a ticket to track. I'd like to take a look at this.

  • Hi ppolychron,

    Are you including the “Microsoft Intune Enrollment” app in block mode for conditional access? Also, please try to keep the CA in report-only mode to see what your sign-in logs refer to.
    The logs will be at:

    Conditional Access > Sign-in logs > User sign-ins (non-interactive)

    Find the application with the name “Microsoft Intune Company Portal for Linux” and you should see “Failure” there. These will help to evaluate and fix the CA.

    Hope it helps you in fixing the enrollment.

    Best Regards,

    Somesh

    • FingerlessGloves
      Copper Contributor

      When I look in User sign-ins (non-interactive), I can indeed see Failures against "Microsoft Intune Company Portal for Linux", because I have a policy that requires MFA for all resources. The problem is I can't exclude that Portal for Linux, as it doesn't show up as a resource.

      How do I make this work? I can't exclude users from that CA policy, as that would remove their MFA requirement. Is this still an outstanding bug? It feels like a bit of a flaw at the moment.

      Since this problem still exists at least 2 years later, I feel Microsoft aren't fully supporting Linux as a device type in Intune, unless the resource I actually need to exclude has a different name, but no documentation online is pointing me towards this, neither the official docs nor the various blog posts.
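As an added example, not posted by anyone in this thread, here is a small Python triage of exported sign-in records in the Microsoft Graph signIn shape, following Somesh's advice to look at the non-interactive sign-ins for "Microsoft Intune Company Portal for Linux" and FingerlessGloves' point that the Portal itself is not a selectable resource. It filters the 530003 failures and summarises which resource each failing request targeted (Microsoft Graph, in the log quoted in the question) and which policy enforced the block, since a CA exclusion is matched against that target resource, not the client app. The sample records are constructed; the policy display name and the Windows appId/resourceId are placeholders.

```python
"""Triage exported sign-in records (Graph signIn shape) for Conditional Access
device-compliance failures (error 530003) from a given client application."""
from collections import Counter

LINUX_PORTAL = "Microsoft Intune Company Portal for Linux"
DEVICE_NOT_MANAGED = 530003  # "Your device is required to be managed ..."

# Constructed sample export. App/resource values in the Linux record are the
# ones quoted in the thread; the policy name and Windows IDs are placeholders.
SAMPLE_SIGNINS = [
    {"appDisplayName": LINUX_PORTAL,
     "appId": "b743a22d-6705-4147-8670-d92fa515ee2b",
     "resourceDisplayName": "Microsoft Graph",
     "resourceId": "00000003-0000-0000-c000-000000000000",
     "status": {"errorCode": DEVICE_NOT_MANAGED},
     "conditionalAccessStatus": "failure",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Rule#2 Require compliant device",  # assumed name
          "result": "failure",
          "enforcedGrantControls": ["RequireCompliantDevice"]}]},
    {"appDisplayName": "Microsoft Intune Company Portal",
     "appId": "00000000-0000-0000-0000-00000000aaaa",  # placeholder
     "resourceDisplayName": "Microsoft Intune Enrollment",
     "resourceId": "00000000-0000-0000-0000-00000000bbbb",  # placeholder
     "status": {"errorCode": 0},
     "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Rule#1 Require MFA", "result": "success",
          "enforcedGrantControls": ["Mfa"]}]},
]


def failing_requests(signins, app_name=LINUX_PORTAL, code=DEVICE_NOT_MANAGED):
    """Return the records for app_name that failed with the given error code."""
    return [s for s in signins
            if s.get("appDisplayName") == app_name
            and s.get("status", {}).get("errorCode") == code]


def blocking_summary(signins, app_name=LINUX_PORTAL):
    """Count the resource each failing request targeted and the CA policy that
    enforced the block; the exclusion has to match the resource seen here."""
    resources, policies = Counter(), Counter()
    for s in failing_requests(signins, app_name):
        resources[s.get("resourceDisplayName", "?")] += 1
        for p in s.get("appliedConditionalAccessPolicies", []):
            if p.get("result") == "failure":
                policies[p.get("displayName", "?")] += 1
    return {"resources": dict(resources), "policies": dict(policies)}
```

Feed it the JSON array exported from Sign-in logs > User sign-ins (non-interactive) instead of SAMPLE_SIGNINS to see the real resource and policy names behind the Linux failures.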
