Conditional Access
Conditional Access Policy Not Allowing Users to Access AVD
We have an existing Conditional Access policy which requires a user's device to be marked as "compliant" in order to access "All Agent Resources". We are trying to deploy an AVD as an alternative to allowing users to use personal devices, but this CA policy seems to be interfering with users being able to access the AVD via Windows App. The device they're accessing from isn't "compliant", with Intune enrollment being one of the requirements for being compliant. Again, we do not want to allow personal devices into Intune, which the MSP allowed previously. The CA policy is applied to all users EXCEPT for specific users in an exclusion group. Putting users in this exclusion group allows them to access the AVD via Windows App, but at this point they can just access all resources from their personal machine, defeating the purpose of the AVD.

Target Resources
Include: All Resources
Exclude: The AVD itself, Windows 365, Azure Virtual Desktop, Azure Windows VM Sign-in

Conditions
Device Platforms: Windows, macOS
Client apps: Browser, Mobile apps and desktop clients, Exchange ActiveSync clients, Other clients are all checked

Grant Access
Require MFA and Require device to be marked as compliant are both checked.

Access to the AVD works in the browser but not in Windows App.

Cert Based Auth no longer working on Android devices
Curious as to how widespread this is/will be. Windows and iOS are fine; only Android is affected. You can easily test this by revoking MFA sessions on a user who is using cert based auth on an Android phone. I'm not sure if there has been an update recently to the Android Microsoft Office apps where they think the certs live inside the Intune Company Portal and are not looking for certs in the phone's cert store. BYOD work profile Android 14 phones are being problematic: when a user changed their password and Azure revoked their sessions for a reauth, the issue started occurring. I tested this on another user, manually revoking their MFA sessions without changing their password, and the same issue occurred. I also set up a brand new Android phone and had the same issue after enrolling it. The issue is when the user opens Outlook or Teams and goes to sign in, it will pop up asking to use a cert on the device or a physical key. When selecting "on the device", the phone will freeze; it will then eventually say "Company Portal isn't responding" with the options of wait or cancel. Opening Chrome in the work profile and going to an Office app site will pop up asking for the cert and works fine. So the issue doesn't appear to be the phone getting the cert, just the Office apps not accessing the phone's cert store. I can confirm the cert is inside the work profile, as a browser or cert viewer app inside the work profile can see it; auths work fine when using a browser in the work profile, just not Outlook or Teams inside the work profile.

Blocking users using Edge add-ons store
Hi all, I am really struggling to find a way to stop users getting to this location: https://microsoftedge.microsoft.com/addons/microsoft-edge-extensions-home and adding add-ons. I have tried multiple Intune policies, like blocking the sidebar. Any ideas?

Trying to set up CA rules for mobile devices
Hi! I'm stuck with a CA policy setup and could really use some help.

What I'm trying to do:
- Enrolled/Compliant devices (Android/iOS): Full access to everything (all cloud apps, browser, native apps, no restrictions)
- Unenrolled BYOD devices (Android/iOS): Can ONLY access Teams and Outlook through APP-protected mobile apps (no web access, no other Microsoft services; the app protection policies are already set up)

My Current CA Policy Setup:

Policy 1: Enrolled Devices - Full Access
Target resources: All cloud apps
Users: My test user
Conditions: Device platforms: Android, iOS; Client apps: Browser + Mobile apps and desktop clients (both checked)
Grant: Require device to be marked as compliant

Policy 2: BYOD - Block Everything Except Teams/Outlook
Target resources: All cloud apps
Exclude: Office 365 Exchange Online, Microsoft Teams Services, Microsoft Outlook
Users: My test user
Conditions: Device platforms: Android, iOS; Filter for devices: device.isCompliant -ne True
Grant: Block access

Policy 3: BYOD - Allow APP-Protected Teams/Outlook Only
Target resources: Office 365 Exchange Online, Microsoft Teams Services, Microsoft Outlook
Users: My test user
Conditions: Device platforms: Android, iOS; Client apps: Only "Mobile apps and desktop clients" checked (Browser unchecked); Filter for devices: device.isCompliant -ne True
Grant: Require app protection policy

The Problem: When I am logging in from an unenrolled device into the Outlook or Teams mobile app, they get redirected to a web page and see:
"You cannot access this right now"
"App Name: Microsoft Intune web company portal"

What I've Tried:
- Adding exclusions for "Microsoft Intune Web Company Portal" (can't find it in the cloud apps list)
- Searching for "Microsoft Mobile Application Management" (doesn't appear)
- Searching for "Intune Company Portal" (doesn't show up either)
- I added Microsoft Intune (which I finally found

What I think happens: The issue is that APP enrollment requires accessing the Intune Web Company Portal during authentication, but Policy 2 is blocking it. I need to exclude this service from the blocking policy, but I can't find the right app to exclude.

