Microsoft 365 Alert – Service Degradation – Microsoft Intune – Some users can’t access their Microsoft 365 apps or resources and are blocked by a conditional access policy – RESOLVED
03/09/2025 08:30:00 AM
NHSmail Reference: INC46619234
Microsoft Reference: IT1146574
Issue Status: RESOLVED
Issue Description: Some users can’t access their Microsoft 365 apps or resources and are blocked by a conditional access policy.
More info: Impact occurs only when some users attempt to access any Microsoft 365 app or resource that’s protected by a conditional access policy that requires a specific version of BitLocker drive encryption other than the default.
Admins notice that when enrolling the devices in Microsoft Intune, the BitLocker drive encryption defaults to XTS-AES 128-bit, despite being configured to XTS-AES 256-bit in Intune. Admins have configured a conditional access policy which requires the XTS-AES 256-bit build. This prevents the devices from being compliant with the conditional access policy and causes the users to be blocked.
Final Update: 04/09/2025 08:35:00 AM – Microsoft have validated with their service telemetry and through internal testing that their previously mentioned action of disabling the problematic change has remediated the impact. In addition, they’ve verified with some affected users that they’re able to successfully re-enroll devices using Autopilot and complete provisioning.
Scope of impact: Your organization is affected by this event, which impacts some users attempting to access their Microsoft 365 apps or resources that are protected by a conditional access policy, as outlined in the “More info” section.
Next steps: Microsoft are performing an in-depth root cause analysis to pinpoint how the problematic feature caused the inaccessibility of Microsoft 365 apps or resources and why it wasn’t detected prior to deployment, so that they can proactively identify similar issues in the future.