Microsoft Conditional Access via Partner compliance management
Overview
Ensuring end users access organizational data from a trusted device is crucial to many security best practices. Combining Microsoft Conditional Access to validate the user, in conjunction with Addigy to secure the device, allows Apple admins to verify corporate assets are accessed securely.
Please also review Addigy Device Compliance, as it is a key part of the Conditional Access solution and determines how supported devices are calculated as compliant or non-compliant.
Addigy Conditional Access via Partner compliance management supports Mac, iPhone, and iPad. Customers who previously configured this workflow for Mac can now extend Conditional Access decisions to iPhone and iPad.
Also, see Microsoft Conditional Access using Certificates for a Conditional Access workflow that does not require Microsoft Enterprise Mobility + Security E3 or E5.
High Level Technical Overview
Using Addigy Compliance Benchmarks and Microsoft Conditional Access, only devices registered to users and marked as compliant can access data and apps protected by a configured Conditional Access policy.
The Partner compliance management integration follows the same overall flow for supported devices:
- The device performs Workplace Join so Microsoft Entra ID can identify it.
- Addigy reads the Entra Device ID and User ID.
- Addigy submits the Device ID, User ID, and Tenant ID to Microsoft through the Partner compliance management integration.
- Microsoft evaluates the compliance signal and updates the compliance state on the Entra device record.
- Microsoft Entra enforces Conditional Access on subsequent sign-ins using that compliance state.
The client-side registration flow differs by platform:
- For Mac, Company Portal is used as the Workplace Join broker.
- For iPhone and iPad, Microsoft Authenticator is used as the Workplace Join broker.
Devices registered through this workflow appear in the Microsoft Entra device list. They are not enrolled into Intune through this integration.
Before you begin
This article includes setup steps that apply to all supported devices, followed by registration and troubleshooting steps that vary by platform.
Use the Mac-specific sections when configuring Conditional Access for Mac devices. Use the iPhone and iPad sections when configuring Conditional Access for iOS and iPadOS devices.
Requirements
All supported devices
- Entra ID P1 or P2 subscription plan with Conditional Access (More information)
- Entra ID admin rights for the integration connection through the admin consent experience
- Global Admin, or another admin role permitted by your Microsoft tenant configuration
- Entra ID admin rights for the integration connection through the admin consent experience
- Microsoft Enterprise Mobility + Security E3 or E5 for users performing device registration (Find more information here)
- Entra ID user group for Device Compliance registration users
- Note: This group must contain all prospective Conditional Access registration users and current users. Users should not be removed after registration, as this can cause API post failures on device information updates during check-in or state changes. Adding users to the group does not require a manual re-sync. Sync occurs device-side when Workplace Join registration is started.
- Addigy account using Addigy MDM
- Addigy Security Suite
- Addigy Compliance configured and enabled with at least one benchmark and one rule in that benchmark
- The compliance calculation against the device record is what sends device compliance data to Microsoft once the device is registered.
- Conditional Access policy is NOT set to All Cloud Apps
- This will block the User.Read permission used by the Microsoft Partner Compliance API to verify the user during registration. This is due to the SSO Extension using MSAL to call the Microsoft Authentication Broker (Application ID: 29d9ed98-a469-4536-ade2-f981bc1d605e). Today, that application cannot be exempted from the All Cloud Apps scope in the Entra Conditional Access policy UI.
Mac requirements
- macOS 11.0 or later
- Microsoft Enterprise SSO Extension (Single Sign-On profile) deployed to Mac devices that will be registered
- Addigy Self Service deployed to the device
- Company Portal for Mac registration
- Note: The integration installs and manages its own version of Company Portal. You do not need to deploy Company Portal separately.
iPhone and iPad requirements
- iOS 16 or later, or iPadOS 16 or later
- iPhone or iPad enrolled in Addigy MDM
- Addigy Compliance configured and enabled for the device
- Self Service for iPhone and iPad deployed to the device
- Microsoft Authenticator deployed or available to the user
- Note: Deploy Microsoft Authenticator via VPP or allow users to install it themselves. Do not deploy it as a managed app that can be removed by policy. In environments using Managed Apple IDs, Authenticator must be deployed by the admin.
- Microsoft SSO Extension configured for iPhone and iPad
Technical Workflow - Single and Multi Tenant Steps
Below we discuss the technical workflow connecting Addigy and Microsoft as part of Microsoft’s partner compliance management integration, setting up the one-time Conditional Access registration workflow, and configuring Conditional Access policies that grant or deny access based on the device state sent by Addigy.
