By Wayne Bennett – Sr Program Manager | Microsoft Endpoint Manager – Intune
Using Microsoft Endpoint Manager – Microsoft Intune to set your company’s terms and conditions meets the requirements of many organizations. However, the Azure Active Directory (Azure AD) terms of use feature offers greater functionality, including terms of use in different languages and integration with Conditional Access in the form of grant controls. You can learn more about the differences between the two solutions in this blog post.
If you’ve configured the Azure AD terms of use solution and set a grant control in your Conditional Access policy that requires users to accept terms of use, you need to be aware of a configuration scenario that might unintentionally block access for your users when they try to sign in to the Company Portal and enroll in Intune.
When creating an Azure AD terms of use policy, you have the option to select Require users to consent on every device. If you choose this setting, you will see the warning “Consent on every device will require users to register each device with Azure AD prior to getting access”. Once saved, you are unable to change this setting.
After you create the terms of use policy, the next step is to create a Conditional Access policy. As shown in the following example, many organizations will target All Cloud Apps without configuring any exclusions.
Additionally, many organizations will select the Require device to be marked as compliant grant control and require users to accept the Azure AD terms of use policy.
The combination of an Azure AD terms of use policy requiring users to consent on every device, a Conditional Access policy targeting All Cloud Apps, and the grant control requiring the user to accept the Azure AD terms of use results in the following unintended behaviour during the Intune enrollment process: users are blocked when they try to sign in to the Company Portal and enroll.
The issue is caused by selecting Require users to consent on every device when creating the terms of use policy, which, as the warning states, requires users to register each device with Azure AD prior to getting access.
There are two methods to keep the enrollment blocking scenario from occurring:
The first method is to ensure that Require users to consent on every device in the Terms of use dialog remains at the default Off setting when creating the Azure AD terms of use policy.
Note
Once the Azure AD terms of use policy is created, it is not possible to edit the Require users to consent on every device setting. You must create and target a new terms of use policy in the Conditional Access policy.
The second method is to exclude certain cloud apps from Conditional Access targeting. The Per-device terms of use section of the Azure Active Directory terms of use documentation states that “The Intune Enrollment app is not supported. Ensure that it is excluded from any Conditional Access policy requiring Terms of Use policy.” However, excluding the Microsoft Intune Enrollment cloud app alone is not sufficient: as the example below shows, you must also exclude the Microsoft Intune cloud app.
If you are using Intune app protection policies without enrollment and have configured Azure Active Directory terms of use in your Conditional Access policy, your Android users will be unable to sign in to the Company Portal. In this scenario, following method 2 in the previous section and excluding only the Microsoft Intune cloud app will be sufficient to unblock your Android users.
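As an added example (not code from the original post or from Microsoft), the following check audits exported Conditional Access policies and terms of use agreements for the blocking combination described above: a per-device terms of use agreement, a policy targeting All cloud apps with a terms of use grant control, and missing exclusions. It reports which of the two Intune cloud apps still have to be excluded under method 2, and flags separately the case from the previous paragraph where only the Microsoft Intune cloud app is excluded, which unblocks Android users on app protection policies without enrollment but not enrollment itself. It assumes the input dicts follow the shape of the Microsoft Graph `agreement` and `conditionalAccessPolicy` resources (`isPerDeviceAcceptanceRequired`, `conditions.applications`, `grantControls.termsOfUse`); the two app IDs are assumed to be the well-known Microsoft Intune and Microsoft Intune Enrollment IDs and should be confirmed against the service principals in your own tenant. All sample data is constructed.

```python
"""Audit Conditional Access policies for the terms-of-use (TOU) combination
that blocks Company Portal sign-in and Intune enrollment.

Input dicts follow the shape of the Microsoft Graph `agreement` and
`conditionalAccessPolicy` resources (e.g. exported from
GET /identityGovernance/termsOfUse/agreements and
GET /identity/conditionalAccess/policies). The sample data at the bottom is
constructed for illustration and does not come from a real tenant.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# App IDs to exclude (assumption: these are the well-known IDs of the
# Microsoft Intune and Microsoft Intune Enrollment cloud apps; confirm them
# against the service principals in your own tenant before relying on them).
INTUNE_APP_ID = "0000000a-0000-0000-c000-000000000000"
INTUNE_ENROLLMENT_APP_ID = "d4ebce55-015a-49b5-a083-c84d1797ae8c"


@dataclass(frozen=True)
class Finding:
    policy: str
    agreement: str
    missing: Tuple[str, ...]  # app IDs still absent from excludeApplications
    # True when only Microsoft Intune Enrollment is missing: Android users on
    # app protection policies without enrollment are unblocked, enrollment is not.
    mam_only_unblocked: bool


def per_device_agreements(agreements: List[dict]) -> Dict[str, str]:
    """Map id -> displayName for agreements created with
    'Require users to consent on every device' (isPerDeviceAcceptanceRequired)."""
    return {a["id"]: a["displayName"]
            for a in agreements if a.get("isPerDeviceAcceptanceRequired")}


def audit_policies(policies: List[dict], agreements: List[dict]) -> List[Finding]:
    """Return one Finding per (enabled policy, per-device agreement) pair where
    the policy targets All cloud apps, grants access only after accepting that
    agreement, and does not exclude both Intune cloud apps."""
    per_device = per_device_agreements(agreements)
    findings: List[Finding] = []
    for p in policies:
        if p.get("state") != "enabled":
            continue
        apps = p.get("conditions", {}).get("applications", {})
        if "All" not in apps.get("includeApplications", []):
            continue  # scoped policies are outside the blocking scenario
        tou_ids = [a for a in (p.get("grantControls") or {}).get("termsOfUse", [])
                   if a in per_device]
        if not tou_ids:
            continue  # no per-device TOU grant control on this policy
        excluded = set(apps.get("excludeApplications", []))
        missing = tuple(a for a in (INTUNE_ENROLLMENT_APP_ID, INTUNE_APP_ID)
                        if a not in excluded)
        if not missing:
            continue  # method 2 applied correctly: both Intune apps excluded
        for a in tou_ids:
            findings.append(Finding(p["displayName"], per_device[a], missing,
                                    missing == (INTUNE_ENROLLMENT_APP_ID,)))
    return findings


# ---- constructed sample data (not from a real tenant) ----
SAMPLE_AGREEMENTS = [
    {"id": "tou-per-device", "displayName": "Corp TOU (per device)",
     "isPerDeviceAcceptanceRequired": True},
    {"id": "tou-default", "displayName": "Corp TOU (default)",
     "isPerDeviceAcceptanceRequired": False},
]


def _policy(name, tou, exclude, state="enabled"):
    """Build a minimal conditionalAccessPolicy dict targeting All cloud apps."""
    return {"displayName": name, "state": state,
            "conditions": {"applications": {"includeApplications": ["All"],
                                            "excludeApplications": exclude}},
            "grantControls": {"operator": "AND",
                              "builtInControls": ["compliantDevice"],
                              "termsOfUse": tou}}


SAMPLE_POLICIES = [
    _policy("CA01 - no exclusions", ["tou-per-device"], []),
    _policy("CA02 - enrollment app only", ["tou-per-device"], [INTUNE_ENROLLMENT_APP_ID]),
    _policy("CA03 - intune app only", ["tou-per-device"], [INTUNE_APP_ID]),
    _policy("CA04 - both excluded", ["tou-per-device"],
            [INTUNE_ENROLLMENT_APP_ID, INTUNE_APP_ID]),
    _policy("CA05 - default TOU", ["tou-default"], []),
    _policy("CA06 - disabled", ["tou-per-device"], [], state="disabled"),
]

if __name__ == "__main__":
    for f in audit_policies(SAMPLE_POLICIES, SAMPLE_AGREEMENTS):
        note = "  (Android app-protection-only users already unblocked)" if f.mam_only_unblocked else ""
        print(f"{f.policy}: agreement '{f.agreement}' is per-device; "
              f"add to excludeApplications: {', '.join(f.missing)}{note}")
```

Run it against a real export by replacing the two sample lists with the `value` arrays from the Graph responses; policies that are disabled, scoped to specific apps, or that reference only non-per-device agreements are skipped, since method 1 (leaving the per-device setting off) already keeps them out of the scenario.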
Changing your configuration using either of the suggested methods will prevent the Intune enrollment blocking scenario. Before you make any change, be sure to evaluate the settings so you don’t impact any existing Conditional Access requirements.
For further resources on this subject, please see the links below.
Plan an Azure Active Directory Conditional Access Deployment
Troubleshoot Conditional Access using the What If tool
Conditional Access require terms of use
Cloud apps or actions in Conditional Access policy
Device compliance policies in Microsoft Intune
Let us know if you have any additional questions by replying to this post or reaching out to @IntuneSuppTeam on Twitter.
Post updates:
7/22/21: updated post title to clarify preventing Azure Active Directory terms of use (TOU) from blocking Intune Company Portal sign in and enrollment.
8/5/21: added a new section for steps on unblocking the Company Portal sign in for Android Intune app protection policy users.