How to redirect user to sign into Company Portal app on iOS device when user clicks Outlook

Louie, Andy (TIS) 1 Reputation point
2021-10-28T21:16:28.923+00:00

I am using the enrollment profile Setup Assistant with modern authentication. It works, but the user has to manually open the Company Portal app and sign in to make the device compliant. With this enrollment policy it doesn't force the user to sign in to Company Portal. I want to make it so that if the user clicks on the Outlook app, Company Portal opens first and forces the user to sign in, and then it opens the Outlook app.
I am looking at app-based Conditional Access. I am at the Cloud apps or actions part, where I select the app. Do I select Office 365 Exchange?
In the Conditions, in Device Platform I selected iOS, and in Client apps I selected Browser and Mobile apps and Desktop.
What do I select for Access Control and Sessions?


6 answers

  1. Crystal-MSFT 43,126 Reputation points Microsoft Vendor
    2021-10-29T03:22:43.843+00:00

    @Louie, Andy (TIS), thanks for the reply. For app-based Conditional Access, it will redirect to the broker app. For iOS, it is Microsoft Authenticator. Here is a link for reference:
    https://learn.microsoft.com/en-us/mem/intune/protect/app-based-conditional-access-intune

    If we want to try, for the cloud app for email access, I think it can be "Office 365" or "Exchange Online".
    https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps
    For the Grant field, we can configure "Require approved client app" and "Require app protection policy".
    https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant

    Thanks for the understanding and have a nice day!


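
Added example (not part of the thread and not Microsoft's code): a small Python audit over Conditional Access policies exported from Microsoft Graph, listing the enabled policies that cover Office 365 or Exchange Online sign-ins from iOS mobile apps and which of them use the two app-based grants named in the answer above. The sample policies and their display names are constructed, and matching is simplified to the include lists (user scoping and exclusions are ignored).

```python
import json

# Constructed sample, shaped like the output of Microsoft Graph
# GET /identity/conditionalAccess/policies. Display names are made up.
SAMPLE = json.loads("""[
 {"displayName": "iOS mail - app-based CA", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["Office365"]},
    "platforms": {"includePlatforms": ["iOS"]}, "clientAppTypes": ["mobileAppsAndDesktopClients"]},
  "grantControls": {"operator": "OR", "builtInControls":
                    ["approvedApplication", "compliantApplication"]}},
 {"displayName": "Block legacy mail clients", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["Office365"]},
    "platforms": {"includePlatforms": ["iOS"]}, "clientAppTypes": ["exchangeActiveSync", "other"]},
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
 {"displayName": "Windows MFA", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["All"]},
    "platforms": {"includePlatforms": ["windows"]}, "clientAppTypes": ["all"]},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
]""")

# "Office365" and "All" are Graph keywords; the GUID is Exchange Online's app ID.
MAIL_TARGETS = {"All", "Office365", "00000002-0000-0ff1-ce00-000000000000"}
# Graph names for "Require approved client app" / "Require app protection policy".
APP_BASED = {"approvedApplication", "compliantApplication"}

def applies_to_ios_mobile_mail(policy):
    """Simplified match on include lists only (no users, no exclusions)."""
    cond = policy.get("conditions") or {}
    apps = set((cond.get("applications") or {}).get("includeApplications") or [])
    plats = (cond.get("platforms") or {}).get("includePlatforms")
    clients = set(cond.get("clientAppTypes") or ["all"])
    return (policy.get("state") == "enabled"
            and bool(apps & MAIL_TARGETS)
            and (not plats or bool({"iOS", "all"} & set(plats)))  # unset = any platform
            and bool(clients & {"all", "mobileAppsAndDesktopClients"}))

def audit(policies):
    """Return name, grant operator/controls and app-based grants per matching policy."""
    rows = []
    for p in policies:
        if applies_to_ios_mobile_mail(p):
            grant = p.get("grantControls") or {}
            controls = grant.get("builtInControls") or []
            rows.append({"policy": p.get("displayName"), "operator": grant.get("operator"),
                         "controls": controls, "app_based": sorted(APP_BASED & set(controls))})
    return rows

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A non-empty `app_based` list marks a policy that uses the app-based grants from the answer, which is the case the answer says redirects to the broker app.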

  2. Louie, Andy (TIS) 1 Reputation point
    2021-10-29T03:42:52.117+00:00

    Hello, based on this article here, it says:
    https://techcommunity.microsoft.com/t5/intune-customer-success/setup-assistant-with-modern-authentication-for-ade-intune-public/ba-p/2279061

    Company Portal Redirection
    A new improvement we’ve made to our onboarding experience helps guide users to complete that second Azure AD authentication by automatically redirecting to the iOS/iPadOS Company Portal when the user attempts to access corporate data.

    If users open any managed iOS/iPadOS applications that are protected by Conditional Access and they haven't completed the additional Azure AD sign in to the iOS/iPadOS Company Portal, they will be redirected to the Company Portal from those other apps as part of this new change. This way, users are guided to complete that last step before they can access resources protected by Conditional Access.
    But the article doesn't give me the instructions on how to do this?


  3. Louie, Andy (TIS) 1 Reputation point
    2021-11-04T18:12:28.893+00:00

    Hello, I created the Conditional Access policy.
    For the cloud app I chose Office 365.
    For Conditions, in Device Platform I chose iOS. But in the Client apps section in Conditions, what do I choose? For Modern authentication clients, the only choices I have are Browser, Mobile apps and Desktop clients; another section, Legacy authentication clients, has Exchange ActiveSync clients and other clients.

    As a test, I clicked on Mobile apps in the Modern authentication clients section and opened up Outlook. It didn't direct me to Company Portal to sign in; it redirected me to download the Authenticator app from Microsoft. Since this is a managed device, I thought I wouldn't need the Microsoft Authenticator app.


  4. Louie, Andy (TIS) 1 Reputation point
    2021-11-05T05:53:07.757+00:00

    Yes, for my testing this is an ADE device that I factory wiped and enrolled using the enrollment profile Setup Assistant with modern authentication; this is a managed device. I didn't make any app protection policy, just FYI.


  5. Louie, Andy (TIS) 1 Reputation point
    2021-11-08T22:09:20.157+00:00

    Hello, I opened up the Outlook app, and this Outlook is a managed application. I already have a Conditional Access policy, included in this screenshot, that blocks the user from using the native Apple email account and forces the user to open up Outlook. I clicked on Outlook and it doesn't do the redirection. During the Setup Assistant I did log in with my test email account to authenticate, but after that, when I click on Outlook, it doesn't do the redirection.