[Tutorial] [Root] How to configure 'Microsoft Intune' to make it work with 'Magisk'

[GoodSoul]

This question was asked many times and often all the answers did not work:
How do I get Magisk to work with Microsoft Apps like Microsoft Teams, Microsoft Outlook etc (protected by Microsoft Intune)?

With Magisk 24.1 it is finally possible to bypass the protection of Microsoft Intune. Here are the instructions on how to proceed. The solution requires root!
- First of all you need the latest Magisk version (24.1 or higher).
- After installation select:
- Settings -> Hide the Magisk app : Select a new name of your choice (I use 'MM' for 'Magisk Manager')
- After Magisk has been hidden open 'Settings' and enable 'Zygisk (Beta)'
- Select 'Enfore DenyList'
- Select 'Configure DenyList'
- Use the magnifying glass and search for "Microsoft". You will find "Company Portal" (also known as Microsoft Intune). Important: Expand the view by clicking on the entry. You will see something like this:

- Now, with the expaned view, click the entry. It will look like this:

- Repeat these step (first expand, then clicking the button) on each other Microsoft App - e.g. Microsoft Teams, Microsoft Outlook, ...
Important: If you do not expand the view it will not work!

Now, to make sure that this solution is really working ....
- Install YASNAC - Yet Another SafetyNet Attestation Checker from the Google Play Store.
- Run the SafetyNet Attestation on YASNAC
When it fails is shows something like this:

- To fix the Basic integrity you need to install the latest Universal SafetyNet Fix from Github.
- Download the ZIP and install it as a module in Magisk (24.1 or higher).
- Reboot again and restart the YASNAC - Yet Another SafetyNet Attestation Checker. It should now pass (at least) the Basic integration.

Now your Microsoft Apps should work.

If this is not the case you might also need to fix your CTS profile match. You can resolve this by doing the following steps:
- Download and install the latest release of MagiskHide Props Config from Github in Magisk as a Module.
- Restart your Phone!
- Launch a Terminal of your choice (e.g. Termux, Android Terminal Emulator, ...).
- Type 'su' (enter) and agree to the root dialog.
- Now type 'props' (enter) ...
... select '1' for Edit device fingerprints
... select 'f' for Pick a certified fingerprint
... select a vendor of your phone (e.g. Xiaomi, Poco, Google, Samsung, Oneplus ...)
... select your phone (if available) or a phone which is next to your phone with your installed Android version (for example 9,10,11).
- After selecting the fingerprint for your device, and when the program ends, reboot your device

After reboot another check of YASNAC - Yet Another SafetyNet Attestation Checker should the look like this:

Important:
Once YASNAC shows Pass on Basic integrity and CTS profile match you can use any Banking App (e.g. Google Pay, N26, DKB, Sparkasse, Revolut, bunq, <whatever>) by repeating the inital steps for each of these Apps and it should not detect root. You might need to clear the data before the app stops complaining about a rooted device (example Google Pay).

If you find this tutorial helpful please leave a like for this post - thanks in advance.

BTW: @skuppej did the same steps in another post before my post with success. You can read it here.

 

[GoodSoul]

I followed the guide, but the second time I fire up YASNAC it still fails the SafteyNet fix. I tried everything, rebooted every time, no dice.

Does Basic integrity or CTS profile fail? Or both? What is your device and android version, also which fingerprint did you select?

Any luck for you to check my logcat?

Sorry, was away for some time. I checked your entries and can only see that the app is whitelistet (zygote). You did expand the view before clicking the enable button, right?

The only difference from your screenshots is that you've evaluation type HARDWARE_BACKED, I've BASIC. The rest is same. My phone is S9 with Stock Android 10 installed.

Not sure if this is the issue. I will try to find out whats the difference is.

Edit: What Android version is your S9 running?

Also interessting: https://www.xda-developers.com/how-to-pass-safetynet-android/

 

[Indru]

Does Basic integrity or CTS profile fail? Or both? What is your device and android version, also which fingerprint did you select?

Both fail. Strange thing, it seems the fingerprint does not apply. After rebooting I have the same fingerprint. So there is something wrong with the props. I have the latest version of Magisk, latest version of Magisk Props Config.

OnePlus 5T, Android 10.

Also another strange thing: Yasnac says device ID is A0001 instead of A5010 (OP 5T)

 

[GoodSoul]

Both fail. Strange thing, it seems the fingerprint does not apply. After rebooting I have the same fingerprint. So there is something wrong with the props. I have the latest version of Magisk, latest version of Magisk Props Config.