The overall workflow is shared across supported devices. The main difference is the client-side registration experience: Mac uses Company Portal as the broker, while iPhone and iPad use Microsoft Authenticator as the broker.
Enabling Partner compliance management for Addigy
The first step needed to allow for the integration connection between Addigy and Microsoft is to add Addigy as a compliance partner
- Navigate to the Microsoft Intune admin center
- Open the Tenant Administration blade (what is a blade?)
- Open the Connectors and tokens blade
- Open the Cross platform > Partner compliance management blade
- Choose Add compliance partner to start the partner wizard
- Select Addigy from the Compliance partner dropdown in the wizard
-
Select the platform you want to configure from the Platform dropdown:
- Select macOS for Mac devices
- Select iOS/iPadOS for iPhone and iPad devices
Microsoft manages partner compliance configurations by platform. To use Addigy Conditional Access for Mac, iPhone, and iPad, create the applicable partner compliance configuration for each platform.
Note: Some screenshots in this article may show macOS as the selected platform. For iPhone and iPad, select iOS/iPadOS instead.
- Click Next to advance
-
Select the desired user group that will have Workplace Join and Registration ability. If desired this can be a group you define (ex: An organization Department that dynamically updates in Entra ID, a static group of testers you manually add to a user group, or a specific user). This can also be assigned to All Users so that any member of the Entra tenant could perform the registration and have their device become compliant. If All Users is selected, you will need the Object ID for the All Users group when completing the Addigy connection steps. Contact Addigy Support if you need help obtaining this Object ID.
Note: Please take note of the group selected. You will need the Object ID of that group next.
- Click Next to advance
- Review your configuration and confirm and save the configuration via the Create button
The Microsoft Intune admin center session can now be closed as the Addigy partner connection is enabled and waiting for the Addigy side activation and first service heartbeat.
Connecting Addigy to Microsoft Intune - Single Tenant (Addigy Organization Level)
With Intune listening for service partner activation, let’s start the Addigy to Microsoft connection
-
Navigate to Account > Integrations > 3rd Party Integrations > Microsoft Intune
-
Input your Entra Tenant ID in to the Tenant ID
box. Then input the Group Object ID of the
group you selected in the prior section.
Note: Clicking Find in Azure will take you to the respective landing pages for the tenant info that holds the Tenant ID and the Groups blade so you can search. Then copy and paste the Group ID.
Optional: If you want to present users with an internal help article when they are not enrolled in Addigy and attempt to access Microsoft Conditional Access-protected content, enter that URL here.
Note: The Tenant ID can be found on the Entra portal home screen:
-
With your Entra Tenant ID and Group Object ID entered, click the
Connect button
-
In the window that opens for the Entra admin consent experience, perform
an Entra sign-in with an account with the proper admin rights to grant
domain or global consent to the partner app. After you are signed in,
click the Accept button to allow the integration.
After consent is accepted, the Addigy Compliance enterprise
application is created in Entra. This app has the Application ID of
6bbb2957-99e2-4457-9269-0da766ba04e9.
-
The integration will now process and connect the needed services. Once
that process is complete, the UI will show the following green signifiers
that the integration connection was successful. Additionally, the
Microsoft Intune admin center > Tenant Administration >
Connectors and tokens > Cross platform > Partner compliance management
will show the Addigy partner listed and with a successful heartbeat as
shown in the following example.
The connection is now set up. Supported devices can register once the required platform-specific configuration is deployed.
- For Mac, deploy the Microsoft Enterprise SSO Extension configuration and Addigy Self Service. Company Portal is installed automatically by the integration and does not need to be deployed separately.
- For iPhone and iPad, deploy Self Service for iPhone and iPad, Microsoft Authenticator, and the Microsoft SSO Extension configuration.
Connecting Addigy to Microsoft Intune - Multi Tenant (Addigy Policy Level)
With Intune listening for service partner activation from the Microsoft API enabled with Addigy as a partner, let’s start the Addigy to Microsoft connection
- Navigate to the desired policy for integration then Integrations & Settings > Integrated Systems (tab) > Intune
- Input your Entra Tenant ID in to the Tenant ID box. Then input the Group Object ID of the group you selected in the prior section.
Note: Clicking Find in Azure will take you to the respective landing pages for the tenant info that holds the Tenant ID and the Groups blade so you can search. Then copy and paste the Group ID.
