Conditional Access Policy Frustration

Matt Dillon 1,221 Reputation points
2024-01-11T22:37:05.5+00:00

I do what I am asked. I was asked to build a policy that would prevent using Office 365 apps or access to Online apps unless the device was either Entra Registered or Entra Joined. I have this working 99%. The issue is that I cannot enroll new devices into Autopilot because I keep getting blocked by Conditional Access. I know the easy answer is to just add another user to the exception, but I wanted to figure out why it was not working.

Policy is set like this:
Users - Include All Users; Exclude A rarely used Admin Account

Target Resources - Include - Office 365; Exclude Admin Portals, Msft Graph Command Line, Intune, Intune Enrollment, Intune PowerShell

Conditions - Device platforms: Any device; Client apps: All four listed Browser - Other clients; Filter for devices - Exclude trusttype = Microsoft Entra Registered or Entra Joined

Grant - Block Access

On a device not registered in my Entra, I can sign in to the Intune portal with no issue. Sign-in logs shows for Conditional Access: Application - Azure Portal - Not matched - Not Included.

This tells me that the exclude rule for Azure Portal is working.

On a reset device not enrolled or registered anywhere, I start admin PowerShell, install the get-windowsautopilotinfo script and then run it with the -online and get prompted for creds. I enter my account name and then the password and then get denied from Conditional Access. Here is the screenshot of the error I see in the logs:User's image

The only way around this is to exclude the user doing the autopilot enrolment, but I would prefer not to have to do it that way. ANyone have any thoughts if what I need to do is possible?

Microsoft Intune Security
Microsoft Intune Security
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
446 questions
Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
5,365 questions
{count} vote

2 answers

Sort by: Most helpful
  1. Michael Morten Sonne 595 Reputation points MVP
    2024-01-11T22:42:05.3233333+00:00

    Hi Matt,

    Have you excluded the "Microsoft Intune Enrollment" App is this scenario in your Policy? - Edit: I miss that, in your test, sorry..

    1 person found this answer helpful.

  2. ZhoumingDuan-MSFT 14,870 Reputation points Microsoft Vendor
    2024-01-12T05:39:49.47+00:00

    @Matt Dillon,Thanks for posting in Q&A.

    From your description, I know you had problems with Conditional Access policy.

    To narrow down this issue, could you please view the Sign-in logs under Conditional Access, check if there existing some related errors and share it? In Sign-in logs, click one record you want to check, and you can see the activity details, such as Status, Troubleshoot Event and which Conditional Access you have applied. User's image

    Please try above information, if there is any update, feel free to contact me.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.