Missing Microsoft Intune Enrollment App in Microsoft Entra ID

Published on 07 May 2025

Bastien Perez

Can't find the Microsoft Intune Enrollment application in your Microsoft 365 tenant and need it for a Conditional Access policy? Without it, you cannot target device enrollment in a policy, whether to manage access to it or to exclude it from MFA prompts. The good news: the solution is in this article.

Microsoft Intune Enrollment missing

As stated in the Microsoft documentation (Require multifactor authentication for Intune device enrollments), the Microsoft Intune Enrollment application is not created automatically in new tenants.

Microsoft Intune Enrollment is missing from the Mobility (MDM and WIP) section in the Microsoft 365 interface - https://entra.microsoft.com/#view/Microsoft_AAD_IAM/MdmList.ReactView

It is also missing from the list of applications that can be selected in Conditional Access policies.

Manually create the Microsoft Intune Enrollment application

To create the application, use Microsoft Graph with an account that has permission to create a Service Principal in Entra ID, such as a user with the Global Administrator role.

This script requires the PowerShell module Microsoft.Graph.Authentication.

# Connect with the permission needed to read and create service principals
Connect-MgGraph -Scopes 'Application.ReadWrite.All'

# Well-known appId of the first-party Microsoft Intune Enrollment application
$intuneEnrollmentAppId  = 'd4ebce55-015a-49b5-a083-c84d1797ae8c'
$intuneEnrollmentAppUri = "https://graph.microsoft.com/v1.0/servicePrincipals?`$filter=appId eq '$intuneEnrollmentAppId'"

# The filtered query returns an empty 'value' array when no service principal exists yet
$intuneEnrollmentApp       = (Invoke-MgGraphRequest -Method GET -Uri $intuneEnrollmentAppUri -OutputType PSObject).value
$intuneEnrollmentAppExists = @($intuneEnrollmentApp).Count -gt 0

# If it does not exist, create the service principal from the appId
if (-not $intuneEnrollmentAppExists) {
    $body = @{ appId = $intuneEnrollmentAppId } | ConvertTo-Json

    $null = Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/v1.0/servicePrincipals' -Body $body -ContentType 'application/json'
    Write-Host -ForegroundColor Green 'Microsoft Intune Enrollment created'
}
else {
    Write-Host -ForegroundColor Green 'Microsoft Intune Enrollment already exists'
}
💡 I use Invoke-MgGraphRequest because it only requires the Microsoft.Graph.Authentication module. Commands like New-MgServicePrincipal / Get-MgServicePrincipal can work, but the modules they depend on often have compatibility issues or bugs, which is why using Invoke-MgGraphRequest as much as possible is preferable.

After this action, Microsoft Intune Enrollment becomes available in the Mobility (MDM and WIP) section.

And also in the Conditional Access application list.
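Once the service principal exists, the appId can be referenced from a Conditional Access policy through Microsoft Graph. The following is an added example, not code from the original article: it creates a report-only policy requiring MFA for the Microsoft Intune Enrollment application, after checking that the service principal is really present. The policy name is a placeholder, and the scopes assumed are Policy.ReadWrite.ConditionalAccess and Application.Read.All.

```powershell
# Added example (not from the original article): report-only Conditional Access policy
# that requires MFA for the Microsoft Intune Enrollment application created above.
# Assumed scopes: Policy.ReadWrite.ConditionalAccess and Application.Read.All.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# Well-known appId of the Microsoft Intune Enrollment application
$intuneEnrollmentAppId = 'd4ebce55-015a-49b5-a083-c84d1797ae8c'

# Stop if the service principal is still missing: the policy would reference an appId
# that does not yet exist in the tenant.
$spUri = "https://graph.microsoft.com/v1.0/servicePrincipals?`$filter=appId eq '$intuneEnrollmentAppId'"
$sp = (Invoke-MgGraphRequest -Method GET -Uri $spUri -OutputType PSObject).value
if (-not $sp) {
    throw 'Microsoft Intune Enrollment service principal not found; create it first.'
}

$policy = @{
    displayName = 'Require MFA for Intune device enrollment (report-only)'   # placeholder name
    # Report-only: the policy is evaluated and logged but never enforced, so its impact
    # can be reviewed in the sign-in logs before switching it to 'enabled'.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{
            includeUsers = @('All')
            # Put your emergency-access (break-glass) account ids here before enabling.
            excludeUsers = @()
        }
        applications   = @{ includeApplications = @($intuneEnrollmentAppId) }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

# -Depth is required: the default depth of ConvertTo-Json truncates the nested conditions
$result = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType 'application/json'

Write-Host -ForegroundColor Green "Created policy '$($result.displayName)' (id $($result.id)) in report-only mode"
```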

Bastien Perez

Freelance Microsoft 365 - Active Directory - Modern Workplace

France