I have hybrid Azure AD join up and running.
Immediately after hybrid joining, my users get a popup that says "you need to fix your account bla bla bla". When you click that message, it takes you to the "Shared experiences" page with a "Fix now" button.
When you press that "Fix now" button, it brings you to an MFA page, which I really don't want my users to have to go through.
Note: I already have a Conditional Access policy configured to bypass MFA on corp network IPs. That policy is the "user action = register/join devices to Azure" one. But I think this only applies to the actual joining process, not this shared experiences mumbo jumbo.
I found this thread:
https://www.reddit.com/r/Intune/comments/ld0z71/are_there_any_impacts_with_enabling_hybrid_azure/
There is a comment (posted by u/theonlyredditaccount) that says:
"Please note if you have an "All cloud apps require MFA" Conditional Access policy, your users may encounter a "There's a possibility with your work or school account. Click here to fix now" notification - they'll be prompted for MFA and then it'll work."
I do in fact have a base CA policy set for all cloud apps. I have this because there are quite a few "apps" or functions within Azure that I want to secure internally with MFA, but there isn't really a separate "app" for some of those functions. For example, the "O365 app" in Azure does not also control the "MyApps" portal. Took me a while to figure that out.
So my question is: what "app" would I search for / exclude from this policy so that the user does not get this "Shared experiences 'Fix now'" prompt, which then requires MFA? Microsoft has no documentation on this, so I have no idea how to prevent this from happening, other than disabling the "all cloud apps" CA policy. I really hope the response isn't "this isn't possible". There has to be something I can exclude from the "all cloud apps" CA policy that will fix this lame shared experiences 'Fix now' needing MFA.
Side note: yes, I have tried disabling shared experiences, which does in fact get rid of the pop-up message. But even with shared experiences turned OFF, when you go to the Shared experiences page, the 'Fix now' button is still there, which just makes me nervous that it will break something else unless you click 'Fix now' and approve the MFA. It's confusing that the 'Fix now' button still appears even though the shared experiences feature is completely disabled.
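Before deciding what to exclude from the "all cloud apps" policy, it helps to see exactly which enabled policies target All cloud apps with an MFA grant, what they already exclude, and whether the register/join user action is covered. The script below is an added example, not part of the original post or any Microsoft guidance: it parses the local `dsregcmd /status` output to confirm the hybrid-join and PRT state of the client, then uses the Microsoft Graph PowerShell SDK to list the Conditional Access policies that could be producing the prompt. It assumes the `Microsoft.Graph` module is installed and that the signed-in admin can be granted the `Policy.Read.All` scope; it does not claim which app, if any, is the right one to exclude.

```powershell
# Added example (not from the original post). Assumes: Microsoft.Graph SDK installed,
# admin consent available for Policy.Read.All, and the first part is run on the
# hybrid-joined Windows client as the affected user.

# --- Part 1: local device state from dsregcmd /status -------------------------
function Get-DsregState {
    # Parse "Key : Value" lines of dsregcmd output into a hashtable.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

$ds = Get-DsregState
"DomainJoined  : $($ds['DomainJoined'])"
"AzureAdJoined : $($ds['AzureAdJoined'])"
"AzureAdPrt    : $($ds['AzureAdPrt'])"
if ($ds['AzureAdJoined'] -eq 'YES' -and $ds['AzureAdPrt'] -ne 'YES') {
    # Assumption worth checking: the account-fix prompt tends to coincide with
    # the user not yet holding a Primary Refresh Token on this device.
    "Hybrid joined, but no PRT for this user yet - check this before editing CA."
}

# --- Part 2: which CA policies could be forcing MFA here ----------------------
function Get-MfaPoliciesForAllApps {
    Connect-MgGraph -Scopes 'Policy.Read.All' | Out-Null
    $policies = Get-MgIdentityConditionalAccessPolicy -All

    foreach ($p in $policies) {
        $apps          = $p.Conditions.Applications
        $targetsAll    = $apps.IncludeApplications -contains 'All'
        $registerJoin  = $apps.IncludeUserActions  -contains 'urn:user:registerdevice'
        $requiresMfa   = $p.GrantControls.BuiltInControls -contains 'mfa'

        # Report enabled policies that either cover All cloud apps with MFA, or
        # scope the "register or join devices" user action (the corp-IP bypass).
        if ($p.State -eq 'enabled' -and $requiresMfa -and ($targetsAll -or $registerJoin)) {
            [pscustomobject]@{
                Policy            = $p.DisplayName
                AllCloudApps      = $targetsAll
                RegisterJoinAction= $registerJoin
                ExcludedApps      = ($apps.ExcludeApplications -join ', ')
                ExcludedLocations = ($p.Conditions.Locations.ExcludeLocations -join ', ')
                ExcludedUsers     = ($p.Conditions.Users.ExcludeUsers -join ', ')
            }
        }
    }
}

Get-MfaPoliciesForAllApps | Format-Table -AutoSize
```

Run Part 1 on the client and Part 2 from an admin session. A policy with `AllCloudApps = True` and an empty `ExcludedApps` column is the one the quoted Reddit comment is talking about; the `RegisterJoinAction` row shows whether the corp-IP exclusion really is limited to the register/join user action, as the post suspects. The sign-in logs for the affected user (Entra ID > Sign-in logs, filtered to the time of the "Fix now" click) will then show which resource and which policy actually applied, which is the concrete value to test as an exclusion rather than guessing.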