Blog Post

Intune Customer Success
2 MIN READ

Support tip: Migrate your classic Conditional Access policies

Intune_Support_Team's avatar
Intune_Support_Team
Icon for Microsoft rankMicrosoft
Apr 19, 2024

Azure Active Directory (Azure AD) Graph has been deprecated since mid-2023 and is in its retirement phase to allow applications time to migrate to Microsoft Graph. As part of our ongoing efforts to prepare for this, we'll be updating the Intune Company Portal infrastructure to move to Microsoft Graph. With this update, by June 30, 2024, admins must migrate classic Conditional Access (CA) to the new policies and disable or delete them for the Company Portal and Intune apps to continue working.

 

For instructions on migrating these policies, see Migrate from a classic policy - Microsoft Entra ID | Microsoft Learn.

 

How does this affect you or your users? 

If you are using classic CA policies, you will need to migrate these policies.

Note: Admins must be a Global administrator to delete classic CA policies.

 

User impact: If you don’t migrate your policies, users won’t be able to enroll new devices via the Company Portal and they won’t be able to make non-compliant devices compliant (if non-compliance is caused by a classic CA policy or a condition within a classic CA policy). This applies to: 

  • Windows Company Portal 
  • Intune Company Portal website 
  • Android Company Portal 
  • Intune app for Android Enterprise 
  • Intune app for Android (AOSP) 
  • iOS Company Portal  
  • macOS Company Portal

Mobile Threat Defense integrations 

There is no impact or action required for classic CA policies previously created for Microsoft Defender for Endpoint or for third-party Mobile Threat Defense scenarios. If you have classic CA policies related to these connectors, there’s no longer a dependency on these connectors and they can be safely deleted. 

 

Basic Mobility and Security

The following classic CA policies are used for Basic Mobility and Security, and shouldn't be deleted if you are using or planning to use Basic Mobility and Security:

 

  • [GraphAggregatorService] Device policy
  • [Office 365 Exchange Online] Device policy
  • [Outlook Service for Exchange] Device policy
  • [Office 365 SharePoint Online] Device policy
  • [Outlook Service for OneDrive] Device policy

If you have questions or comments for the Intune team, reply to this post or reach out on X @IntuneSuppTeam.

 

Post updates

05/07/24: Updated to include a note and CA policies on Mobile Threat Defense integrations.

05/14/24: Updated to include a note on Basic Mobility and Security device policies.

Updated May 14, 2024
Version 4.0
Conditional Access
Intune Company Portal
  • Kazzan's avatar
    Kazzan
    MVP
    Apr 21, 2024

    Hi, can you please clarify which type of Classic Policies need to be migrated?

     

    All or only one targeted to Intune related apps or this requires compliance like "[Office 365 Exchange Online] Device policy"?

     

    Because Defender for Endpoint (MDE/MDATP) and other security connectors seems still rely on legacy CA policy created when connector created like "[Windows Defender ATP] Device policy" which when disabled and deleted broke the connection itself.

     

    For example one of the oldest tenants have these policies enabled:

    • [Office 365 Exchange Online] Device policy
    • [GraphAggregatorService] Device policy
    • [Office 365 SharePoint Online] Device policy
    • [Outlook Service for OneDrive] Device policy
    • [Outlook Service for Exchange] Device policy
    • [Windows Defender ATP] Device policy
  • IndiaYankee's avatar
    IndiaYankee
    Brass Contributor
    Apr 22, 2024

    Hej, I would like to add my question here as well, as I totally agree with the question above:

    Please clarify which type of Classic Policies needs to be migrated. 

  • Paul Schnackenburg's avatar
    Paul Schnackenburg
    Copper Contributor
    Apr 23, 2024

    Couldn't agree more with the posters above - I have several clients with the [Windows Defender ATP] Device policy which "can't be migrated, is important and shouldn't be deleted". (I've already disabled it in one tenant - following the documentation in the link above - turns out you can't turn it back on again). 

    Can Microsoft please clarify what's steps we need to take here? 

  • RichLowe's avatar
    RichLowe
    Copper Contributor
    Apr 23, 2024

    As above please.!

    We also have these 3:

     

    • [Office 365 Exchange Online] Device policy
    • [GraphAggregatorService] Device policy
    • [Office 365 SharePoint Online] Device policy

    Will they be affected?

    thank you

  • owainwtb's avatar
    owainwtb
    Iron Contributor
    Apr 23, 2024

    Paul Schnackenburg, funnily enough I was looking at the article (https://learn.microsoft.com/en-gb/mem/intune/protect/advanced-threat-protection-configure) in relation to the classic [Windows Defender ATP] Device policy on 16/04/2024 and can confirm that it did state "These policies can be ignored, but should not be edited, deleted, or disabled".

    Checking this article today and it now states:

    "As of the August 2023 Intune service release (2308), classic Conditional Access (CA) policies are no longer created for the Microsoft Defender for Endpoint connector. If your tenant has a classic CA policy that was previously created for integration with Microsoft Defender for Endpoint, it can be deleted. To view classic Conditional Access policies, in Azure, go to Microsoft Entra ID > Conditional Access > Classic policies."

     

    The article has a last updated date of 17/04/2024 so must have been changed the day after I looked at it.

     

    So please can Microsoft confirm that it is now ok to delete the [Windows Defender ATP] Device policy?

     

    We also have the following classic policies in our tenant, presumable created by Microsoft integrations as we did not create them:

    • [GraphAggregatorService] Mobile App Management policy
    • [Office 365 SharePoint Online] Mobile App Management policy
    • [Outlook Service for OneDrive] Mobile App Management policy

     

    These look to be related to Intune as well, please can Microsoft confirm if these can now be deleted as well following the updated statement above or do we need to disable them and recreate them as New CA policies - in accordance with the Migrate a classic Conditional Access policy - Microsoft Entra ID | Microsoft Learn documentation?

  • Intune_Support_Team's avatar
    Intune_Support_Team
    Icon for Microsoft rankMicrosoft
    Apr 30, 2024

    Thank you to everyone who provided feedback and comments! As an update - we're currently working with our team to address all the feedback that was shared above, and we'll be updating this blog post and commenting on it as soon as we have more information to share. Thank you for your understanding!

  • Intune_Support_Team's avatar
    Intune_Support_Team
    Icon for Microsoft rankMicrosoft
    May 08, 2024

    Hi there! Following up from our previous update, classic CA policies for Mobile Threat Defense integrations, including Microsoft Defender for Endpoint and third-party scenarios, are now independent of connectors and can be safely removed. Further guidance has been outlined in our post above for additional reference.

  • owainwtb's avatar
    owainwtb
    Iron Contributor
    May 09, 2024

    Thanks for the update confirming that the [Windows Defender ATP] Device policy policy is no longer required and can be safely deleted - supported by the latest update to the Microsoft documentation on this.

     

    Please can you provide more information on what this statement means "Microsoft Defender for Endpoint or for third-party Mobile Threat Defense scenarios".

    For example it would be helpful if you could list what these connectors are, e.g. we have the following:

    • [GraphAggregatorService] Mobile App Management policy
    • [Office 365 SharePoint Online] Mobile App Management policy
    • [Outlook Service for OneDrive] Mobile App Management policy

     

    So are these in scope of the above statement?

    They haven't been created by us so must be have been automatically created by something like Intune as they look related to mobile application management.

    Please can you publish an explicit list of what classic policies would have been automatically created by Microsoft service and what ones can be safely deleted.

    If a policy isn't on this list then we know it needs to be re-created as a new policy.

     

    We need explicit clarity on this as it looks like the confusion is around policies that have been created by Microsoft services, and so need to have confirmation what these are and if they are still relevant.

     

    Thanks

     

    Owain