OnePlus 5T, Android 10.

Also another strange thing: Yasnac says device ID is A0001 instead of A5010 (OP 5T)

A001 is the OnePlus One. Did you catch the right ROM for your device?

 

[Indru]

A001 is the OnePlus One. Did you catch the right ROM for your device?

Hi,
Yes, I have OxygenOS 10.0.1 for OnePlus 5T (official firmware). In About phone it says OnePlus A5010, nothing is off there, just Yasnac doesn't seem to read it correctly, and if I try e.g. to assign fingerprint from a different model (like 8 Pro or something) when I reset I still have 5T fingerprint according to props.

LATER EDIT: SOLVED IT!
I have went into the props menu and reset the props settings to default. It seems there was some wrong setting somewhere. Afterwards I assigned the fingerprint and now YASNAC sees the model correctly, and if I add the Universal SafetyNet Fix it passes integrity checks.

Everything OK!

 

[persmash]

Does Basic integrity or CTS profile fail? Or both? What is your device and android version, also which fingerprint did you select?

Sorry, was away for some time. I checked your entries and can only see that the app is whitelistet (zygote). You did expand the view before clicking the enable button, right?

Not sure if this is the issue. I will try to find out whats the difference is.

Edit: What Android version is your S9 running?

Also interessting: https://www.xda-developers.com/how-to-pass-safetynet-android/

Hi,
Both are passed. See attached. Galaxy S9. Android 10.

Yes I have expanded the view before selecting.

 

[persmash]

Still no luck...

 

[A.L.P.H.A.]

I have performed all the steps, after logging into intune, it is asking me to set up a work profile, and since I am using a custom rom (syberia 5.4 for oneplus 6), it is "not encrypted" hence, I cannot set up a work profile.
Kindly help me out here.

 

[Mephisto01]

Hi @GoodSoul ,
Thank you for the prompt description!
I can now use all of the company stuff on my rooted Ulefone Power Armour 13 phone.
I saw, that this method should be good for Google Pay too.
After doing the steps I could add my card to it and I will test it soon in a shop.
Hope it will work!
And again many-many thanks to you!

 

[Mephisto01]

Hey,

I am still using Magisk 23.0 and recently also my Outlook and Teams started crying about my rooted devices. But I have a strange behavior: If I click away this message 2-3 times everything works fine ¯\_(ツ)_/¯.
Anybody else who notices this behavior?

@GoodSoul Is this meant to be work also within the Android Enterprise environment? I mean this thing which is encapsulated from the rest of the system like I would create another user.

Hi @tiga05 ,
I'm on Magisk 24.3.
I also experiensed such behaviour, because my company started useing MS Authenticator and Intune to access company data on personal phones.
Sometimes it was enough to hit one or twice the contiue when it cried about the root, and eg. the outlook started normaly, but sometimes it just closed the outlook.
After I done the steps in Goodsouls workaround, I was asked to set a PIN, and all the company stuff started working flawlessly.

 

[EpHYN5kR]

No success, both yasnak tests passing, but root is still detected when try to use a banking app or ms intune. Using a LE2123 (OnePlus 9 Pro, OOS12).

 

[mancman]

Thanks a lot, for telling about the expanded view in hide.

This saved me a lot of hassle.

Very much appreicated.

 

[traversone]

latest 5.0.5519.0 IntunePortal detects root again!

all stuff described here seem not working since yesterday

 

[Viraxe]

latest 5.0.5519.0 IntunePortal detects root again!

all stuff described here seem not working since yesterday

Indeed, same here :-(
YASNAC still passes both basic integrity and CTS profile match (evaluation type BASIC), but Intune Company Portal somehow detects a rooted device.
Running Magisk 24.1 with Zygisk, Universal SafetyNet Fix 2.2.1, Props config 6.1.2-v137, running OS 18.1 on a Samsung Galaxy S7, appearing as a S20 running Android 11 via props config...

 

[tangcla]

Thanks, Magisk Hide worked for me
I had to hide Company Portal, Intune and Teams.

 

[lugremo]

latest 5.0.5519.0 IntunePortal detects root again!

all stuff described here seem not working since yesterday

I had the same issue with the updated intune portal 5.0.5519.0
Previous version worked for me 5.0.5472.0 which i dowloaded from apkpure. Closed the automatic updates from the google play store.