Optional: If you want to present users with an internal help article when they are not enrolled in Addigy and attempt to access Microsoft Conditional Access-protected content, enter that URL here. - With your Entra Tenant ID and Group Object ID entered, click the Connect button
- In the window that opens for the Entra admin consent experience, perform an Entra sign-in with an account with the proper admin rights to grant domain or global consent to the partner app. After you are signed in, click the Accept button to allow the integration.
- The integration will now process and connect the needed services. Once that process is complete, the UI will show a green title bar signifying that the integration connection was successful.
Additionally, the Microsoft Intune admin center > Tenant Administration > Connectors and tokens > Cross platform > Partner compliance management will show the Addigy partner listed and with a successful heartbeat as shown in the following example.
The connection is now set up. Supported devices can register once the required platform-specific configuration is deployed.
- For Mac, deploy the Microsoft Enterprise SSO Extension configuration and Addigy Self Service. Company Portal is installed automatically by the integration and does not need to be deployed separately.
- For iPhone and iPad, deploy Self Service for iPhone and iPad, Microsoft Authenticator, and the Microsoft SSO Extension configuration.
Configuring End User Registration - Mac
The last configuration step is to enable end users to register their device so Microsoft Entra can identify the device and Addigy can send its compliance state to Microsoft.
The following steps apply to Mac registration. For Mac, Addigy Self Service is used to register the device for Microsoft Conditional Access. The Mac registration flow uses Company Portal as the Workplace Join broker and uses Mac-specific components such as the Microsoft Enterprise SSO Extension and MacManage.
iPhone and iPad registration uses Self Service for iPhone and iPad with Microsoft Authenticator as the broker. See the iPhone and iPad registration section for mobile-specific guidance.
- Navigate to your Policies
- Select the desired policy
- Click on the Self Service Tab
- Click on the desired Self Service configuration
- Edit the Self Service configuration via the Edit Configuration button
- Under the Integrations section check the box to enable the Intune integrations inside of Self Service (lower left corner of Self Service app)
- Click Save and Review then confirm that change for deployment
- Device will now see the registration workflow option in Self Service after policy deployment
Configuring End User Registration - iPhone and iPad
The last configuration step needed to enable end users on iPhone and iPad is to make the registration workflow available in Self Service. This allows the device to register with Microsoft Entra so Addigy can send the device compliance state to Microsoft.
The following steps apply to iPhone and iPad registration. For iPhone and iPad, Self Service starts the registration workflow, Microsoft Authenticator is used as the Workplace Join broker, and the Microsoft SSO Extension configuration must be deployed to the device.
Before end users register an iPhone or iPad, confirm the following are in place:
- The device is enrolled in Addigy MDM.
- The device is assigned to the correct Addigy policy.
- Addigy Compliance is configured and enabled for the device.
- Self Service for iPhone and iPad is deployed to the device.
- Microsoft Authenticator is deployed or available to the user.
- The Microsoft SSO Extension configuration is deployed to the device.
- The user is included in the Entra ID group assigned to the Addigy compliance partner configuration for iOS/iPadOS.
- The Microsoft Conditional Access policy targets the intended users, apps, and device platforms.
Then enable the registration workflow in the Self Service configuration. This is configured per policy. If the integration is not enabled in the Self Service configuration, end users will not see the registration option.
- Navigate to your Policies
- Select the desired policy
- Click on the Self Service Tab
- Click on the desired Self Service configuration
- Edit the Self Service configuration via the Edit Configuration button
- Under the Integrations section check the box to enable the Intune integration inside of Self Service
- Click Save and Review then confirm that change for deployment
- The device will now see the registration workflow option in Self Service after policy deployment
After the required configuration is deployed, the user can start the Conditional Access registration workflow from Self Service on iPhone or iPad. Microsoft Authenticator handles authentication and Workplace Join. After registration succeeds, the device appears in the Microsoft Entra device list. The device is not enrolled into Intune through this workflow.
Extensible SSO - Organization and Policy Level
To reduce the number of sign-ins and support the security changes in place after May 2023, please configure the SSOe payload for Microsoft apps and browser sessions. Use the Microsoft prescribed values in the Extensible SSO Device Setting found in Addigy. Read more
The SSO Extension payload is platform-specific. A different Microsoft app hosts the extension on each platform: Company Portal on Mac, and Microsoft Authenticator on iPhone and iPad. Deploy the Mac values to Mac devices and the iPhone and iPad values to iOS and iPadOS devices.
