Microsoft Intune Enrollment Service in Azure Conditional Access
Updated: May 11, 2020
Most companies want to prevent external access to Office 365 outside of their corporate network, but typically exclude mobile device access for email from this policy. With Azure Conditional Access, it is easy to control access based on location, but to extend this further Intune device policies can ensure devices are enrolled and compliant with company policy before allowing access.
Let's assume the following scenario:
External access for all users should be blocked by default
Mobile devices are allowed to access email but must be enrolled with Intune
This would seem to be a very simple configuration, but the way Azure presents Conditional Access services and apps is very misleading. Let's take a look at how you might initially try to set this up.
If we block all access then un-enrolled devices will not be able to enroll with Intune to become compliant. So our first rule may look something like this:
Here we scope the policy to select all cloud apps but explicitly exclude the Microsoft Intune Enrollment service.
Looking simply at these settings, you would think that this scope would allow us to set the policy to Block access and therefore prevent authentication to everything other than the Microsoft Intune Enrollment service, so that we could enroll a mobile device. But if you actually test this configuration by downloading the Intune Company Portal app and trying to sign in, you'll be presented with the conditional access message that you are being blocked.
If we are excluding the Microsoft Intune Enrollment service why would this policy still be blocking access to the Intune Company Portal app being used to enroll our device?
The answer is a combination of Microsoft poorly naming the Microsoft Intune Enrollment cloud app and not exposing all services in conditional access policy configuration.
The Microsoft Intune Enrollment cloud app is the service that enables the use of Azure Multi-Factor Authentication during device enrollment. This service was originally introduced to add an additional layer of security, ensuring that devices being enrolled were not granting additional access to resources that leveraged the device registration as a form of authentication. For more details, refer to the following links:
To enroll a device we need to access the Intune Device Enrollment service, which is not exposed in Azure to be used by conditional access policies. In fact, there can be many services that are not exposed in Azure to be used by conditional access, especially if you have custom or third-party apps integrated.
After speaking with a Microsoft Intune product engineer, the recommended practice is to never use an Include:All Cloud Apps scope for any block policy. The only exception to this would be if you wanted to block absolutely everything with no exceptions.
So how do we then modify our rule to block access except for device enrollment? We need to modify the scope of the rule to apply to every cloud app except Microsoft Intune Enrollment. Yes, that sounds exactly like what we already have configured, but we have to explicitly select each individual cloud app, and not the Microsoft Intune Enrollment app, in the Include portion of the rule.
By individually selecting each cloud app we don't actually select any of the underlying dependent services or unexposed services that aren't used for general access to Office 365. The downside to this approach is that as new services and apps are added into Azure, they will not be automatically included in the policy. This could potentially open the door for access to future services unless you stay on top of the feature update announcements from Microsoft or review the policy regularly.
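The two problems above (a Block policy scoped to All cloud apps, and an explicit-include Block policy that drifts as new apps appear in the tenant) are both checkable from a policy export. The following script is an added example, not code from the original post or from Microsoft: it audits policy dictionaries shaped like Microsoft Graph conditionalAccessPolicy objects (`conditions.applications.includeApplications`, `grantControls.builtInControls`, `state`). The policies, the tenant app inventory, and every app ID in it are constructed placeholders, not real Microsoft application IDs.

```python
"""Audit Conditional Access policy exports for two issues:

1. An active Block policy whose include scope is 'All' cloud apps, which also
   blocks unexposed dependent services such as Intune device enrollment.
2. An active Block policy with an explicit include list that no longer covers
   every cloud app in the tenant (drift after new apps were added).

Policy shape follows Microsoft Graph conditionalAccessPolicy objects; all
sample data and app IDs below are constructed for this example.
"""

BLOCK = "block"

# Constructed placeholder app IDs (not real Microsoft application IDs).
INTUNE_ENROLLMENT = "00000000-0000-0000-0000-00000000e001"   # placeholder
EXCHANGE_ONLINE = "00000000-0000-0000-0000-00000000a001"     # placeholder
SHAREPOINT_ONLINE = "00000000-0000-0000-0000-00000000a002"   # placeholder
NEW_SERVICE = "00000000-0000-0000-0000-00000000a003"         # placeholder, added later

# Constructed inventory of cloud apps currently present in the tenant.
TENANT_APPS = {
    EXCHANGE_ONLINE: "Office 365 Exchange Online",
    SHAREPOINT_ONLINE: "Office 365 SharePoint Online",
    NEW_SERVICE: "Newly added app",
    INTUNE_ENROLLMENT: "Microsoft Intune Enrollment",
}

# Constructed policies: the first attempt from the post, the corrected rule
# written before NEW_SERVICE existed, and a disabled policy that must be ignored.
SAMPLE_POLICIES = [
    {
        "displayName": "Block external access (All apps)",
        "state": "enabled",
        "conditions": {"applications": {
            "includeApplications": ["All"],
            "excludeApplications": [INTUNE_ENROLLMENT]}},
        "grantControls": {"operator": "OR", "builtInControls": [BLOCK]},
    },
    {
        "displayName": "Block external access (explicit apps)",
        "state": "enabled",
        "conditions": {"applications": {
            "includeApplications": [EXCHANGE_ONLINE, SHAREPOINT_ONLINE],
            "excludeApplications": []}},
        "grantControls": {"operator": "OR", "builtInControls": [BLOCK]},
    },
    {
        "displayName": "Old block policy (disabled)",
        "state": "disabled",
        "conditions": {"applications": {
            "includeApplications": ["All"],
            "excludeApplications": []}},
        "grantControls": {"operator": "OR", "builtInControls": [BLOCK]},
    },
]


def is_block_policy(policy):
    """True for a policy that is not disabled and whose grant control is Block."""
    if policy.get("state") == "disabled":
        return False
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    return BLOCK in controls


def app_scope(policy):
    """Return (includeApplications, excludeApplications) for a policy."""
    apps = policy["conditions"]["applications"]
    return apps.get("includeApplications", []), apps.get("excludeApplications", [])


def find_all_apps_block_policies(policies):
    """Names of active Block policies scoped to 'All' cloud apps (the anti-pattern)."""
    return [p["displayName"] for p in policies
            if is_block_policy(p) and "All" in app_scope(p)[0]]


def find_uncovered_apps(policy, tenant_apps, intended_exclusions):
    """Tenant apps an explicit-include policy does not cover, ignoring apps the
    policy excludes on purpose (e.g. Intune Enrollment)."""
    include, exclude = app_scope(policy)
    if "All" in include:
        return []
    ignore = set(exclude) | set(intended_exclusions)
    return sorted(name for app_id, name in tenant_apps.items()
                  if app_id not in include and app_id not in ignore)


def audit(policies, tenant_apps, intended_exclusions):
    """Run both checks and return the findings as a dict."""
    findings = {"all_apps_block": find_all_apps_block_policies(policies), "drift": {}}
    for policy in policies:
        if not is_block_policy(policy):
            continue
        uncovered = find_uncovered_apps(policy, tenant_apps, intended_exclusions)
        if uncovered:
            findings["drift"][policy["displayName"]] = uncovered
    return findings


if __name__ == "__main__":
    result = audit(SAMPLE_POLICIES, TENANT_APPS, [INTUNE_ENROLLMENT])
    for name in result["all_apps_block"]:
        print(f"[!] '{name}' blocks All cloud apps; enrollment services will be blocked too")
    for name, apps in result["drift"].items():
        print(f"[!] '{name}' no longer covers: {', '.join(apps)}")
```

Run against a real export, replace `SAMPLE_POLICIES` with the policies returned by the Graph conditional access policy endpoint and `TENANT_APPS` with the tenant's service principal inventory; the drift check is what turns the "review the policy regularly" advice above into a scheduled job rather than a reminder.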