Trying to setup CA rules for Mobile devices.
Hi! I'm stuck with a CA policy setup and could really use some help. What I'm trying to do: Enrolled/Compliant devices (Android/iOS): Full access to everything (all cloud apps, browser, native apps - no restrictions) Unenrolled BYOD devices (Android/iOS): Can ONLY access Teams and Outlook through APP-protected mobile apps (no web access, no other Microsoft services, the app protection policies are already setup) My Current CA Policy Setup: Policy 1: Enrolled Devices - Full Access Target resources: All cloud apps Users: My test user Conditions: Device platforms: Android, iOS Client apps: Browser + Mobile apps and desktop clients (both checked) Grant: Require device to be marked as compliant Policy 2: BYOD - Block Everything Except Teams/Outlook Target resources: All cloud apps Exclude: Office 365 Exchange Online, Microsoft Teams Services, Microsoft Outlook Users: My Test user Conditions: Device platforms: Android, iOS Filter for devices: device.isCompliant -ne True Grant: Block access Policy 3: BYOD - Allow APP-Protected Teams/Outlook Only Target resources: Office 365 Exchange Online Microsoft Teams Services Microsoft Outlook Users: My Test user Conditions: Device platforms: Android, iOS Client apps: Only "Mobile apps and desktop clients" checked (Browser unchecked) Filter for devices: device.isCompliant -ne True Grant: Require app protection policy The Problem: When I am logging in from a unenrolled device into the Outlook or Teams mobile app, they get redirected to a web page and see: "You cannot access this right now" "App Name: Microsoft Intune web company portal" What I've Tried: Adding exclusions for "Microsoft Intune Web Company Portal" (can't find it in the cloud apps list) Searching for "Microsoft Mobile Application Management" (doesn't appear) Searching for "Intune Company Portal" (doesn't show up either) I added Microsoft Intune (which I finally found What I think happens: The issue is that APP enrollment requires accessing the Intune Web Company Portal during authentication, but Policy 2 is blocking it. I need to exclude this service from the blocking policy, but I can't find the right app to exclude. Questions: What's the correct cloud app name/ID I need to exclude to allow APP enrollment to work? Is there a better way to structure these policies to avoid this issue? Any help would be greatly appreciated!
Microsoft Intune Company Portal for Linux and Conditional Access Issue
Greetings everyone, I have the following scenario implemented regarding conditional access: Rule#1: For pilotuser1, for all cloud apps, for all platforms --> require MFA Rule#2: For pilotuser1, for all cloud apps except Microsoft Intune Enrollment and Microsoft Intune, for all platforms --> Require Device marked as compliant This should allow me to enroll to Intune successfully a non-enrolled device and require the device compliance for the other workloads. For Windows it works just fine. The problem lies with Linux. Following the instructions on Enroll a Linux device in Intune | Microsoft Learn & Get the Microsoft Intune app for Linux | Microsoft Learn I installed Intune App and Edge (Version 109.0.1518.52 (Official build) (64-bit)) on a VM with Ubuntu 22.04. I open the Intune App and try to sign in: First step is to Register the Device on Azure AD, it goes without a problem --> On the next stage I get the following and press continue: At this stage Microsoft Edge opens and I sign in successfully but the Intune App throws an error: The sign in logs on Azure AD show that even though I excluded Intune Enrollment from the CA policy, it is not enough. Sign-in error code: 530003 Failure reason: Your device is required to be managed to access this resource. Additional Details: The requested resource can only be accessed using a compliant device. The user is either using a device not managed by a Mobile-Device-Management (MDM) agent like Intune, or it's using an application that doesn't support device authentication. The user could enroll their devices with an approved MDM provider, or use a different app to sign in, or find the app vendor and ask them to update their app. More details available at https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-device-remediation Application: Microsoft Intune Company Portal for Linux Application ID: b743a22d-6705-4147-8670-d92fa515ee2b Resource : Microsoft Graph Resource ID: 00000003-0000-0000-c000-000000000000 Client app: Mobile Apps and Desktop clients Client credential type: None Resource service principal ID: 01989347-a263-48ef-a8d7-583ee83db9a2 Token issuer type: Azure AD Apparently something is different in the enrollment process of Linux because I had no issues with Windows 10 enrollment . Any thoughts on the subject would be appreciated. Kind Regards, PanosEntra Verified ID: CAP Preview Feature to require Face Check
During one of the MS demo video, I saw a preview feature for Conditional Access Policy to require "Face Check". I have now enabled Entra Verified ID and also switched on Face Check. When I create a new CAP, I do not see the "Require Face Check" option under the Grant. How can I request to have this feature released to my tenant? Thanks!
Conditional Access and -Online Device registration error
So there was an Issue creating new discussions yesterday and I ended up with a discussion with Heading only. :) We're using the Get-WindowsAutopilotInfo.ps1 script with the -Online switch to register our Entra Joined Devices, and the process is being blocked by Conditional Access. The sign-in logs point to Microsoft Graph Command Line Tools (App ID: 14d82eec-204b-4c2f-b7e8-296a70dab67e) as the blocker. Microsoft Support suggested whitelisting several apps, but unfortunately, that hasn’t resolved the issue—likely because the device doesn’t have the compliant state during online registration. We’re currently evaluating whether a dedicated service account with scoped permissions for Autopilot enrollment might be a workaround. Would be great to hear if anyone else has found a reliable solution.Stolen session token from Edge
We can steal the session token from Edge using tools like Burp Suite or Fiddler to intercept proxy traffic on the mobile phone, even when the Edge is MAM protected by Intune. This makes the Edge browser unsafe to use for Enterprise Applications on personal mobile. Recently I discovered that the https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-token-protection in Conditional Access Policy. However it is only available for Windows. I am wondering if anyone knows when it would become available for mobile on Entra roadmap. Also, if you know any Edge configuration, I could use to stop Token Theft, please let me know! Thank you everyone."sign-in frequency" every time not working as expected and described.
We have several PIM managed groups in an Entra ID tenant. Members are added as eligible. For the activation of the memberships an Authentication Context is created which is linked to a conditional access policy. The conditional access policy requires MFA with phishing resistant authentication factors, and "sign in frequency" is set to "every time". When activating membership authentication is required. When activating membership to another group (>5min in between activations) one would expect to request an authentication prompt, as described in Microsoft documentation. In Firefox this works as expected, In Edge and Chrome there is no re-authentication required every time, and sometimes even not for the first activation, not even in an in-private session. The device is not joined to this tenant, and the account used to log on is different from the one used to logon to the Entra ID portal. This is a test tenant with only those CA rules configured, no other policies or rules are in place. Anyone experiencing the same, or knowing the cause?
Edge Mobile prompting users to Allow opening app using Custom URI Scheme
Somewhat recently, perhaps with release of IOS 26, Microsoft Edge began prompting users to "Allow" or "Don't allow" a site to open another application when using a Custom URI Scheme. This causes an unnecessary step in our user's authentication process especially when Conditional Access policies are enabled as Edge must be used to pass the CA conditions. This occurs even when the custom-intunemam:// scheme is used to open the Intune enabled application from Edge. I am wondering if there is an Edge Mobile - Intune configuration/setting that we could configure to bypass the prompt. Thanks!