Questions:
- What's the correct cloud app name/ID I need to exclude to allow APP enrollment to work?
- Is there a better way to structure these policies to avoid this issue?

Any help would be greatly appreciated!

Microsoft Intune Company Portal for Linux and Conditional Access Issue
Greetings everyone, I have the following scenario implemented regarding Conditional Access:

Rule#1: For pilotuser1, for all cloud apps, for all platforms --> Require MFA
Rule#2: For pilotuser1, for all cloud apps except Microsoft Intune Enrollment and Microsoft Intune, for all platforms --> Require device marked as compliant

This should allow me to successfully enroll a non-enrolled device in Intune and require device compliance for the other workloads. For Windows it works just fine. The problem lies with Linux. Following the instructions on Enroll a Linux device in Intune | Microsoft Learn & Get the Microsoft Intune app for Linux | Microsoft Learn, I installed the Intune App and Edge (Version 109.0.1518.52 (Official build) (64-bit)) on a VM with Ubuntu 22.04. I open the Intune App and try to sign in: the first step is to register the device on Azure AD, which goes without a problem --> On the next stage I get the following and press continue: At this stage Microsoft Edge opens and I sign in successfully, but the Intune App throws an error: The sign-in logs on Azure AD show that even though I excluded Intune Enrollment from the CA policy, it is not enough.

Sign-in error code: 530003
Failure reason: Your device is required to be managed to access this resource.
Additional Details: The requested resource can only be accessed using a compliant device. The user is either using a device not managed by a Mobile-Device-Management (MDM) agent like Intune, or it's using an application that doesn't support device authentication. The user could enroll their devices with an approved MDM provider, or use a different app to sign in, or find the app vendor and ask them to update their app. More details available at https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-device-remediation
Application: Microsoft Intune Company Portal for Linux
Application ID: b743a22d-6705-4147-8670-d92fa515ee2b
Resource: Microsoft Graph
Resource ID: 00000003-0000-0000-c000-000000000000
Client app: Mobile Apps and Desktop clients
Client credential type: None
Resource service principal ID: 01989347-a263-48ef-a8d7-583ee83db9a2
Token issuer type: Azure AD

Apparently something is different in the enrollment process of Linux, because I had no issues with Windows 10 enrollment. Any thoughts on the subject would be appreciated.

Kind Regards,
Panos

Conditional Access and -Online Device registration error
So there was an issue creating new discussions yesterday and I ended up with a discussion with heading only. :) We're using the Get-WindowsAutopilotInfo.ps1 script with the -Online switch to register our Entra Joined devices, and the process is being blocked by Conditional Access. The sign-in logs point to Microsoft Graph Command Line Tools (App ID: 14d82eec-204b-4c2f-b7e8-296a70dab67e) as the blocker. Microsoft Support suggested whitelisting several apps, but unfortunately, that hasn't resolved the issue, likely because the device doesn't have the compliant state during online registration. We're currently evaluating whether a dedicated service account with scoped permissions for Autopilot enrollment might be a workaround. Would be great to hear if anyone else has found a reliable solution.

Edge Mobile prompting users to Allow opening app using Custom URI Scheme
Somewhat recently, perhaps with the release of iOS 26, Microsoft Edge began prompting users to "Allow" or "Don't allow" a site to open another application when using a Custom URI Scheme. This causes an unnecessary step in our users' authentication process, especially when Conditional Access policies are enabled, as Edge must be used to pass the CA conditions. This occurs even when the custom-intunemam:// scheme is used to open the Intune-enabled application from Edge. I am wondering if there is an Edge Mobile / Intune configuration setting that we could configure to bypass the prompt. Thanks!

How to force Intune client in Ubuntu to sync automatically
Hello, in my company we have enrolled our Devs' Ubuntu devices to control some security settings and to allow or deny access to our company apps and content. We have set compliance policies and enabled Conditional Access to check them. I was surprised this morning by the last check-in date of my Ubuntu laptops; I asked my Devs about their last sign-in in the Company Portal client, and the date matches the last check-in date. I concluded that the Company Portal is syncing only when the user opens it and signs in. This is a big problem for us because we are ISO 27001 certified and we must check all devices' compliance. Does somebody have a script to deploy on those Ubuntu devices to force a sync every day, while waiting for a Microsoft evolution of this process?

Thanks a lot and regards,
Majid