Missing Microsoft Intune Enrollment App in Microsoft Entra ID
Published on 07 May 2025
Clap
Can’t find the Microsoft Intune Enrollment application in your Microsoft 365 tenant and need it for a Conditional Access policy? This issue can complicate access management or excluding MFA prompts. The good news: the solution is in this article.
Microsoft Intune Enrollement missing
As stated in Microsoft documentation - Require multifactor authentication for Intune device enrollments, the application Microsoft Intune Enrollement is not automatically created for new tenants.
Microsoft Intune Enrollment is missing from the Mobility (MDM and WIP) section in the Microsoft 365 interface - https://entra.microsoft.com/#view/Microsoft_AAD_IAM/MdmList.ReactView
But it's also missing from the list of applications that can be selected in Conditional Access policies.
Manually create the Microsoft Intune Enrollment application
To create the application, use Microsoft Graph with an account that has permission to create a Service Principal in Entra ID, such as a user with the Global Administrator role.
This script requires the PowerShell module Microsoft.Graph.Authentication.
# Connecting with the required permissions
Connect-MgGraph -Scopes 'Application.ReadWrite.All'
$intuneEnrollmentAppUri = "https://graph.microsoft.com/v1.0/servicePrincipals?`$filter=appId eq 'd4ebce55-015a-49b5-a083-c84d1797ae8c'"
$intuneEnrollmentAppExists = [bool](Invoke-MgGraphRequest -Method GET -Uri $intuneEnrollmentAppUri -ContentType 'PSObject' -OutputType PSObject).value.Count -gt 0
# If not exist, we create it
if (-not $intuneEnrollmentAppExists) {
$body = @{ appId = 'd4ebce55-015a-49b5-a083-c84d1797ae8c' } | ConvertTo-Json
$null = Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/v1.0/servicePrincipals' -Body $body -ContentType 'application/json'
Write-Host -ForegroundColor Green 'Microsoft Intune Enrollment created'
}
else {
Write-Host -ForegroundColor Green 'Microsoft Intune Enrollment already exists'
}Invoke-MgGraphRequest because it only requires the Microsoft.Graph.Authentication module. Commands like New-MgServicePrincipal / Get-MgServicePrincipal can work, but the modules they depend on often have compatibility issues or bugs, which is why using Invoke-MgGraphRequest as much as possible is preferable.After this action, Microsoft Intune Enrollment becomes available in the Mobility (MDM and WIP) section.
And also in the Conditional Access application list.
Clap
Comments