Note: A device can only have one Extensible SSO payload. Deploying more than one SSO Extension payload to the same device will cause a conflict and SSO will fail.
Mac values
The values to add are:
-
Extension ID:
com.microsoft.CompanyPortalMac.ssoextension - Type: Redirect
-
Team ID:
UBF8T346G9 -
URLs
-
https://login.microsoftonline.com -
https://login.microsoft.com -
https://sts.windows.net -
https://login.partner.microsoftonline.cn -
https://login.chinacloudapi.cn -
https://login.microsoftonline.us -
https://login-us.microsoftonline.com
-
-
Extension Data: Microsoft
-
App Allow List
-
com.apple.Safari -
com.addigy.MacManage -
com.microsoft.CompanyPortalMac -
If Chrome is used
-
com.google.Chrome
-
-
-
App Prefix Allow List
-
com.apple. -
com.addigy. -
com.microsoft. -
If Chrome is used
-
com.google.
-
-
-
Browser SSO Interaction Enabled
-
enabled= On
-
-
App Allow List
iPhone and iPad values
The values to add are:
-
Extension ID:
com.microsoft.azureauthenticator.ssoextension - Type: Redirect
- Team ID: Not required for iPhone and iPad. Leave this field blank.
-
URLs
https://login.microsoftonline.comhttps://login.microsoft.comhttps://sts.windows.nethttps://login.partner.microsoftonline.cnhttps://login.chinacloudapi.cnhttps://login.microsoftonline.ushttps://login-us.microsoftonline.com
-
Extension Data: Microsoft
- App Allow List
com.addigy.ios.SelfService- If Chrome is used
com.google.chrome.ios
- App Prefix Allow List
com.apple.com.addigy.com.microsoft.- If Chrome is used
com.google.
- Browser SSO Interaction Enabled
-
enabled= On
-
- App Allow List
Note: On iPhone and iPad, Safari participates in SSO by default, and apps built with the Microsoft Authentication Library (including Microsoft Authenticator and most Microsoft apps) participate in SSO without being added to an allow list. The App Allow List and App Prefix Allow List keys are only needed to extend SSO to additional apps that do not use the Microsoft Authentication Library.
Note: Apple requires that Microsoft Authenticator is installed on the device for the iPhone and iPad SSO Extension to load. Users do not need to open or configure Authenticator; it only needs to be present. Deploy Microsoft Authenticator via VPP or allow users to install it themselves. Do not deploy Authenticator as a managed app that can be removed by policy, as removal of a managed app deletes its data and can reset the user's authentication state. In environments using Managed Apple IDs, users cannot install apps from the App Store, so Authenticator must be deployed by the admin.
Using Platform SSO on Mac
Platform SSO is a macOS-only feature. It is not supported on iPhone and iPad, so a fleet using Platform SSO on Mac will still use the standard SSO Extension values above for iPhone and iPad.
On Mac, Platform SSO is not a separate payload. It uses the same Extensible SSO Device Setting and the same Mac values above (Extension ID, Team ID, Type, and URLs), with additional Platform SSO settings added to that payload, and requires macOS 13 or later with Company Portal 5.2404.0 or later. See How to Configure Microsoft Platform SSO in Addigy for the full configuration.
If you enable Platform SSO for Mac devices, the Platform SSO payload replaces the standard SSO Extension payload above. Do not deploy both to the same device.
Note: Platform SSO changes how a Mac registers with Microsoft Entra. Registration is performed through the Platform SSO registration prompt using hardware-bound keys, instead of the Self Service registration workflow described in this article. If you plan to use Platform SSO together with Conditional Access via Partner compliance management, contact Addigy Support to confirm the recommended configuration for your environment.
FAQ
Does Addigy Conditional Access via Partner compliance management support iPhone and iPad?
Yes. Addigy supports Microsoft Conditional Access via Partner compliance management for Mac, iPhone, and iPad.
I already configured Addigy Conditional Access for Mac. Do I need to change anything for iPhone and iPad?
Existing Mac configurations can continue to be used for Mac devices. To support iPhone and iPad, confirm that Addigy is configured as the compliance partner for the iOS/iPadOS platform in Microsoft Intune and that the applicable users and devices are assigned to the correct Addigy and Entra ID groups.
You also need to deploy the iPhone and iPad registration requirements, including Self Service for iPhone and iPad, Microsoft Authenticator, and the Microsoft SSO Extension configuration.
Do I need a separate Microsoft partner compliance configuration for iPhone and iPad?
