I do what I am asked. I was asked to build a policy that would prevent using Office 365 apps or access to Online apps unless the device was either Entra Registered or Entra Joined. I have this working 99%. The issue is that I cannot enroll new devices into Autopilot because I keep getting blocked by Conditional Access. I know the easy answer is to just add another user to the exception, but I wanted to figure out why it was not working.
Policy is set like this:
Users - Include All Users; Exclude A rarely used Admin Account
Target Resources - Include - Office 365; Exclude Admin Portals, Msft Graph Command Line, Intune, Intune Enrollment, Intune PowerShell
Conditions - Device platforms: Any device; Client apps: All four listed Browser - Other clients; Filter for devices - Exclude trusttype = Microsoft Entra Registered or Entra Joined
Grant - Block Access
On a device not registered in my Entra, I can sign in to the Intune portal with no issue. Sign-in logs shows for Conditional Access: Application - Azure Portal - Not matched - Not Included.
This tells me that the exclude rule for Azure Portal is working.
On a reset device not enrolled or registered anywhere, I start admin PowerShell, install the get-windowsautopilotinfo script and then run it with the -online and get prompted for creds. I enter my account name and then the password and then get denied from Conditional Access. Here is the screenshot of the error I see in the logs:
The only way around this is to exclude the user doing the Autopilot enrollment, but I would prefer not to have to do it that way. Anyone have any thoughts on whether what I need to do is possible?
Hi Matt,
Have you excluded the "Microsoft Intune Enrollment" app in this scenario in your policy? - Edit: I missed that in your test, sorry.
@Matt Dillon, thanks for posting in Q&A.
From your description, I know you had problems with Conditional Access policy.
To narrow down this issue, could you please view the Sign-in logs under Conditional Access, check whether there are any related errors, and share them? In Sign-in logs, click the record you want to check, and you can see the activity details, such as Status, Troubleshoot Event and which Conditional Access policy was applied.
Please try the above information; if there is any update, feel free to contact me.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
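The sign-in log check suggested above can be scripted so that the blocked enrollment sign-in and the policy's exclusion list are shown side by side. The following is an added example, not code from the thread or from Microsoft; it uses the Microsoft Graph PowerShell SDK cmdlets `Connect-MgGraph`, `Get-MgAuditLogSignIn` and `Get-MgIdentityConditionalAccessPolicy`. The user principal name, policy display name and look-back window are placeholders to replace with your own values.

```powershell
# Added example: list recent sign-ins for the enrolling account, show which
# Conditional Access policies fired (and with what result), and compare the
# resource that was blocked against the policy's excluded applications.
# Assumes the Microsoft.Graph SDK is installed (Reports and Identity.SignIns modules).
function Show-CaSignInDiagnostics {
    param(
        [string]$UserPrincipalName = 'enroll-admin@contoso.example',          # placeholder
        [string]$PolicyDisplayName = 'Block O365 from unregistered devices',  # placeholder
        [int]$Hours = 24
    )

    # Read-only scopes: sign-in logs and Conditional Access policy definitions.
    Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Policy.Read.All' | Out-Null

    # Graph OData filter: this user's sign-ins within the look-back window.
    $since  = (Get-Date).ToUniversalTime().AddHours(-$Hours).ToString('yyyy-MM-ddTHH:mm:ssZ')
    $filter = "userPrincipalName eq '$UserPrincipalName' and createdDateTime ge $since"
    $signIns = Get-MgAuditLogSignIn -Filter $filter -All

    # Pull the policy so the excluded resource IDs and device filter are visible.
    $policy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$PolicyDisplayName'" |
              Select-Object -First 1
    if (-not $policy) {
        Write-Warning "No Conditional Access policy named '$PolicyDisplayName' was found."
    }
    $excluded = @()
    if ($policy) {
        $excluded = @($policy.Conditions.Applications.ExcludeApplications)
        Write-Host "Policy '$($policy.DisplayName)' state: $($policy.State)"
        Write-Host "  Excluded application IDs : $($excluded -join ', ')"
        Write-Host "  Device filter mode/rule  : $($policy.Conditions.Devices.DeviceFilter.Mode) / $($policy.Conditions.Devices.DeviceFilter.Rule)"
        Write-Host ''
    }

    foreach ($s in $signIns | Sort-Object CreatedDateTime -Descending) {
        Write-Host "$($s.CreatedDateTime)  status=$($s.ConditionalAccessStatus)  error=$($s.Status.ErrorCode)"
        Write-Host "  Client app   : $($s.AppDisplayName) ($($s.AppId)) via $($s.ClientAppUsed)"
        Write-Host "  Resource     : $($s.ResourceDisplayName) ($($s.ResourceId))"
        Write-Host "  Device trust : $($s.DeviceDetail.TrustType)  OS: $($s.DeviceDetail.OperatingSystem)"

        # Every policy evaluated for this sign-in, with its result and grant controls.
        foreach ($p in $s.AppliedConditionalAccessPolicies) {
            $controls = ($p.EnforcedGrantControls -join ',')
            Write-Host "    [$($p.Result)] $($p.DisplayName) controls=$controls"
        }

        # Target-resource exclusions match on the resource ID, not the client app,
        # so show whether the blocked resource is actually in the exclusion list.
        if ($s.ConditionalAccessStatus -eq 'failure' -and $policy) {
            $isExcluded = $excluded -contains $s.ResourceId
            Write-Host "  -> resource $($s.ResourceId) in policy exclusions: $isExcluded"
        }
        Write-Host ''
    }
}

# Usage: run in an elevated PowerShell session with the Graph SDK installed.
Show-CaSignInDiagnostics -UserPrincipalName 'enroll-admin@contoso.example' -Hours 6
```

The useful line for this thread is the final `-> resource ... in policy exclusions` check: a Conditional Access "Target resources" exclusion is evaluated against the resource the token was requested for (the `ResourceId` of the sign-in), not against the client that prompted for credentials, so a sign-in that is blocked while a related app is excluded usually means the resource being requested is not the one on the exclusion list.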