[Tutorial] [Root] How to configure 'Microsoft Intune' to make it work with 'Magisk'

Search This thread

GoodSoul

Senior Member
Oct 10, 2010
281
334
▂ ▃ ▅ ▆ █
www.google.com
This question was asked many times and often all the answers did not work:
How do I get Magisk to work with Microsoft Apps like Microsoft Teams, Microsoft Outlook etc (protected by Microsoft Intune)?

With Magisk 24.1 it is finally possible to bypass the protection of Microsoft Intune. Here are the instructions on how to proceed. The solution requires root!
- First of all you need the latest Magisk version (24.1 or higher).
- After installation select:
- Settings -> Hide the Magisk app : Select a new name of your choice (I use 'MM' for 'Magisk Manager')
- After Magisk has been hidden open 'Settings' and enable 'Zygisk (Beta)'
- Select 'Enfore DenyList'
- Select 'Configure DenyList'
- Use the magnifying glass and search for "Microsoft". You will find "Company Portal" (also known as Microsoft Intune). Important: Expand the view by clicking on the entry. You will see something like this:
before.png

- Now, with the expaned view, click the entry. It will look like this:
after.png

- Repeat these step (first expand, then clicking the button) on each other Microsoft App - e.g. Microsoft Teams, Microsoft Outlook, ...
Important: If you do not expand the view it will not work!

Now, to make sure that this solution is really working ....
- Install YASNAC - Yet Another SafetyNet Attestation Checker from the Google Play Store.
- Run the SafetyNet Attestation on YASNAC
When it fails is shows something like this:
S-XC-3lnvkR7nblwC2dDZh0uv_Lk2AskoGUgmAS7Ccta5Txk5vC6RSkVbQ3zGXKwCpo=s0

- To fix the Basic integrity you need to install the latest Universal SafetyNet Fix from Github.
- Download the ZIP and install it as a module in Magisk (24.1 or higher).
- Reboot again and restart the YASNAC - Yet Another SafetyNet Attestation Checker. It should now pass (at least) the Basic integration.

Now your Microsoft Apps should work. :cool:

If this is not the case you might also need to fix your CTS profile match. You can resolve this by doing the following steps:
- Download and install the latest release of MagiskHide Props Config from Github in Magisk as a Module.
- Restart your Phone!
- Launch a Terminal of your choice (e.g. Termux, Android Terminal Emulator, ...).
- Type 'su' (enter) and agree to the root dialog.
- Now type 'props' (enter) ...
... select '1' for Edit device fingerprints
... select 'f' for Pick a certified fingerprint
... select a vendor of your phone (e.g. Xiaomi, Poco, Google, Samsung, Oneplus ...)
... select your phone (if available) or a phone which is next to your phone with your installed Android version (for example 9,10,11).
- After selecting the fingerprint for your device, and when the program ends, reboot your device

After reboot another check of YASNAC - Yet Another SafetyNet Attestation Checker should the look like this:
ufTYzRDcL2yWF46hikmY4FirIxP4ZsDENWO3Tokb9pEIEDAV7iS4xh6De9wfk4fWzA=w1837-h977-rw


Important:
Once YASNAC shows Pass on Basic integrity and CTS profile match you can use any Banking App (e.g. Google Pay, N26, DKB, Sparkasse, Revolut, bunq, <whatever>) by repeating the inital steps for each of these Apps and it should not detect root. You might need to clear the data before the app stops complaining about a rooted device (example Google Pay).

If you find this tutorial helpful please leave a like for this post - thanks in advance.

BTW: @skuppej did the same steps in another post before my post with success. You can read it here.
 
Last edited:

GoodSoul

Senior Member
Oct 10, 2010
281
334
▂ ▃ ▅ ▆ █
www.google.com
I followed the guide, but the second time I fire up YASNAC it still fails the SafteyNet fix. I tried everything, rebooted every time, no dice.
Does Basic integrity or CTS profile fail? Or both? What is your device and android version, also which fingerprint did you select?
Any luck for you to check my logcat?
Sorry, was away for some time. I checked your entries and can only see that the app is whitelistet (zygote). You did expand the view before clicking the enable button, right?
The only difference from your screenshots is that you've evaluation type HARDWARE_BACKED, I've BASIC. The rest is same. My phone is S9 with Stock Android 10 installed.
Not sure if this is the issue. I will try to find out whats the difference is.

