[Tutorial] [Root] How to configure 'Microsoft Intune' to make it work with 'Magisk'

Search This thread

GoodSoul

Senior Member
Oct 10, 2010
283
338
▂ ▃ ▅ ▆ █
www.google.com
This question was asked many times and often all the answers did not work:
How do I get Magisk to work with Microsoft Apps like Microsoft Teams, Microsoft Outlook etc (protected by Microsoft Intune)?

With Magisk 24.1 it is finally possible to bypass the protection of Microsoft Intune. Here are the instructions on how to proceed. The solution requires root!
- First of all you need the latest Magisk version (24.1 or higher).
- After installation select:
- Settings -> Hide the Magisk app : Select a new name of your choice (I use 'MM' for 'Magisk Manager')
- After Magisk has been hidden open 'