Missing this app in your M365 tenant and need it for Conditional Access? This was a recent issue that I came across while working on a tenant to tenant migration project. The Issue? Re-enrolling fully managed (COPE) devices and the requirement to exclude the enrollment from MFA prompts. The only problem, only the Microsoft Intune app existed.

As you can see below, the Microsoft Intune app is missing from the Mobility MDM and WIP page.

As you can also see, it’s missing from the Target Resources within the Conditional Access Policies.

To resolve the issue, we need a way of recreating the app that Microsoft will recognise as the Intune enrolment app, we can’t simply create an Enterprise Application called the same name. We’ll do this by creating a new Service Principle.

First, we’re going to login to Entra ID using Powershell.

Connect-AzureAD

Lets now check if the app exists, run the get command to see if it exists.

Get-AzureADServicePrincipal -AppId d4ebce55-015a-49b5-a083-c84d1797ae8c

If it returned nothing back and simply returned back to a new command line, then we need to create the app. We’ll first clear any record of it from the tenant by removing the SP.

Remove-AzureADServicePrincipal -AppId d4ebce55-015a-49b5-a083-c84d1797ae8c

Once complete, we’re now going to recreate it. Don’t make any changes to the command.

New-AzureADServicePrincipal -AppId d4ebce55-015a-49b5-a083-c84d1797ae8c

To confirm it’s created, PS will show you the new Service Principle with the correct display name of the require Intune enrollment app.

We can now also see the app listed in the Mobility page

And, if you now select the app from the CA policy, it should be listed. You’ll need to refresh the page if you still have it open from checking previously.

And your done. Now all you have to do is save your CA policy and test the results.