Edit: What Android version is your S9 running?

Also interessting: https://www.xda-developers.com/how-to-pass-safetynet-android/
 

Indru

Member
Oct 27, 2012
36
3
Does Basic integrity or CTS profile fail? Or both? What is your device and android version, also which fingerprint did you select?
Both fail. Strange thing, it seems the fingerprint does not apply. After rebooting I have the same fingerprint. So there is something wrong with the props. I have the latest version of Magisk, latest version of Magisk Props Config.

OnePlus 5T, Android 10.

Also another strange thing: Yasnac says device ID is A0001 instead of A5010 (OP 5T)
 

GoodSoul

Senior Member
Oct 10, 2010
281
334
▂ ▃ ▅ ▆ █
www.google.com
Both fail. Strange thing, it seems the fingerprint does not apply. After rebooting I have the same fingerprint. So there is something wrong with the props. I have the latest version of Magisk, latest version of Magisk Props Config.

OnePlus 5T, Android 10.

Also another strange thing: Yasnac says device ID is A0001 instead of A5010 (OP 5T)
A001 is the OnePlus One. Did you catch the right ROM for your device? :)
 

Indru

Member
Oct 27, 2012
36
3
A001 is the OnePlus One. Did you catch the right ROM for your device? :)
Hi,
Yes, I have OxygenOS 10.0.1 for OnePlus 5T (official firmware). In About phone it says OnePlus A5010, nothing is off there, just Yasnac doesn't seem to read it correctly, and if I try e.g. to assign fingerprint from a different model (like 8 Pro or something) when I reset I still have 5T fingerprint according to props.

LATER EDIT: SOLVED IT!
I have went into the props menu and reset the props settings to default. It seems there was some wrong setting somewhere. Afterwards I assigned the fingerprint and now YASNAC sees the model correctly, and if I add the Universal SafetyNet Fix it passes integrity checks.

Everything OK! :)
 
Last edited:
  • Like
Reactions: GoodSoul

persmash

Senior Member
Jun 21, 2011
117
13
Does Basic integrity or CTS profile fail? Or both? What is your device and android version, also which fingerprint did you select?

Sorry, was away for some time. I checked your entries and can only see that the app is whitelistet (zygote). You did expand the view before clicking the enable button, right?

Not sure if this is the issue. I will try to find out whats the difference is.

Edit: What Android version is your S9 running?

Also interessting: https://www.xda-developers.com/how-to-pass-safetynet-android/
Hi,
Both are passed. See attached. Galaxy S9. Android 10.

Yes I have expanded the view before selecting.
 

Attachments

  • Screenshot_20220325-234117_YASNAC.png
    Screenshot_20220325-234117_YASNAC.png
    129.2 KB · Views: 35

A.L.P.H.A.

Member
Apr 19, 2022
7
0
I have performed all the steps, after logging into intune, it is asking me to set up a work profile, and since I am using a custom rom (syberia 5.4 for oneplus 6), it is "not encrypted" hence, I cannot set up a work profile.
Kindly help me out here.
 

Mephisto01

Member
Apr 11, 2014
5
1
Szigethalom
LG V20
Hi @GoodSoul ,
Thank you for the prompt description!
I can now use all of the company stuff on my rooted Ulefone Power Armour 13 phone.
I saw, that this method should be good for Google Pay too.
After doing the steps I could add my card to it and I will test it soon in a shop.
Hope it will work!
And again many-many thanks to you!
 
  • Like
Reactions: GoodSoul

Mephisto01

Member
Apr 11, 2014
5
1
Szigethalom
LG V20
Hey,

I am still using Magisk 23.0 and recently also my Outlook and Teams started crying about my rooted devices. But I have a strange behavior: If I click away this message 2-3 times everything works fine ¯\_(ツ)_/¯.
Anybody else who notices this behavior?

