Tech Community Live: Microsoft Intune
Mar 20 2024, 07:30 AM - 11:30 AM (PDT)
Microsoft Tech Community
Preventing Azure Active Directory TOU from blocking Intune Company Portal sign in and enrollment
Published May 04 2021 08:00 AM 15.9K Views

By Wayne Bennett – Sr Program Manager | Microsoft Endpoint Manager – Intune

 

Using Microsoft Endpoint Manager – Microsoft Intune to set your company’s terms and conditions meets the requirements of many organizations. However, the Azure Active Directory (Azure AD) terms of use feature offers greater functionality— including terms of use in different languages and integration with Conditional Access in the form of grant controls. You can learn more about the differences between the two solutions in this blog post.

 

Potential to block access to Intune

If you’ve configured the Azure AD terms of use solution and set a grant control to require users to accept terms of use in your Conditional Access policy, you need to be aware of a configuration scenario that might unintentionally block access for your users when they try to sign into the Company Portal and enroll into Intune.

 

Typical configuration

When creating an Azure AD terms of use policy, you have the option to select Require users to consent on every device. If you choose this setting, you will see the Consent on every device will require users to register each device with Azure AD prior to getting access warning. Once saved, you are unable to change this setting.

 

Example screenshot to register each device with Azure AD prior to getting access in a Conditional Access policyExample screenshot to register each device with Azure AD prior to getting access in a Conditional Access policy

 

After you create the terms of use policy, the next step is to create a Conditional Access policy. As shown in the following example, many organizations will target All Cloud Apps without configuring any exclusions.

 

Example screenshot of targeting All cloud apps in a Conditional Access policyExample screenshot of targeting All cloud apps in a Conditional Access policy

 

Additionally, many organizations will select Require device to be marked as compliant grant controls and require users to accept the Azure AD terms of use policy.

 

Example screenshot of configuring both the "Require device to be marked as compliant" and "Terms of Use" policies under the Grant controlExample screenshot of configuring both the "Require device to be marked as compliant" and "Terms of Use" policies under the Grant control

 

Blocking enrollment issue

The combination of Azure AD terms of use requiring users to consent on every device, Conditional Access policy targeting All Cloud Apps, and the control requiring the user to accept the Azure AD terms of use results in the following unintended behaviour during the Intune enrollment process:

  • Once the user has authenticated in the Company Portal, prior to Azure AD terms of use appearing, the Help us keep your device secure message will appear. The user will be prompted to install the Microsoft Authenticator app, Conditional Access controls will begin a continuous registration cycle, and the user will be unable to complete enrollment.

 

The issue is caused by selecting Require users to consent on every device, requiring users to register each device with Azure AD prior to getting access, as per the warning, when creating the terms of use policy.

 

Example screenshot of the "Help us keep your device secure" messageExample screenshot of the "Help us keep your device secure" message

 

Prevent Intune enrollment from being blocked

There are two methods to keep the enrollment blocking scenario from occurring:

 

Method 1: The Terms of use dialog

The first method is to ensure that Require users to consent on every device in the Terms of use dialog remains at the default Off setting when creating the Azure AD terms of use policy.

 

Note

Once the Azure AD terms of use policy is created, it is not possible to edit the Require users to consent on every device setting. You must create and target a new terms of use policy in the Conditional Access policy.

 

Method 2: Exclude cloud apps

The second method is to exclude certain cloud apps from Conditional Access targeting. The Per-device terms of use section of the Azure Active Directory terms of use documentation states that “The Intune Enrollment app is not supported. Ensure that it is excluded from any Conditional Access policy requiring Terms of Use policy.” However, excluding the Microsoft Intune Enrollment cloud app is not sufficient — as the example below shows, you must also exclude the Microsoft Intune cloud app.

 

Example screenshot of excluding "Microsoft Intune" and "Microsoft Intune Enrollment" from the Cloud apps or actions listExample screenshot of excluding "Microsoft Intune" and "Microsoft Intune Enrollment" from the Cloud apps or actions list

 

Unblock Company Portal sign in for Android Intune App protection policy users

If you are using Intune app protection policies without enrolment and have configured Azure Active Directory terms of use in your Conditional Access policy, your Android users will be unable to sign in to the Company Portal. In this scenario, following method 2 in the previous section and excluding the Microsoft Intune cloud app only will be sufficient to unblock your Android users.

 

Conclusion

Changing your configuration using either of the suggested methods will prevent the Intune enrollment blocking scenario. Before you make any change, be sure to evaluate the settings so you don’t impact any existing Conditional Access requirements.

 

More info and feedback

For further resources on this subject, please see the links below.

 

Plan an Azure Active Directory Conditional Access Deployment

Troubleshoot Conditional Access using the What If tool

What is Microsoft Intune

Conditional Access require terms of use

Cloud apps or actions in Conditional Access policy

Device compliance policies in Microsoft Intune

 

Let us know if you have any additional questions by replying to this post or reaching out to @IntuneSuppTeam  on Twitter.

 

Post updates:

7/22/21: updated post title to clarify preventing Azure Active Directory terms of use (TOU) from blocking Intune Company Poral sign in and enrollment.

8/5/21: added a new section for steps on unblocking the Company Portal sign in for Android Intune app protection policy users".

2 Comments
Version history
Last update:
‎Dec 19 2023 01:20 PM
Updated by: