New Intune App listed?


Hey everyone, this morning I noticed that a new app is being evaluated when completing Intune enrollments for Android Enterprise fully managed. Our CA policies are now reporting the following app when users first authenticate using Chrome during the device enrollment:

 
Application: Microsoft Intune Web Company Portal
Application ID: 74bcdadc-2fdc-4bb3-8459-76d06952a0e9
Resource: Windows Azure Active Directory
Resource ID: 00000002-0000-0000-c000-000000000000

Previously, the initial sign-in was logged as this:

Application: Microsoft Intune Company Portal
Application ID: 9ba1a5c7-f17a-4de9-a1f1-6178c8d51223
Resource: Microsoft Intune
Resource ID: 0000000a-0000-0000-c000-000000000000
 
The problem is that we've leveraged the app "Microsoft Intune Company Portal" for specific inclusions/exclusions in policies and the new "Microsoft Intune Web Company Portal" app is not available as an app (I checked multiple AAD tenants). Has anyone else noticed this?
4 Replies

@eglockling

If you are trying to exclude Conditional Access rules that require MFA - then here is the solution:

If you have an Azure AD Conditional Access policy defined that uses the "require a device to be marked as compliant" Grant control or a Block policy and applies to All Cloud apps, Android, and Browsers, you must exclude the Microsoft Intune cloud app from this policy. This is because the Android setup process uses a Chrome tab to authenticate your users during enrollment.

https://docs.microsoft.com/en-us/mem/intune/enrollment/android-fully-managed-enroll#enable-corporate-owned-user-devices

 

This is correct, but we are already excluding the “Microsoft Intune” and “Microsoft Intune Company Portal” cloud apps from the policy and it was functioning as expected earlier this year. The problem is that the initial authentication request in Chrome is now being made against the cloud app “Microsoft Intune Web Company Portal”, which is not available from the list of applications in the tenants. Any other suggestions? I’ve already opened a support case with Microsoft, but they don’t seem to be aware of the application yet.

@eglockling 

Hey, I hope you are doing well. Did you ever get an answer on this from Microsoft? We are trying to make portal.manage.microsoft.com available via Chrome and Safari.

 

Thanks in advance. 

@Coopem16  Yes, Microsoft confirmed that this was not the expected behaviour, but could not provide an answer on why a different unlisted cloud app had been authenticated against. After the 2003 Intune service release, authentication resumed using the "Microsoft Intune" and "Microsoft Intune Company Portal" cloud apps, as designed.

 

The cloud app "Microsoft Intune Company Portal" is used for portal.manage.microsoft.com, so you can target that cloud app while creating your CA policy. The "Microsoft Intune" cloud app is only used for Android Enterprise fully managed and dedicated devices.
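
To catch the situation this thread describes (enrollment sign-ins arriving under an application/resource pair that the Conditional Access exclusions were never written for), the following is an added example, not part of any post above. It assumes sign-in log records exported with the Microsoft Graph signIn field names; the sample records, user names and Conditional Access statuses are constructed, and only the application and resource IDs come from the thread.

```python
from collections import defaultdict

# (appId, resourceId) pair the thread gives for the previous, expected sign-in.
EXPECTED_PAIRS = {("9ba1a5c7-f17a-4de9-a1f1-6178c8d51223",
                   "0000000a-0000-0000-c000-000000000000")}
# Display names and IDs as quoted in the thread.
COMPANY_PORTAL = ("Microsoft Intune Company Portal", "9ba1a5c7-f17a-4de9-a1f1-6178c8d51223",
                  "Microsoft Intune", "0000000a-0000-0000-c000-000000000000")
WEB_CP = ("Microsoft Intune Web Company Portal", "74bcdadc-2fdc-4bb3-8459-76d06952a0e9",
          "Windows Azure Active Directory", "00000002-0000-0000-c000-000000000000")

def make_record(user, app, status, os_name="Android", browser="Chrome Mobile"):
    """Build one constructed record using Microsoft Graph signIn field names."""
    name, app_id, res_name, res_id = app
    return {"userPrincipalName": user, "appDisplayName": name, "appId": app_id,
            "resourceDisplayName": res_name, "resourceId": res_id,
            "conditionalAccessStatus": status,
            "deviceDetail": {"operatingSystem": os_name, "browser": browser}}

# Constructed sample data, not real log entries.
SAMPLE = [
    make_record("user1@example.com", COMPANY_PORTAL, "success"),
    make_record("user2@example.com", WEB_CP, "failure"),
    make_record("user3@example.com", WEB_CP, "failure"),
    make_record("user4@example.com", WEB_CP, "success", os_name="Windows 10", browser="Edge"),
]

def is_android_browser(rec):
    """True for sign-ins made from a browser on Android (the enrollment Chrome tab)."""
    detail = rec.get("deviceDetail") or {}
    os_name = (detail.get("operatingSystem") or "").lower()
    return os_name.startswith("android") and bool(detail.get("browser"))

def unexpected_pairs(records, expected=EXPECTED_PAIRS):
    """Group Android browser sign-ins whose (appId, resourceId) is not expected."""
    groups = defaultdict(lambda: {"count": 0, "ca_status": set(), "users": set()})
    for rec in records:
        pair = ((rec.get("appId") or "").lower(), (rec.get("resourceId") or "").lower())
        if not is_android_browser(rec) or pair in expected:
            continue
        entry = groups[pair]
        entry["count"] += 1
        entry["app"] = rec.get("appDisplayName")
        entry["resource"] = rec.get("resourceDisplayName")
        entry["ca_status"].add(rec.get("conditionalAccessStatus"))
        entry["users"].add(rec.get("userPrincipalName"))
    return dict(groups)

if __name__ == "__main__":
    for pair, entry in unexpected_pairs(SAMPLE).items():
        print(pair, entry["app"], "->", entry["resource"], entry["count"], entry["ca_status"])
```

Any pair reported here is one to compare against the cloud apps your policies include or exclude, and to raise with support if it is not selectable in the tenant.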