But I don't know if there is a solution for the latest portal app.

 

[deep_raman]

This question was asked many times and often all the answers did not work:
How do I get Magisk to work with Microsoft Apps like Microsoft Teams, Microsoft Outlook etc (protected by Microsoft Intune)?

With Magisk 24.1 it is finally possible to bypass the protection of Microsoft Intune. Here are the instructions on how to proceed. The solution requires root!
- First of all you need the latest Magisk version (24.1 or higher).
- After installation select:
- Settings -> Hide the Magisk app : Select a new name of your choice (I use 'MM' for 'Magisk Manager')
- After Magisk has been hidden open 'Settings' and enable 'Zygisk (Beta)'
- Select 'Enfore DenyList'
- Select 'Configure DenyList'
- Use the magnifying glass and search for "Microsoft". You will find "Company Portal" (also known as Microsoft Intune). Important: Expand the view by clicking on the entry. You will see something like this:
View attachment 5536587
- Now, with the expaned view, click the entry. It will look like this:
View attachment 5536595
- Repeat these step (first expand, then clicking the button) on each other Microsoft App - e.g. Microsoft Teams, Microsoft Outlook, ...
Important: If you do not expand the view it will not work!

Now, to make sure that this solution is really working ....
- Install YASNAC - Yet Another SafetyNet Attestation Checker from the Google Play Store.
- Run the SafetyNet Attestation on YASNAC
When it fails is shows something like this:

- To fix the Basic integrity you need to install the latest Universal SafetyNet Fix from Github.
- Download the ZIP and install it as a module in Magisk (24.1 or higher).
- Reboot again and restart the YASNAC - Yet Another SafetyNet Attestation Checker. It should now pass (at least) the Basic integration.

Now your Microsoft Apps should work.

If this is not the case you might also need to fix your CTS profile match. You can resolve this by doing the following steps:
- Download and install the latest release of MagiskHide Props Config from Github in Magisk as a Module.
- Restart your Phone!
- Launch a Terminal of your choice (e.g. Termux, Android Terminal Emulator, ...).
- Type 'su' (enter) and agree to the root dialog.
- Now type 'props' (enter) ...
... select '1' for Edit device fingerprints
... select 'f' for Pick a certified fingerprint
... select a vendor of your phone (e.g. Xiaomi, Poco, Google, Samsung, Oneplus ...)
... select your phone (if available) or a phone which is next to your phone with your installed Android version (for example 9,10,11).
- After selecting the fingerprint for your device, and when the program ends, reboot your device

After reboot another check of YASNAC - Yet Another SafetyNet Attestation Checker should the look like this:

Important:
Once YASNAC shows Pass on Basic integrity and CTS profile match you can use any Banking App (e.g. Google Pay, N26, DKB, Sparkasse, Revolut, bunq, <whatever>) by repeating the inital steps for each of these Apps and it should not detect root. You might need to clear the data before the app stops complaining about a rooted device (example Google Pay).

If you find this tutorial helpful please leave a like for this post - thanks in advance.

BTW: @skuppej did the same steps in another post before my post with success. You can read it here.

This no longer works after 31st May'22. YasNac shows pass for both.

 

[deep_raman]

This no longer works after 31st May'22. YasNac shows pass for both.

 

[deep_raman]

latest 5.0.5519.0 IntunePortal detects root again!

all stuff described here seem not working since yesterday

Downgrading to intune worked for me. Thanks

 

[dohanin]

i've updated Intune to the latest version 5.0.5533 and it's still working fine. I'm using the Shamiko module (v0.5 build 100).

 

[futasay]

i've updated Intune to the latest version 5.0.5533 and it's still working fine. I'm using the Shamiko module (v0.5 build 100).

I pass the integrity check, and have tried:
- Downgrading to 5.0.5472
- Using Shamiko module to hide while on both the latest version (5.0.5533) and the downgraded version
- Hiding Magisk APK

Not sure why it is still getting triggered - it says device is in compliance, but then Company Portal spams my notifications with "rooted device detected, wiping data", and it won't generate a work profile (which I need).

Going to try manually generating a work profile with Shelter, but I don't think it will work. Does anyone have any ideas?

EDIT: I tried Shelter and it seemed to work, but the app did not generate a work profile, which is weird. The contents of the app were blank as well (no company apps, etc.).

Android version: 11
Device: Pixel 4 (flame)
eval_type: BASIC