@GoodSoul Is this meant to be work also within the Android Enterprise environment? I mean this thing which is encapsulated from the rest of the system like I would create another user.
Hi @tiga05 ,
I'm on Magisk 24.3.
I also experiensed such behaviour, because my company started useing MS Authenticator and Intune to access company data on personal phones.
Sometimes it was enough to hit one or twice the contiue when it cried about the root, and eg. the outlook started normaly, but sometimes it just closed the outlook.
After I done the steps in Goodsouls workaround, I was asked to set a PIN, and all the company stuff started working flawlessly.
 

Viraxe

New member
May 24, 2022
1
1
latest 5.0.5519.0 IntunePortal detects root again!

all stuff described here seem not working since yesterday
Indeed, same here :-(
YASNAC still passes both basic integrity and CTS profile match (evaluation type BASIC), but Intune Company Portal somehow detects a rooted device.
Running Magisk 24.1 with Zygisk, Universal SafetyNet Fix 2.2.1, Props config 6.1.2-v137, running OS 18.1 on a Samsung Galaxy S7, appearing as a S20 running Android 11 via props config...
 
  • Like
Reactions: traversone

lugremo

Member
Mar 29, 2018
11
4
latest 5.0.5519.0 IntunePortal detects root again!

all stuff described here seem not working since yesterday
I had the same issue with the updated intune portal 5.0.5519.0
Previous version worked for me 5.0.5472.0 which i dowloaded from apkpure. Closed the automatic updates from the google play store.

But I don't know if there is a solution for the latest portal app.
 

deep_raman

Member
Feb 3, 2015
25
3
Gurgaon
This question was asked many times and often all the answers did not work:
How do I get Magisk to work with Microsoft Apps like Microsoft Teams, Microsoft Outlook etc (protected by Microsoft Intune)?

With Magisk 24.1 it is finally possible to bypass the protection of Microsoft Intune. Here are the instructions on how to proceed. The solution requires root!
- First of all you need the latest Magisk version (24.1 or higher).
- After installation select:
- Settings -> Hide the Magisk app : Select a new name of your choice (I use 'MM' for 'Magisk Manager')
- After Magisk has been hidden open 'Settings' and enable 'Zygisk (Beta)'
- Select 'Enfore DenyList'
- Select 'Configure DenyList'
- Use the magnifying glass and search for "Microsoft". You will find "Company Portal" (also known as Microsoft Intune). Important: Expand the view by clicking on the entry. You will see something like this:
View attachment 5536587
- Now, with the expaned view, click the entry. It will look like this:
View attachment 5536595
- Repeat these step (first expand, then clicking the button) on each other Microsoft App - e.g. Microsoft Teams, Microsoft Outlook, ...
Important: If you do not expand the view it will not work!

Now, to make sure that this solution is really working ....
- Install YASNAC - Yet Another SafetyNet Attestation Checker from the Google Play Store.
- Run the SafetyNet Attestation on YASNAC
When it fails is shows something like this:
S-XC-3lnvkR7nblwC2dDZh0uv_Lk2AskoGUgmAS7Ccta5Txk5vC6RSkVbQ3zGXKwCpo=s0

- To fix the Basic integrity you need to install the latest Universal SafetyNet Fix from Github.
- Download the ZIP and install it as a module in Magisk (24.1 or higher).
- Reboot again and restart the YASNAC - Yet Another SafetyNet Attestation Checker. It should now pass (at least) the Basic integration.

