Forum Discussion
StuartK73 (Iron Contributor)
Nov 04, 2024
Microsoft Graph Command Line Tools Blocked by CA
Hi All
I hope you are well.
Anyway, I recently turned ON a Conditional Access Policy Template, "Require MDM-enrolled and compliant device to access cloud apps for all users (Preview)". This seems to work fine until our IT Admins try to use the AutoPilot script, which gets blocked based on:
Microsoft Graph Command Line Tools
Any ideas on how to allow AutoPilot / Microsoft Graph Command Line Tools through CA?
Info appreciated
- Bohdan90210 (Copper Contributor)
Hi, have you figured it out?
- SebastiaanSmits (Steel Contributor)
I am not 100 percent sure, but I do not think it is the same. I see the application as a target resource in CA.
When you go to Entra > Enterprise apps, are you not able to find Microsoft Graph Command Line Tools?
- StuartK73 (Iron Contributor)
Hi buddy
Yes, I think you are correct.
I don't see the Command Line tools listed in Entra. Is there a specific way to add them to Entra?
Info appreciated
- SebastiaanSmits (Steel Contributor)
The app was probably removed or was never created in the first place. Can you try Connect-MgGraph -Scopes $scopes -TenantId $tenantId with an admin account to see if it connects or you run into a consent screen for the Enterprise App (like here: https://learn.microsoft.com/en-us/answers/questions/1619076/microsoft-graph-command-line-tools-enterprise-appl)?
Could you also try the tip in the reply in the above-mentioned article and try to find the app in the Enterprise apps section with the app id 14d82eec-204b-4c2f-b7e8-296a70dab67e? Just to rule out some weird search issues with the earlier attempt at locating the app.
- SebastiaanSmits (Steel Contributor)
How we deal with this is by excluding Microsoft Graph Command Line Tools in your CA Policy, in the Target Resources section of the Policy.
After this you can restrict its use by going to Entra ID portal > Enterprise Applications > find Microsoft Graph Command Line Tools > go to Properties > and configure 'Assignment required'. Now only explicitly assigned users can use the App.
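An added diagnostic script (not from this thread) that checks the two things the replies above ask about: whether the Microsoft Graph Command Line Tools service principal exists in the tenant (looked up by the app id quoted above), which enabled CA policies still target it, and the 'Assignment required' setting. It assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in admin holds the Policy.Read.All and Application.ReadWrite.All scopes.

```powershell
# Added example, not the thread's own code. Assumes Microsoft.Graph SDK v2 and an admin
# account granted Policy.Read.All (read CA policies) and Application.ReadWrite.All.
$graphCliAppId = '14d82eec-204b-4c2f-b7e8-296a70dab67e'   # app id quoted in the thread

Connect-MgGraph -Scopes 'Policy.Read.All','Application.ReadWrite.All' -NoWelcome

# 1. Does the Enterprise App (service principal) exist in this tenant at all?
$sp = Get-MgServicePrincipal -Filter "appId eq '$graphCliAppId'"
if (-not $sp) {
    Write-Warning "No service principal for $graphCliAppId in this tenant; a first admin consent via Connect-MgGraph creates it."
    return
}
"Found '$($sp.DisplayName)' (objectId $($sp.Id)); AppRoleAssignmentRequired = $($sp.AppRoleAssignmentRequired)"

# 2. Which enabled CA policies still target the app? 'All' resources covers it unless it is excluded.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -eq 'enabled' } |
    ForEach-Object {
        $apps     = $_.Conditions.Applications
        $included = ($apps.IncludeApplications -contains 'All') -or ($apps.IncludeApplications -contains $graphCliAppId)
        $excluded = $apps.ExcludeApplications -contains $graphCliAppId
        [pscustomobject]@{
            Policy     = $_.DisplayName
            StillHits  = $included -and -not $excluded
            Excluded   = $excluded
            Grants     = ($_.GrantControls.BuiltInControls -join ',')
        }
    } | Format-Table -AutoSize

# 3. Hardening from the reply above: once the app is excluded from CA, require explicit
#    assignment so only the designated admin/DEM accounts can use it. Uncomment to apply.
# Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true
```

Run it before and after editing the policy; a row with StillHits = True names a policy that will keep blocking the app regardless of exclusions made elsewhere.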
- Bohdan90210 (Copper Contributor)
Excluding Microsoft Graph Command Line Tools in the CA doesn't change anything. It keeps getting blocked by CA despite the exclusion.
- StuartK73 (Iron Contributor)
Yes, that's exactly what we are still experiencing I'm afraid.
- StuartK73 (Iron Contributor)
Hi Buddy
I don't see Microsoft Graph Command Line Tools listed, but I did see MS Graph PowerShell. Is this the same thing?
Info appreciated
- StuartK73 (Iron Contributor)
This looks promising, I'll test it, thank you.
- micheleariis (Steel Contributor)
StuartK73 Hi, are the devices definitely both compliant and enrolled?
On the Entra ID access logs, what do you see?
- StuartK73 (Iron Contributor)
Hi Buddy
These are new, OOBE devices being enrolled by our IT Admin DEM accounts, so they won't be enrolled or compliant yet, as that's what we are trying to do; but first we need to AutoPilot them into Intune.
This guide states:
"Note: You can enroll your new devices to Intune even if you select Require device to be marked as compliant for All users and All resources (formerly 'All cloud apps') using the previous steps. The Require device to be marked as compliant control does not block Intune enrollment."
Ref: https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-device-compliance
SK
- micheleariis (Steel Contributor)
StuartK73 You could create a separate, less restrictive Conditional Access policy that applies specifically to device enrollment scenarios.