
Conditional Access vs Intune enrollment — avoid blocking onboarding

After tightening Conditional Access, Intune enrollment breaks? Diagnose the device-vs-policy conflict and fix it safely with Entra What If.

Scenario

You tighten Conditional Access: Microsoft 365 access only from devices marked compliant or managed by the organization. After rollout, new devices cannot finish Intune enrollment—users see a sign-in loop or a blocked enrollment app message.

Diagnosis

This is the classic chicken-and-egg conflict: the device must enroll before Intune can mark it compliant, but the enrollment sign-in itself targets the Microsoft Intune Enrollment cloud app, which a policy scoped to “All cloud apps” (or “All resources”) already covers. Conditional Access evaluates every policy that matches a sign-in, and the grant controls of all of them must be satisfied; a device that is not yet enrolled can never satisfy “require compliant device”, so onboarding stalls. In the Entra sign-in logs this shows as Conditional Access status Failure on the Microsoft Intune Enrollment app, with the device policy listed under the applied policies.

Step-by-step remediation

Step 1 — exclude the enrollment app from the device policy

  1. Sign in to the Microsoft Entra admin center with at least the Conditional Access Administrator role.
  2. Open Protection → Conditional Access → Policies and open the policy that requires a compliant or hybrid Entra joined device (the one you just tightened).
  3. Under Target resources → Cloud apps → Exclude → Select excluded cloud apps, add Microsoft Intune Enrollment and save. This exclusion is the actual fix: Conditional Access has no “allow” rule that overrides another policy, every policy that matches a sign-in must be satisfied, so a second, more permissive policy on its own would leave enrollment blocked.

Step 2 — dedicated enrollment policy

  1. Back in Policies, choose + New policy and name it clearly, e.g. CA-IntuneEnrollment-AllowUnmanaged, so operators know its purpose.
  2. Under Assignments → Users, scope a pilot group (avoid broad “All users” until validated).
  3. Under Target resources → Cloud apps → Include → Select apps, pick Microsoft Intune Enrollment.

Step 3 — grant controls

  1. Under Grant, choose Grant access and Require multifactor authentication; do not select Require device to be marked as compliant or Require Microsoft Entra hybrid joined device for this policy. It cannot relax anything by itself; its job is to keep MFA on the enrollment sign-in now that device state is no longer checked there, and to give the pilot group a named, reviewable rule.
  2. Set the policy state to Report-only first, check the report-only results for the pilot group in the sign-in logs, then switch it to On and save.
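The same reasoning, as an added example that is not part of the original post: a small auditor that takes Conditional Access policies in the shape Microsoft Graph returns from GET /identity/conditionalAccess/policies, flags every enforced policy that puts a device requirement on the Microsoft Intune Enrollment sign-in, excludes the enrollment app from those policies and builds the dedicated MFA policy in report-only state. The four sample policies are constructed for the example, the pilot group ID is a placeholder, and the enrollment app ID is assumed; confirm it against the service principal in your own tenant. It also goes beyond the text in one respect: it treats a policy whose operator is “OR” and that offers MFA as an alternative to a device control as harmless, since MFA alone satisfies it.

```python
"""Audit Conditional Access policies for the Intune enrollment conflict and build the fix."""
import copy
import json

# App ID of the "Microsoft Intune Enrollment" cloud app in Conditional Access.
# Assumed for this example: confirm it against the service principal in your tenant.
INTUNE_ENROLLMENT_APP_ID = "d4ebce55-015a-49b5-a083-c84d1797ae8c"
DEVICE_CONTROLS = {"compliantDevice", "domainJoinedDevice"}
PLACEHOLDER_PILOT_GROUP = "11111111-2222-3333-4444-555555555555"  # fake group object ID


def requires_device(policy):
    """True when the policy cannot be satisfied without an enrolled device.

    With operator "OR" any single listed control satisfies the policy, so a device
    control is only mandatory when no non-device control such as mfa is offered.
    """
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    if not controls & DEVICE_CONTROLS:
        return False
    return not (grant.get("operator") == "OR" and controls - DEVICE_CONTROLS)


def scopes_enrollment(policy):
    """True when the policy applies to sign-ins to Microsoft Intune Enrollment."""
    apps = (policy.get("conditions") or {}).get("applications") or {}
    if INTUNE_ENROLLMENT_APP_ID in (apps.get("excludeApplications") or []):
        return False
    include = apps.get("includeApplications") or []
    return "All" in include or INTUNE_ENROLLMENT_APP_ID in include


def find_conflicts(policies):
    """Enforced policies that demand a device control on the enrollment sign-in.

    Report-only ("enabledForReportingButNotEnforced") and disabled policies are
    skipped: they are logged but never block.
    """
    return [p for p in policies
            if p.get("state") == "enabled" and requires_device(p) and scopes_enrollment(p)]


def exclude_enrollment(policy):
    """Return a copy of the policy with Microsoft Intune Enrollment excluded."""
    fixed = copy.deepcopy(policy)
    apps = fixed.setdefault("conditions", {}).setdefault("applications", {})
    excluded = apps.setdefault("excludeApplications", [])
    if INTUNE_ENROLLMENT_APP_ID not in excluded:
        excluded.append(INTUNE_ENROLLMENT_APP_ID)
    return fixed


def enrollment_policy(pilot_group_id, state="enabledForReportingButNotEnforced"):
    """Dedicated policy: MFA on the enrollment app, no device requirement.

    Defaults to report-only so the pilot can be checked in the sign-in logs
    before the state is switched to "enabled".
    """
    return {
        "displayName": "CA-IntuneEnrollment-AllowUnmanaged",
        "state": state,
        "conditions": {
            "users": {"includeGroups": [pilot_group_id]},
            "applications": {"includeApplications": [INTUNE_ENROLLMENT_APP_ID]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def remediate(policies, pilot_group_id):
    """Return (names of conflicting policies, corrected policy set).

    Every conflicting policy gets the enrollment app excluded and the dedicated
    policy is appended. Appending the dedicated policy alone would fix nothing:
    all matching policies must be satisfied, so the exclusion is the real fix.
    """
    conflict_ids = {id(p) for p in find_conflicts(policies)}
    fixed = [exclude_enrollment(p) if id(p) in conflict_ids else p for p in policies]
    fixed.append(enrollment_policy(pilot_group_id))
    names = [p["displayName"] for p in policies if id(p) in conflict_ids]
    return names, fixed


# Constructed sample tenant; only the first policy has the conflict.
SAMPLE_POLICIES = [
    {   # Blocks enrollment: device control on every app, nothing excluded.
        "displayName": "CA-Require-Compliant-Device", "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["All"], "excludeApplications": []}},
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice", "domainJoinedDevice"]},
    },
    {   # Harmless: MFA alone satisfies it, so an unenrolled device can still sign in.
        "displayName": "CA-MFA-All-Users", "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # Harmless: "require one of" MFA or compliant device.
        "displayName": "CA-Compliant-Or-MFA", "state": "enabled",
        "conditions": {"applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
    },
    {   # Not enforced yet, so it cannot block; watch its report-only results instead.
        "displayName": "CA-Require-Compliant-Device-Staging", "state": "enabledForReportingButNotEnforced",
        "conditions": {"applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice"]},
    },
]

if __name__ == "__main__":
    names, fixed = remediate(SAMPLE_POLICIES, PLACEHOLDER_PILOT_GROUP)
    print("Conflicting policies:", names)
    print(json.dumps(fixed, indent=2))
```

Against the sample tenant only CA-Require-Compliant-Device is reported; the corrected set has the enrollment app in that policy's excludeApplications and the new report-only enrollment policy appended, which is what you would then push back with a PATCH to each policy and a POST for the new one (or the equivalent Update-MgIdentityConditionalAccessPolicy and New-MgIdentityConditionalAccessPolicy calls).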

Step 4 — What If

  1. Entra admin center → Protection → Conditional Access → What If.
  2. Select a pilot user, the Microsoft Intune Enrollment app and the device platform, then run the evaluation; confirm the device-compliance policy is listed under “Policies that will not apply” and that only the enrollment policy (MFA) applies.

Step 5 — device validation

  1. On a clean Windows profile, use Settings → Accounts → Access work or school → Connect and complete enrollment; the sign-in should prompt for MFA but must not loop.
  2. In the Intune admin center → Devices → Monitor → Enrollment failures, verify there are no new Conditional Access related failures, and check the Entra sign-in log entry for the same user and the Microsoft Intune Enrollment app.

Rollout hygiene

  • Relax the enrollment path first, then progressively tighten access to production workloads, never the other way round.
  • Once the enrollment sign-in is no longer gated on device state, any MFA-capable user can start enrolling any device; bound what may enroll with Intune enrollment restrictions (platform and personally-owned device limits) and Autopilot or corporate identifiers, not with Conditional Access.
  • Maintain an exception register with review dates; exceptions tend to become permanent by accident.
  • Test on factory-reset devices; a stale MDM profile or an earlier device registration can skew results.

Post-change verification

After the fix, run onboarding pilots on at least two platforms (for example Windows and iOS), then review the Intune enrollment failures report and the Entra sign-in logs filtered to the Microsoft Intune Enrollment app: look for Conditional Access status Failure, and for report-only failures on any policy you intend to enforce next. Only then expand stricter production policies.
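The sign-in log review, as an added example that is not part of the original post: a triage pass over sign-in records in the shape of the Microsoft Graph signIn resource (GET /auditLogs/signIns, or Get-MgAuditLogSignIn in Graph PowerShell). It keeps only sign-ins to the Microsoft Intune Enrollment app and reports each policy that blocked one, plus each report-only policy that would have blocked one, so a staged policy is caught before it is switched on. The four records, their error codes, failure text and control labels are constructed for the example, not exported from a tenant.

```python
"""Triage Entra sign-in records for Conditional Access blocks on Intune enrollment."""
from collections import Counter

ENROLLMENT_APP = "Microsoft Intune Enrollment"
# Per-policy result values in a Graph signIn record: "failure" blocked the sign-in,
# "reportOnlyFailure" means a report-only policy would have blocked it once enforced.
BLOCKED, WOULD_BLOCK = "failure", "reportOnlyFailure"


def enrollment_findings(signins):
    """One finding per (sign-in, policy) pair that blocked or would block enrollment."""
    findings = []
    for rec in signins:
        if rec.get("appDisplayName") != ENROLLMENT_APP:
            continue  # other apps are out of scope for the onboarding question
        device = rec.get("deviceDetail") or {}
        for pol in rec.get("appliedConditionalAccessPolicies") or []:
            result = pol.get("result")
            if result not in (BLOCKED, WOULD_BLOCK):
                continue
            findings.append({
                "user": rec.get("userPrincipalName"),
                "policy": pol.get("displayName"),
                "kind": "blocked" if result == BLOCKED else "would_block",
                "controls": sorted(pol.get("enforcedGrantControls") or []),
                "os": device.get("operatingSystem"),
                "managed": bool(device.get("isManaged")),
                "error": (rec.get("status") or {}).get("errorCode"),
            })
    return findings


def blocking_policies(findings):
    """Findings per policy name; the largest count is the policy to fix first."""
    return Counter(f["policy"] for f in findings)


# Constructed records in the shape of the Graph signIn resource. Error codes,
# failure text and control labels are illustrative, not copied from a real tenant.
SAMPLE_SIGNINS = [
    {   # Blocked before the fix: device policy applied to the enrollment sign-in.
        "userPrincipalName": "alice@example.com", "appDisplayName": ENROLLMENT_APP,
        "conditionalAccessStatus": "failure",
        "status": {"errorCode": 53000, "failureReason": "Device is not in required device state: compliant"},
        "deviceDetail": {"operatingSystem": "Windows 11", "isCompliant": False, "isManaged": False},
        "appliedConditionalAccessPolicies": [
            {"displayName": "CA-Require-Compliant-Device", "result": "failure",
             "enforcedGrantControls": ["RequireCompliantDevice"]},
        ],
    },
    {   # Healthy after the fix: MFA policy applied, device policy not applied.
        "userPrincipalName": "bob@example.com", "appDisplayName": ENROLLMENT_APP,
        "conditionalAccessStatus": "success", "status": {"errorCode": 0},
        "deviceDetail": {"operatingSystem": "Windows 11", "isCompliant": False, "isManaged": False},
        "appliedConditionalAccessPolicies": [
            {"displayName": "CA-IntuneEnrollment-AllowUnmanaged", "result": "success",
             "enforcedGrantControls": ["Mfa"]},
            {"displayName": "CA-Require-Compliant-Device", "result": "notApplied",
             "enforcedGrantControls": []},
        ],
    },
    {   # Same policy blocking a different app: real, but not an onboarding finding.
        "userPrincipalName": "carol@example.com", "appDisplayName": "Office 365 Exchange Online",
        "conditionalAccessStatus": "failure", "status": {"errorCode": 53000},
        "deviceDetail": {"operatingSystem": "MacOs", "isCompliant": False, "isManaged": False},
        "appliedConditionalAccessPolicies": [
            {"displayName": "CA-Require-Compliant-Device", "result": "failure",
             "enforcedGrantControls": ["RequireCompliantDevice"]},
        ],
    },
    {   # Succeeded, but a report-only policy would block it once switched on.
        "userPrincipalName": "dave@example.com", "appDisplayName": ENROLLMENT_APP,
        "conditionalAccessStatus": "success", "status": {"errorCode": 0},
        "deviceDetail": {"operatingSystem": "Ios", "isCompliant": False, "isManaged": False},
        "appliedConditionalAccessPolicies": [
            {"displayName": "CA-IntuneEnrollment-AllowUnmanaged", "result": "success",
             "enforcedGrantControls": ["Mfa"]},
            {"displayName": "CA-Require-Compliant-Device-Staging", "result": "reportOnlyFailure",
             "enforcedGrantControls": ["RequireCompliantDevice"]},
        ],
    },
]

if __name__ == "__main__":
    found = enrollment_findings(SAMPLE_SIGNINS)
    for f in found:
        print(f"{f['kind']:<11} {f['user']:<18} {f['policy']:<40} {f['os']} managed={f['managed']}")
    print(dict(blocking_policies(found)))
```

On the sample data the triage reports two findings: alice blocked by CA-Require-Compliant-Device, and dave's successful enrollment that CA-Require-Compliant-Device-Staging would have blocked, which is exactly the signal to act on before that staged policy goes to On. Carol's Exchange block is ignored because it is not on the enrollment path, and bob's record shows what a healthy post-fix sign-in looks like: the device policy is present but not applied.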