Now your Microsoft Apps should work. :cool:

If this is not the case you might also need to fix your CTS profile match. You can resolve this by doing the following steps:
- Download and install the latest release of MagiskHide Props Config from Github in Magisk as a Module.
- Restart your Phone!
- Launch a Terminal of your choice (e.g. Termux, Android Terminal Emulator, ...).
- Type 'su' (enter) and agree to the root dialog.
- Now type 'props' (enter) ...
... select '1' for Edit device fingerprints
... select 'f' for Pick a certified fingerprint
... select a vendor of your phone (e.g. Xiaomi, Poco, Google, Samsung, Oneplus ...)
... select your phone (if available) or a phone which is next to your phone with your installed Android version (for example 9,10,11).
- After selecting the fingerprint for your device, and when the program ends, reboot your device

After reboot another check of YASNAC - Yet Another SafetyNet Attestation Checker should the look like this:
ufTYzRDcL2yWF46hikmY4FirIxP4ZsDENWO3Tokb9pEIEDAV7iS4xh6De9wfk4fWzA=w1837-h977-rw


Important:
Once YASNAC shows Pass on Basic integrity and CTS profile match you can use any Banking App (e.g. Google Pay, N26, DKB, Sparkasse, Revolut, bunq, <whatever>) by repeating the inital steps for each of these Apps and it should not detect root. You might need to clear the data before the app stops complaining about a rooted device (example Google Pay).

If you find this tutorial helpful please leave a like for this post - thanks in advance.

BTW: @skuppej did the same steps in another post before my post with success. You can read it here.
This no longer works after 31st May'22. YasNac shows pass for both.
 

futasay

New member
Jun 3, 2010
3
0
i've updated Intune to the latest version 5.0.5533 and it's still working fine. I'm using the Shamiko module (v0.5 build 100).
I pass the integrity check, and have tried:
- Downgrading to 5.0.5472
- Using Shamiko module to hide while on both the latest version (5.0.5533) and the downgraded version
- Hiding Magisk APK

Not sure why it is still getting triggered - it says device is in compliance, but then Company Portal spams my notifications with "rooted device detected, wiping data", and it won't generate a work profile (which I need).

Going to try manually generating a work profile with Shelter, but I don't think it will work. Does anyone have any ideas?

EDIT: I tried Shelter and it seemed to work, but the app did not generate a work profile, which is weird. The contents of the app were blank as well (no company apps, etc.).

Android version: 11
Device: Pixel 4 (flame)
eval_type: BASIC
 
Last edited:

Top Liked Posts

  • There are no posts matching your filters.
  • 1
    Which version of Magisk and Shamiko do you use? For me, it has been working fine since Magisk 24.3 and Shamiko 0.4.4. (now I'm using Shamiko 0.5.0)

    You may as well try the following:
    - reinstall the shamiko module
    - clear all data of Intune Company Portal, kill it, and reboot
    - make sure you check all the boxes of Intune in denylist but do not Enforce Denylist
    - make sure you can see "Shamiko is working as blacklist mode", reboot
    - try root detection tools and make sure they cannot detect root/magisk/zygisk, e.g. Momo, Oprek Detector, rootbeer sample

    Also, for me I always freeze the magisk app too because some bank apps can simply detect it if not frozen even if it's repackaged in another name. You may try this as well before using Intune.
    Hello all,
    I had the issue as well before and the latest magisk canary fixed it ...

    Before that intune was failing on "device is clean", since today's update (or yesterday's).

    Let me know if it fixed it for you as well :)
  • 10
    This question was asked many times and often all the answers did not work:
    How do I get Magisk to work with Microsoft Apps like Microsoft Teams, Microsoft Outlook etc (protected by Microsoft Intune)?

    With Magisk 24.1 it is finally possible to bypass the protection of Microsoft Intune. Here are the instructions on how to proceed. The solution requires root!
    - First of all you need the latest Magisk version (24.1 or higher).
    - After installation select:
    - Settings -> Hide the Magisk app : Select a new name of your choice (I use 'MM' for 'Magisk Manager')
    - After Magisk has been hidden open 'Settings' and enable 'Zygisk (Beta)'
    - Select 'Enfore DenyList'
    - Select 'Configure DenyList'
    - Use the magnifying glass and search for "Microsoft". You will find "Company Portal" (also known as Microsoft Intune). Important: Expand the view by clicking on the entry. You will see something like this:
    before.png

    - Now, with the expaned view, click the entry. It will look like this:
    after.png

    - Repeat these step (first expand, then clicking the button) on each other Microsoft App - e.g. Microsoft Teams, Microsoft Outlook, ...
    Important: If you do not expand the view it will not work!

