A Conditional Access Policy in Entra ID that only requires a compliant device can be bypassed using the Intune Portal client.
Note that any other Conditional Access Policies and conditions you've configured in your tenant will still apply!
Update February 2024: Microsoft changed the pre-consented scopes on the Azure AD Graph API (user_impersonation --> Service_PrincipalEndpoint.Read.All,User.Read). Therefore, it is no longer possible to run tools like ROADrecon.
- Execute the script.
- Open the browser developer tools and authenticate normally.
- After clicking on "Continue" you should see an error message in the browser console:
- Click on the URL in the browser console (ms-appx-web://...); this will open the URL in a new tab. Copy the content of the code parameter into the script window. This will get you an access token and a refresh token (stored in $token):
The refresh token can, for example, be used to obtain an access token for Azure AD Graph.
If you don’t want to hassle with copying things manually, you can simplify the process by using EntraTokenAid (https://github.com/zh54321/EntraTokenAid.git):
```powershell
# Clone and import the tool
git clone https://github.com/zh54321/EntraTokenAid.git
cd EntraTokenAid
Import-Module .\EntraTokenAid.psm1
# Start the interactive authentication
$tokens = Invoke-Auth -ClientID '9ba1a5c7-f17a-4de9-a1f1-6178c8d51223' -RedirectUrl 'urn:ietf:wg:oauth:2.0:oob'
```
- For the write-up: TokenSmith – Bypassing Intune Compliant Device Conditional Access by JUMPSEC
- For discovery and sharing:
  - TEMP43487580 (@TEMP43487580)
  - Dirk-jan (@_dirkjan)