User Profile
Abdullah_Ollivierre
Copper Contributor
Joined 3 years ago
Recent Discussions
Conditional Access Policy Loop with Edge on BYOD Devices – Need Help!
Hello Tech Community,

I'm facing an issue with an Azure AD Conditional Access Policy that seems to be causing a loop when users access Office 365 resources using Microsoft Edge on Windows 11 24H2 BYOD devices. Here's the scenario:

Problem: The policy is titled "Require App Protection Policy for Edge on Windows for All Users when Browser and Non-Compliant-v1.0" and continuously prompts users to switch profiles in Edge. These devices are BYOD and intentionally excluded from full Intune management (non-compliant by design). However, Edge repeatedly requests authentication or profile switching, creating a frustrating experience.

Policy Details:
- Applies to: Windows devices using browsers (primarily Edge).
- Excludes: Compliant devices or those with trustType = ServerAD.
- Includes: Office 365 applications.
- Excludes Groups: Certain groups that should bypass the policy.

What I've Tried:
- Verified device compliance status in Azure AD and Intune.
- Checked Azure AD Sign-In Logs for errors or repetitive authentications.
- Cleared Edge browser cache and cookies.
- Ensured Edge is configured to use Windows sign-in information.
- Adjusted the App Protection Policy settings for Edge.

Questions:
- Could this be an issue with how Edge handles profile authentication in Conditional Access scenarios?
- How can I ensure that BYOD devices remain excluded from full Intune management but still work seamlessly with this policy?
- Are there specific adjustments I can make to the Conditional Access or App Protection Policy to avoid these loops?

Additional Context: My goal is to secure access using App Protection Policies (MAM) for BYOD scenarios without requiring full device enrollment in Intune. Any insights, suggestions, or similar experiences would be greatly appreciated! Thank you in advance for your help!
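As an added check for the scenario above (this is editor-supplied example code, not part of the original post or a Microsoft script), the following reads the named Conditional Access policy's scoping conditions and then scans one user's Entra sign-in log for the back-to-back Edge sign-ins that a loop produces. It assumes the Microsoft.Graph PowerShell SDK; the UPN, the four-hour look-back and the 120-second "back-to-back" threshold are placeholders to adjust.

```powershell
# Added example: inspect the CA policy from the post and look for sign-in loops.
# Assumes Microsoft.Graph SDK (Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Reports).
Connect-MgGraph -Scopes "Policy.Read.All", "AuditLog.Read.All", "Directory.Read.All"

$policyName = "Require App Protection Policy for Edge on Windows for All Users when Browser and Non-Compliant-v1.0"
$upn        = "user@contoso.example"   # placeholder UPN of an affected BYOD user

# 1. Which conditions put an unenrolled BYOD device in scope? For this policy the relevant
#    parts are the platform, the client app type, the device filter (where "compliant or
#    ServerAD" exclusions live) and the grant control that triggers the Edge profile prompt.
$policy = Get-MgIdentityConditionalAccessPolicy -All | Where-Object DisplayName -eq $policyName
if (-not $policy) { throw "Policy '$policyName' not found" }
$c = $policy.Conditions
[pscustomobject]@{
    State            = $policy.State
    IncludePlatforms = ($c.Platforms.IncludePlatforms -join ", ")
    ClientAppTypes   = ($c.ClientAppTypes -join ", ")
    IncludeApps      = ($c.Applications.IncludeApplications -join ", ")
    DeviceFilterMode = $c.Devices.DeviceFilter.Mode      # expect "exclude"
    DeviceFilterRule = $c.Devices.DeviceFilter.Rule      # e.g. device.isCompliant -eq True -or device.trustType -eq "ServerAD"
    GrantOperator    = $policy.GrantControls.Operator
    GrantControls    = ($policy.GrantControls.BuiltInControls -join ", ")   # expect compliantApplication
} | Format-List

# 2. Pull the user's recent sign-ins and keep the Edge ones.
$since   = (Get-Date).ToUniversalTime().AddHours(-4).ToString("yyyy-MM-ddTHH:mm:ssZ")
$signins = Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$upn' and createdDateTime ge $since"
$edge    = $signins | Where-Object { $_.DeviceDetail.Browser -like "Edge*" } | Sort-Object CreatedDateTime

# 3. Per sign-in: was the device seen as compliant/hybrid-joined (i.e. excluded), and what
#    did this policy decide? IsCompliant empty and TrustType empty means "in scope every time".
$edge | ForEach-Object {
    $applied = $_.AppliedConditionalAccessPolicies | Where-Object DisplayName -eq $policyName
    [pscustomobject]@{
        Time         = $_.CreatedDateTime
        App          = $_.AppDisplayName
        ClientApp    = $_.ClientAppUsed
        IsCompliant  = $_.DeviceDetail.IsCompliant
        TrustType    = $_.DeviceDetail.TrustType
        CAStatus     = $_.ConditionalAccessStatus
        PolicyResult = $applied.Result                 # success / failure / notApplied ...
        ErrorCode    = $_.Status.ErrorCode
    }
} | Format-Table -AutoSize

# 4. Loop signature: repeated sign-ins to the same app only seconds apart.
$edge | Group-Object AppDisplayName | ForEach-Object {
    $times = @($_.Group.CreatedDateTime)
    $backToBack = 0
    for ($i = 1; $i -lt $times.Count; $i++) {
        if (($times[$i] - $times[$i - 1]).TotalSeconds -le 120) { $backToBack++ }
    }
    [pscustomobject]@{ App = $_.Name; SignIns = $_.Count; BackToBack = $backToBack }
} | Sort-Object BackToBack -Descending | Format-Table -AutoSize
```

Read the output together: a high BackToBack count for an app whose rows all show an empty IsCompliant and TrustType confirms the device matches the policy on every request, and the PolicyResult column shows whether the app-protection grant was ever satisfied or keeps failing and re-prompting.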
Re: Allow Polycom models to be enrolled but block other personally owned Android devices.
If you can group them in a Dynamic Device group based on a certain attribute, then yes, you can then target your policies to this Dynamic Device group (syntax based on the attribute that identifies these as Polycom). To find the attribute, look into Entra or the Graph API, or see the list of available attributes when creating a Dynamic Device group.
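An added example of the approach in this reply (editor-supplied, not code from the reply or from Microsoft): inspect real Polycom devices to pick a discriminating attribute, then create the dynamic device group with a membership rule on it. It assumes the Microsoft.Graph PowerShell SDK; the "Poly" prefix and the group names are placeholders to confirm against what step 1 shows in your tenant.

```powershell
# Added example: find the distinguishing attribute, then build the dynamic device group.
# Assumes Microsoft.Graph SDK; "Poly" as manufacturer/name prefix is a placeholder to verify.
Connect-MgGraph -Scopes "Device.Read.All", "Group.ReadWrite.All"

# 1. Look at a few known Polycom devices. Manufacturer and Model are reported by the device
#    itself; displayName can be changed by a user and is a weaker key for a security rule.
Get-MgDevice -Filter "startswith(displayName,'Poly')" -Top 10 |
    Select-Object DisplayName, Manufacturer, Model, OperatingSystem, DeviceOwnership, TrustType

# 2. Membership rule. Dynamic-group property names differ from the Graph names:
#    device.deviceManufacturer / device.deviceModel / device.deviceOSType.
$rule = '(device.deviceManufacturer -startsWith "Poly") and (device.deviceOSType -eq "Android")'

$group = New-MgGroup -DisplayName "Polycom Android phones" `
    -Description "Dynamic: Polycom Android devices (placeholder name)" `
    -MailEnabled:$false -MailNickname "polycom-android" -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

# 3. Membership is evaluated asynchronously; re-run after a few minutes and confirm only
#    the expected devices appear before targeting any policy at the group.
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties.displayName }
```

One caveat when using this for the enrollment question in the thread title: a device only gets an Entra object (and so can only land in a dynamic device group) once it is registered or enrolled, and Intune's device platform enrollment restrictions are assigned to user groups. The dynamic device group is therefore the right target for compliance and configuration policies that apply after enrollment, while the personally-owned Android block itself is decided by the enrollment restriction assigned to the users.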
Re: The security database on the server does not have a computer account for this workstation trust..
This was the answer for me: the AD object for the computer existed on DC0 and did NOT exist on DC1 or DC2, so I ran repadmin /syncall /AdeP on DC0 and now there is a computer object replicated to DC1 and DC2. In other words, the computer used DC0 for the domain join but was trying to use DC1/DC2 for the auth, so because the AD object for the computer did not exist on DC1/DC2 the auth was failing, and the forced replication command worked like a charm. Now we need to figure out why the replication is not working in the first place. Mohammed Ullah
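An added example (editor-supplied, not from the reply) that turns the diagnosis above into a repeatable check: query every domain controller for the computer object, optionally run the same repadmin push the reply used from a DC that has it, and then summarize replication health so the underlying cause can be chased. It assumes the RSAT ActiveDirectory module and repadmin.exe on the machine where it runs; "WS-BROKEN01" is a placeholder computer name.

```powershell
# Added example: verify a computer object exists on every DC; push replication if it does not.
# Assumes RSAT ActiveDirectory module and repadmin.exe; computer name is a placeholder.
function Test-ComputerObjectReplication {
    param(
        [Parameter(Mandatory)] [string]$ComputerName,
        [switch]$ForceSync    # run repadmin /syncall from a DC that holds the object (the fix from the reply)
    )
    Import-Module ActiveDirectory

    # Ask each DC directly (-Server) instead of whichever DC the client happens to pick.
    $result = foreach ($dc in Get-ADDomainController -Filter *) {
        $obj = Get-ADComputer -Filter "Name -eq '$ComputerName'" -Server $dc.HostName -Properties whenCreated
        [pscustomobject]@{
            DC      = $dc.HostName
            Site    = $dc.Site
            Present = [bool]$obj
            Created = $obj.whenCreated
        }
    }
    $result | Format-Table -AutoSize

    $missing = @($result | Where-Object { -not $_.Present })
    $source  = $result | Where-Object Present | Select-Object -First 1
    if ($missing.Count -gt 0 -and $source -and $ForceSync) {
        # /A all naming contexts, /d report servers by DN, /e cross-site (enterprise), /P push from this DC
        Write-Host "Object missing on $($missing.DC -join ', '); pushing from $($source.DC)"
        repadmin /syncall $source.DC /AdeP
    }

    # Why did it not replicate on its own? Per-DC failure counts and last-success times.
    repadmin /replsummary
    repadmin /showrepl /errorsonly

    return $result
}

Test-ComputerObjectReplication -ComputerName "WS-BROKEN01"             # report only
# Test-ComputerObjectReplication -ComputerName "WS-BROKEN01" -ForceSync  # report and push
```

Run it once before the push to capture which DCs were missing the object, and once after; if /replsummary still shows failures or stale "last success" times for DC1/DC2, the join-time symptom was only the visible part of a replication problem that will recur.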
Re: "We can't setup the conversation because your organizations are not setup to talk to each other"
Joe McGowan, the PowerShell cmdlets mentioned here were certainly helpful (using the Microsoft Teams PowerShell module, not the Skype for Business PowerShell module). I fixed this by adding the domain to the allowed list of domains in the Teams Admin center, then waited for 10-15 minutes. I was now able to collaborate with users outside our tenant.
Re: External contact have upgraded to "Teams Only" mode but still show up as a SfB contact
ParLinderoth, fixed after using the M365 admin center diagnostics tool. TL;DR: the user had an external access policy different from everyone else's. Yes, that was the issue. This user had the NoFederationAndPIC value set as their ExternalAccessPolicy. Fixed with:

Grant-CsExternalAccessPolicy -Identity $UserPrincipalName -PolicyName $Policy.Identity

Now they are showing in Teams as Teams when looked up externally from another Teams tenant. Here is the PowerShell script/magic to fix this external access policy:

```powershell
# The external access policy granted to the user does not allow the user to communicate ...
# To enable the user to communicate with external users, do the following:
# Connect to Skype for Business remote PowerShell console to manage your Teams environment. For detailed steps, see Manage Skype for Business Online with PowerShell.
# Run the PowerShell command Get-CsExternalAccessPolicy to locate an external access policy where the parameter EnableFederationAccess is set to 'true'.
# Run the PowerShell command Grant-CsExternalAccessPolicy to grant the external access policy found in the above step to the user.
# For more information regarding the Teams federation configuration, see Manage external access in Microsoft Teams.

Install-Module -Name MicrosoftTeams

function Grant-TeamsExternalAccessPolicy {
    param (
        [Parameter(Mandatory=$true)] [string]$UserName,
        [Parameter(Mandatory=$true)] [string]$Password,          # plain-text password; see the Connect step below
        [Parameter(Mandatory=$true)] [string]$UserPrincipalName
    )

    function Write-Log {
        param (
            [string]$Message,
            [string]$Color = "White"
        )
        Write-Host "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') - $Message" -ForegroundColor $Color
    }

    # Import Teams module
    Write-Log "Importing Teams module..." -Color Yellow
    Import-Module MicrosoftTeams

    # Connect to tenant. Credential sign-in does not work for accounts protected by MFA;
    # for those, call Connect-MicrosoftTeams with no parameters and sign in interactively.
    Write-Log "Connecting to tenant..." -Color Yellow
    $SecurePassword = ConvertTo-SecureString -String $Password -AsPlainText -Force
    $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $UserName, $SecurePassword
    Connect-MicrosoftTeams -Credential $Credential

    # Find an external access policy with EnableFederationAccess set to true
    Write-Log "Searching for an external access policy with EnableFederationAccess set to 'true'..." -Color Yellow
    $Policy = Get-CsExternalAccessPolicy | Where-Object { $_.EnableFederationAccess -eq $true } | Select-Object -First 1

    if ($Policy) {
        Write-Log "Found policy: $($Policy.Identity)" -Color Green
        Write-Log "Granting policy to user '$UserPrincipalName'..." -Color Yellow

        # Grant the external access policy to the user
        Grant-CsExternalAccessPolicy -Identity $UserPrincipalName -PolicyName $Policy.Identity
        Write-Log "Policy granted successfully." -Color Green

        # Verify the granted policy. Get-CsExternalAccessPolicy reports Identity as "Tag:<Name>"
        # (or "Global"), while Get-CsOnlineUser reports the bare name, and $null when the user
        # is on the Global policy, so normalise both sides before comparing.
        Write-Log "Verifying the granted policy..." -Color Yellow
        $UserPolicy   = Get-CsOnlineUser -Identity $UserPrincipalName | Select-Object -ExpandProperty ExternalAccessPolicy
        $ExpectedName = $Policy.Identity -replace '^Tag:', ''
        $ActualName   = if ($UserPolicy) { [string]$UserPolicy } else { "Global" }
        if ($ActualName -eq $ExpectedName) {
            Write-Log "The policy '$($Policy.Identity)' has been successfully granted to the user '$UserPrincipalName'." -Color Green
        } else {
            Write-Log "The policy grant verification failed (user has '$ActualName'). Please check the user's policy settings." -Color Red
        }
    } else {
        Write-Log "No external access policy with EnableFederationAccess set to 'true' was found." -Color Red
    }

    # Cleanup
    Write-Log "Disconnecting from tenant..." -Color Yellow
    # Disconnect-MicrosoftTeams
}

Grant-TeamsExternalAccessPolicy -UserName "email address removed for privacy reasons" -Password "YOUR GLOBAL ADMIN PASSWORD" -UserPrincipalName "email address removed for privacy reasons"
```

More details: https://learn.microsoft.com/en-us/skypeforbusiness/set-up-policies-in-your-organization/create-custom-external-access-policies

Even clearing the cache for Teams by removing the folder called Teams from appdata did not help: https://www.uvm.edu/it/kb/article/clearing-teams-cache/
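The two Teams replies above fix federation at different layers: the "organizations are not setup to talk to each other" reply adds the partner domain at tenant level, and the "Teams Only" reply repairs one user's ExternalAccessPolicy. The following added example (editor-supplied, not code from either reply or from Microsoft) checks both layers in one pass and, unlike the single-user script, finds every user in the tenant whose policy blocks federation. It assumes the MicrosoftTeams module 4.x or later and an interactive sign-in; "fabrikam.example" is a placeholder partner domain, and the AllowedDomainsAsAList/BlockedDomains property shapes are as documented for Get-CsTenantFederationConfiguration and should be confirmed in your module version.

```powershell
# Added example: tenant-level federation check plus a tenant-wide scan for users on
# non-federating external access policies. Assumes MicrosoftTeams module 4.x+.
function Repair-TeamsFederation {
    param(
        [Parameter(Mandatory)] [string]$PartnerDomain,
        [switch]$Fix    # without -Fix the function only reports
    )
    Import-Module MicrosoftTeams
    Connect-MicrosoftTeams    # interactive; works with MFA, unlike a stored password

    # 1. Tenant level: external access on, domain not blocked, and on the allow list
    #    if an allow list is in use (an empty list means "all domains except blocked").
    $fed     = Get-CsTenantFederationConfiguration
    $allowed = @($fed.AllowedDomainsAsAList | ForEach-Object { $_.Domain })
    $blocked = @($fed.BlockedDomains        | ForEach-Object { $_.Domain })

    if (-not $fed.AllowFederatedUsers) {
        Write-Warning "AllowFederatedUsers is off for the tenant"
        if ($Fix) { Set-CsTenantFederationConfiguration -AllowFederatedUsers $true }
    }
    if ($PartnerDomain -in $blocked) {
        Write-Warning "$PartnerDomain is on the blocked list; remove it there before allowing it"
    }
    if ($allowed.Count -gt 0 -and $PartnerDomain -notin $allowed) {
        Write-Warning "$PartnerDomain is not on the allow list ($($allowed -join ', '))"
        if ($Fix) { Set-CsTenantFederationConfiguration -AllowedDomainsAsAList @{Add = $PartnerDomain} }
    }

    # 2. User level: which policies block federation, and who is assigned one of them.
    #    Policy Identity is "Global" or "Tag:<Name>"; the user property is the bare name
    #    or $null for Global, so normalise before comparing.
    $policies      = Get-CsExternalAccessPolicy
    $nonFederating = @($policies | Where-Object { -not $_.EnableFederationAccess } |
                       ForEach-Object { $_.Identity -replace '^Tag:', '' })
    $target        = $policies | Where-Object { $_.EnableFederationAccess } | Select-Object -First 1
    if (-not $target) { throw "No external access policy with EnableFederationAccess = True exists" }

    # Large tenants: replace with a server-side -Filter on ExternalAccessPolicy.
    $affected = Get-CsOnlineUser | ForEach-Object {
        $name = if ($_.ExternalAccessPolicy) { [string]$_.ExternalAccessPolicy } else { "Global" }
        if ($name -in $nonFederating) {
            [pscustomobject]@{ UserPrincipalName = $_.UserPrincipalName; Policy = $name }
        }
    }
    $affected | Format-Table -AutoSize

    if ($Fix) {
        foreach ($u in $affected) {
            Grant-CsExternalAccessPolicy -Identity $u.UserPrincipalName -PolicyName $target.Identity
        }
    }
    return $affected
}

Repair-TeamsFederation -PartnerDomain "fabrikam.example"        # report only
# Repair-TeamsFederation -PartnerDomain "fabrikam.example" -Fix  # apply tenant and user fixes
```

Run it in report mode first: a user showing "Global" in the Policy column is only affected if the Global policy itself has EnableFederationAccess off, which is why the function checks the policy definitions rather than hard-coding the NoFederationAndPIC name from the reply. Changes at both layers take several minutes to propagate, consistent with the 10-15 minute wait mentioned above.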