Microsoft Tech Community
Support tip: Migrate your classic Conditional Access policies
Published Apr 19 2024 02:49 PM

Azure Active Directory (Azure AD) Graph has been deprecated since mid-2023 and is in its retirement phase to allow applications time to migrate to Microsoft Graph. As part of our ongoing efforts to prepare for this, we'll be updating the Intune Company Portal infrastructure to move to Microsoft Graph. With this update, by June 30, 2024, admins must migrate classic Conditional Access (CA) policies to the new policies and then disable or delete the classic policies for the Company Portal and Intune apps to continue working.


For instructions on migrating these policies, see Migrate from a classic policy - Microsoft Entra ID | Microsoft Learn.


How does this affect you or your users? 

If you are using classic CA policies, you will need to migrate these policies.

Note: An admin must be a Global administrator to delete classic CA policies.


User impact: If you don’t migrate your policies, users won’t be able to enroll new devices via the Company Portal and they won’t be able to make non-compliant devices compliant (if non-compliance is caused by a classic CA policy or a condition within a classic CA policy). This applies to: 

  • Windows Company Portal 
  • Intune Company Portal website 
  • Android Company Portal 
  • Intune app for Android Enterprise 
  • Intune app for Android (AOSP) 
  • iOS Company Portal  
  • macOS Company Portal

Mobile Threat Defense integrations 

There is no impact or action required for classic CA policies previously created for Microsoft Defender for Endpoint or for third-party Mobile Threat Defense scenarios. If you have classic CA policies related to these connectors, there’s no longer a dependency on these connectors and the policies can be safely deleted.


Basic Mobility and Security

The following classic CA policies are used for Basic Mobility and Security, and shouldn't be deleted if you are using or planning to use Basic Mobility and Security:


  • [GraphAggregatorService] Device policy
  • [Office 365 Exchange Online] Device policy
  • [Outlook Service for Exchange] Device policy
  • [Office 365 SharePoint Online] Device policy
  • [Outlook Service for OneDrive] Device policy

If you have questions or comments for the Intune team, reply to this post or reach out on X @IntuneSuppTeam.


Post updates

05/07/24: Updated to include a note and CA policies on Mobile Threat Defense integrations.

05/14/24: Updated to include a note on Basic Mobility and Security device policies.

Last update: May 14 2024 01:33 PM