Information – Intune – Conditional access policy preventing some users from accessing Microsoft 365 services
03/09/2025 12:00:00 PM
Message: Some users are unable to access Microsoft 365 applications or resources due to a conditional access policy requirement. This issue occurs specifically when users try to access content protected by a policy that mandates a specific BitLocker encryption configuration. The devices, during enrollment via Microsoft Intune, are defaulting to XTS-AES 128-bit encryption, whereas the policy enforces XTS-AES 256-bit encryption. As a result, these devices are marked non-compliant, and access is denied to affected users.
Current Status: Microsoft continues to analyze trace logs and investigate recent changes, though the process is taking longer than expected. In parallel, Microsoft has completed the development and testing of a PowerShell script designed to help restore access and is now validating the effectiveness of this script as a temporary fix for affected users.
User Impact: Some users are currently blocked from accessing Microsoft 365 apps and resources due to enforced conditional access policies.
This issue affects your organization. Only users whose devices do not meet the conditional access encryption requirement are impacted.
Root Cause: The issue stems from a mismatch between the BitLocker encryption method applied during device enrollment and the one required by a conditional access policy. Although Intune is configured to apply XTS-AES 256-bit encryption, devices are instead defaulting to XTS-AES 128-bit. This misalignment causes the devices to fail compliance checks, thereby blocking user access to protected Microsoft 365 resources.
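As an added check (this is not the remediation script Microsoft mentions above), the following PowerShell reads the OS volume's actual BitLocker encryption method alongside the policy value applied to the device, so an administrator can confirm whether a given device would fail the XTS-AES 256 compliance requirement. The required method name and the FVE policy registry value are assumptions noted in the comments.

```powershell
# Added example, not Microsoft's script: report whether this device's OS
# volume uses the BitLocker method the conditional access policy requires.
# Run in an elevated PowerShell session on the Windows device.
# Assumption: the required method is XTS-AES 256 ('XtsAes256'), as stated above.

function Test-BitLockerMethodCompliance {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [string]$RequiredMethod = 'XtsAes256'
    )

    # Actual state of the volume as BitLocker reports it.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # Policy value Intune/GPO writes for the OS drive (BitLocker CSP setting
    # EncryptionMethodWithXtsOs): 6 = XTS-AES 128, 7 = XTS-AES 256.
    # Assumption: the policy is delivered to this registry location.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $policyValue = (Get-ItemProperty -Path $policyKey -Name 'EncryptionMethodWithXtsOs' `
        -ErrorAction SilentlyContinue).EncryptionMethodWithXtsOs
    $policyMethod = switch ($policyValue) {
        6       { 'XtsAes128' }
        7       { 'XtsAes256' }
        default { 'NotConfigured' }
    }

    $actual = [string]$vol.EncryptionMethod

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        ActualMethod     = $actual
        PolicyMethod     = $policyMethod
        RequiredMethod   = $RequiredMethod
        # This is the comparison the compliance check effectively makes:
        # the volume's real method, not the configured policy, decides.
        Compliant        = ($actual -eq $RequiredMethod)
    }
}

Test-BitLockerMethodCompliance | Format-List
```

A volume that was already encrypted with XTS-AES 128 keeps that method even after the policy is corrected, because BitLocker cannot change the cipher of an encrypted volume in place; such a device stays non-compliant until it is decrypted and re-encrypted, which is why the check reports the actual volume method separately from the policy value.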