    Now, to make sure that this solution is really working ....
    - Install YASNAC - Yet Another SafetyNet Attestation Checker from the Google Play Store.
    - Run the SafetyNet Attestation on YASNAC
    When it fails is shows something like this:
    S-XC-3lnvkR7nblwC2dDZh0uv_Lk2AskoGUgmAS7Ccta5Txk5vC6RSkVbQ3zGXKwCpo=s0

    - To fix the Basic integrity you need to install the latest Universal SafetyNet Fix from Github.
    - Download the ZIP and install it as a module in Magisk (24.1 or higher).
    - Reboot again and restart the YASNAC - Yet Another SafetyNet Attestation Checker. It should now pass (at least) the Basic integration.

    Now your Microsoft Apps should work. :cool:

    If this is not the case you might also need to fix your CTS profile match. You can resolve this by doing the following steps:
    - Download and install the latest release of MagiskHide Props Config from Github in Magisk as a Module.
    - Restart your Phone!
    - Launch a Terminal of your choice (e.g. Termux, Android Terminal Emulator, ...).
    - Type 'su' (enter) and agree to the root dialog.
    - Now type 'props' (enter) ...
    ... select '1' for Edit device fingerprints
    ... select 'f' for Pick a certified fingerprint
    ... select a vendor of your phone (e.g. Xiaomi, Poco, Google, Samsung, Oneplus ...)
    ... select your phone (if available) or a phone which is next to your phone with your installed Android version (for example 9,10,11).
    - After selecting the fingerprint for your device, and when the program ends, reboot your device

    After reboot another check of YASNAC - Yet Another SafetyNet Attestation Checker should the look like this:
    ufTYzRDcL2yWF46hikmY4FirIxP4ZsDENWO3Tokb9pEIEDAV7iS4xh6De9wfk4fWzA=w1837-h977-rw


    Important:
    Once YASNAC shows Pass on Basic integrity and CTS profile match you can use any Banking App (e.g. Google Pay, N26, DKB, Sparkasse, Revolut, bunq, <whatever>) by repeating the inital steps for each of these Apps and it should not detect root. You might need to clear the data before the app stops complaining about a rooted device (example Google Pay).

    If you find this tutorial helpful please leave a like for this post - thanks in advance.

    BTW: @skuppej did the same steps in another post before my post with success. You can read it here.
    1
    A001 is the OnePlus One. Did you catch the right ROM for your device? :)
    Hi,
    Yes, I have OxygenOS 10.0.1 for OnePlus 5T (official firmware). In About phone it says OnePlus A5010, nothing is off there, just Yasnac doesn't seem to read it correctly, and if I try e.g. to assign fingerprint from a different model (like 8 Pro or something) when I reset I still have 5T fingerprint according to props.

    LATER EDIT: SOLVED IT!
    I have went into the props menu and reset the props settings to default. It seems there was some wrong setting somewhere. Afterwards I assigned the fingerprint and now YASNAC sees the model correctly, and if I add the Universal SafetyNet Fix it passes integrity checks.

    Everything OK! :)
    1
    Hi @GoodSoul ,
    Thank you for the prompt description!
    I can now use all of the company stuff on my rooted Ulefone Power Armour 13 phone.
    I saw, that this method should be good for Google Pay too.
    After doing the steps I could add my card to it and I will test it soon in a shop.
    Hope it will work!
    And again many-many thanks to you!
    1
    latest 5.0.5519.0 IntunePortal detects root again!

    all stuff described here seem not working since yesterday
    1
    latest 5.0.5519.0 IntunePortal detects root again!

    all stuff described here seem not working since yesterday
    Indeed, same here :-(
    YASNAC still passes both basic integrity and CTS profile match (evaluation type BASIC), but Intune Company Portal somehow detects a rooted device.
    Running Magisk 24.1 with Zygisk, Universal SafetyNet Fix 2.2.1, Props config 6.1.2-v137, running OS 18.1 on a Samsung Galaxy S7, appearing as a S20 running Android 11 via props config...