Microsoft partner compliance configurations are platform-specific. To use Addigy Conditional Access for Mac, iPhone, and iPad, configure Addigy for each applicable platform.
Are iPhone and iPad devices enrolled into Intune?
No. Addigy remains the MDM and compliance source for devices managed by Addigy. Microsoft uses the compliance state Addigy sends through the Partner compliance management integration for Conditional Access decisions. The device is simply registered with Entra ID and has a device record.
Where do registered devices appear in Microsoft?
Devices registered through this workflow appear in the Microsoft Entra device list (note: once data is sent via API to Intune and Intune sends that data to Entra ID to update the Registration record they will show as MDM = Intune, this is the case for all PCM API Partner Vendors). They do not appear as Intune-enrolled devices through this integration.
Is Microsoft Authenticator required for iPhone and iPad registration?
Yes. Microsoft Authenticator is used as the broker for iPhone and iPad registration.
Is Company Portal required for iPhone and iPad registration?
No. Company Portal is used as the broker for Mac registration. iPhone and iPad registration uses Microsoft Authenticator.
Is Platform SSO supported for iPhone and iPad?
No. iPhone and iPad use the Microsoft SSO Extension configuration for this workflow, but Platform SSO is not supported on iPhone and iPad.
Should I create separate Conditional Access policies for Mac, iPhone, and iPad?
This depends on how your organization wants to target access. Many organizations separate policies by platform so requirements, testing, and troubleshooting can be managed independently.
How often is data sent to Microsoft from Addigy?
Data is sent on an individual device basis after a device audit completes and there is a change in any data (EX: passcode settings, FileVault 2 Status, etc.) that causes a compliance calculation change. By default, device audits occur every 5 minutes.
After Addigy sends updated compliance data, Microsoft Entra typically updates the device record in 60-90 seconds.
There is also a service heartbeat from the partner service principal. If the API connection heartbeat is lost for 30 days, devices are assumed non-compliant. The heartbeat timestamp can be viewed in the Microsoft Intune admin center under Tenant Administration > Connectors and tokens > Cross platform > Partner compliance management.
Troubleshooting - API Connection Issues
API connections provisioned before the June 2026 release of the revised API Service Principal provisioning workflow may encounter connection errors for backend communication from Addigy to the Microsoft Partner Compliance API.
Example error:
AADSTS700082: The refresh token has expired due to inactivity. The token was issued on <time stamp> and was inactive for <duration in days>. The current token being used for this connection has expired. Try reauthenticating or creating a new connection.
If your connection shows this behavior, disconnect and reconnect your Service Principal Application. This moves the connection from older delegated access to application-based access.
Steps to reconnect with new Service Principal provisioning
Required before you proceed: Ensure that you have access to an Entra ID account with Global Admin, or another permitted admin role, so you can re-establish the API connection. If you do not have access to that account, do not proceed because disconnecting the connector will sever the connection until an appropriate Entra account can reconnect it.
- Navigate to your Intune 3rd party connection in Addigy:
Policy Level: Policy > Integrations & Settings > Integrated Systems > Intune
Organization Level: Account > 3rd Party Integrations > Microsoft Intune -
Disconnect the connector:
You will receive an alert that this may impact Entra Registered devices. This could impact devices if a connection is not re-established before the next data send is required for new device registrations, or for devices that recently remediated from a non-compliant state. If the API connection is immediately re-established within the next few minutes, this gap should not force devices into a non-compliant state, but they may momentarily be seen as not registered.
- Wait 60 seconds
- With the same Tenant ID and Group ID saved in your session from your previous connection, select Connect to re-establish and re-prompt for the Service Principal API connection:
- Accept the Admin Consent to establish this connection:
- If you get the error:
"{"message": "There was an error enrolling your organization."}"
Wait 60 seconds and then retry. The API service may still be awaiting a reply from Microsoft, and a retry after that timeout will work.
Your policy or organization will now be connected with application permissions
Troubleshooting - General
Devices that have been registered do not show in Intune
This is expected. The Partner compliance management integration is configured in Microsoft Intune, but device records are Microsoft Entra registered only. They are not Intune-enrolled through this workflow. Review the device record in Microsoft Entra.
Error after entering Tenant ID and attempting admin consent
After inputting your Tenant ID and attempting to connect, you get an error on the redirect and admin consent sign-in:
This can happen if Addigy was not added as a compliance partner in Microsoft Intune before attempting the Addigy connection. Confirm that Partner compliance management was enabled for Addigy, then retry the connection.
If Addigy was recently added as a compliance partner, wait briefly and try the connection again. Microsoft may need time to complete the accepted partner registration.
Device or user cannot register because the device is marked non-compliant
This is expected when the Conditional Access policy is scoped to All Cloud Apps (a chicken and egg problem). During registration, Microsoft needs to allow the User.Read call used to verify the user. If the policy applies to All Cloud Apps, that call is blocked before the device can register and become compliant.
Best practice is to target the specific enterprise apps that should require compliant device access instead of using All Cloud Apps.
Troubleshooting - Mac
Use this section for Mac-specific Conditional Access troubleshooting.
Review Mac registration logs
Looking for more information about the Mac device registration process? Use the macOS Unified System Logs output to see what is taking place for MacManage at registration:
sudo log stream --level=debug --predicate 'subsystem contains "com.addigy"'
Company Portal is being reinstalled or moved on a Mac
For Mac registration, the Conditional Access integration uses Company Portal during registration. Addigy deploys and manages the version used for this workflow. If Company Portal is also deployed separately by policy, this may cause conflicts or repeated movement/reinstallation.
You do not need to deploy Company Portal separately for Mac Conditional Access registration unless otherwise directed by Addigy Support.
Microsoft Enterprise SSO Extension fails to perform Workplace Join
The Apple SSO Extension framework and the Microsoft Enterprise SSO Extension require certain Microsoft domains to be exempted from TLS interception or inspection, also known as break-and-inspect proxying.
Review Microsoft’s SSO Extension troubleshooting guidance and ensure the required domains are exempted.
Mac re-registration after a failed or partial registration
Microsoft has moved the Workplace Join private key for Mac registration into the Secure Enclave. Because of this change, older troubleshooting steps that attempt to clear Workplace Join items from login.keychain may not fully reset the device registration state.
If a Mac needs to be reset for Conditional Access registration, remove the device record from Microsoft Entra and clear the local registration state before attempting registration again. The device record must be removed manually in Entra ID, as there is no API endpoint provided by Microsoft to request device deletion. Contact Addigy Support if the device remains unable to register.
On older Company Portal builds, the local registration state was stored in the login.keychain and could be cleared by removing these items in Keychain Access.app:
- Kind = Application Password
- com.microsoft.workplacejoin.cloudEnvironment
- com.microsoft.workplacejoin.registeredUserPrincipalName
- com.microsoft.workplacejoin.thumbprint
- Kind = Identity Preference
- https://device.login.microsoftonline.com (UBF8T346G9.com.microsoft.CompanyPortalMac)
- Kind = Certificate
- Issued by = MS-Organization-Access
- CN = Entra Device ID
- Issued by = MS-Organization-Access
Note: Older Workplace Join cleanup scripts may not fully reset registration on current Company Portal builds, and can only clean up one MS-Organization-Access certificate at a time. Use them only if directed by Addigy Support.
Troubleshooting - iPhone and iPad
Use this section for iPhone and iPad-specific Conditional Access troubleshooting.
iPhone or iPad cannot complete registration
Confirm that the device has the required configuration deployed:
- The device is enrolled in Addigy MDM.
- The device is assigned to an Addigy policy with Compliance enabled.
- Self Service for iPhone and iPad is deployed to the device.
- Microsoft Authenticator is installed or available.
- The Microsoft SSO Extension configuration is deployed to the device.
- The user is assigned to the Entra ID group selected for the Addigy iOS/iPadOS partner compliance configuration.
- The Conditional Access policy targets iOS/iPadOS and does not unintentionally block the registration flow.
Microsoft Authenticator is not installed
Microsoft Authenticator is required for iPhone and iPad registration. If Microsoft Authenticator is not installed, the user may be prompted to install it before registration can continue.
In environments using Managed Apple IDs, users cannot install apps from the App Store. Microsoft Authenticator must be deployed by the admin.
iPhone or iPad compliance state is not updating in Microsoft Entra
Confirm that the device has completed an Addigy audit and has an assigned compliance benchmark and rule. Also confirm that the Addigy to Microsoft Intune integration shows a successful connection and heartbeat.
After Addigy sends updated compliance data, allow time for Microsoft Entra to receive and process the updated compliance state.
iPhone or iPad does not appear in Intune
This is expected. Devices registered through this workflow appear in the Microsoft Entra device list. They do not appear as Intune-enrolled devices through this integration.