This article is contributed. See the original author and article here.

By Wayne Bennett – Sr Program Manager | Microsoft Endpoint Manager – Intune


 


Using Microsoft Endpoint Manager – Microsoft Intune to set your company’s terms and conditions meets the requirements of many organizations. However, the Azure Active Directory (Azure AD) terms of use feature offers greater functionality— including terms of use in different languages and integration with Conditional Access in the form of grant controls. You can learn more about the differences between the two solutions in this blog post.


 


Potential to block access to Intune


If you’ve configured the Azure AD terms of use solution and set a grant control to require users to accept terms of use in your Conditional Access policy, you need to be aware of a configuration scenario that might unintentionally block access for your users when they try to enroll into Intune.


 


Typical configuration


When creating an Azure AD terms of use policy, you have the option to select Require users to consent on every device. If you choose this setting, you will see the Consent on every device will require users to register each device with Azure AD prior to getting access warning. Once saved, you are unable to change this setting.


 


Example screenshot to register each device with Azure AD prior to getting access in a Conditional Access policyExample screenshot to register each device with Azure AD prior to getting access in a Conditional Access policy


 


After you create the terms of use policy, the next step is to create a Conditional Access policy. As shown in the following example, many organizations will target All Cloud Apps without configuring any exclusions.


 


Example screenshot of targeting All cloud apps in a Conditional Access policyExample screenshot of targeting All cloud apps in a Conditional Access policy


 


Additionally, many organizations will select Require device to be marked as compliant grant controls and require users to accept the Azure AD terms of use policy.


 


Example screenshot of configuring both the "Require device to be marked as compliant" and "Terms of Use" policies under the Grant controlExample screenshot of configuring both the “Require device to be marked as compliant” and “Terms of Use” policies under the Grant control


 


Blocking enrollment issue


The combination of Azure AD terms of use requiring users to consent on every device, Conditional Access policy targeting All Cloud Apps, and the control requiring the user to accept the Azure AD terms of use results in the following unintended behaviour during the Intune enrollment process:



  • Once the user has authenticated in the Company Portal, prior to Azure AD terms of use appearing, the Help us keep your device secure message will appear. The user will be prompted to install the Microsoft Authenticator app, Conditional Access controls will begin a continuous registration cycle, and the user will be unable to complete enrollment.


 


The issue is caused by selecting Require users to consent on every device, requiring users to register each device with Azure AD prior to getting access, as per the warning, when creating the terms of use policy.


 


Example screenshot of the "Help us keep your device secure" messageExample screenshot of the “Help us keep your device secure” message


 


Prevent Intune enrollment from being blocked


There are two methods to keep the enrollment blocking scenario from occurring:


 


Method 1: The Terms of use dialog


The first method is to ensure that Require users to consent on every device in the Terms of use dialog remains at the default Off setting when creating the Azure AD terms of use policy.


 


Note


Once the Azure AD terms of use policy is created, it is not possible to edit the Require users to consent on every device setting. You must create and target a new terms of use policy in the Conditional Access policy.


 


Method 2: Exclude cloud apps


The second method is to exclude certain cloud apps from Conditional Access targeting. The Per-device terms of use section of the Azure Active Directory terms of use documentation states that “The Intune Enrollment app is not supported. Ensure that it is excluded from any Conditional Access policy requiring Terms of Use policy.” However, excluding the Microsoft Intune Enrollment cloud app is not sufficient— as the example below shows, you must also exclude the Microsoft Intune cloud app.


 


Example screenshot of excluding "Microsoft Intune" and "Microsoft Intune Enrollment" from the Cloud apps or actions listExample screenshot of excluding “Microsoft Intune” and “Microsoft Intune Enrollment” from the Cloud apps or actions list


 


Conclusion


Changing your configuration using either of the suggested methods will prevent the Intune enrollment blocking scenario. Before you make any change, be sure to evaluate the settings so you don’t impact any existing Conditional Access requirements.


 


More info and feedback


For further resources on this subject, please see the links below.


 


Plan an Azure Active Directory Conditional Access Deployment


Troubleshoot Conditional Access using the What If tool


What is Microsoft Intune


Conditional Access require terms of use


Cloud apps or actions in Conditional Access policy


Device compliance policies in Microsoft Intune


 


Let us know if you have any additional questions by replying to this post or reaching out to @IntuneSuppTeam  on Twitter.

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.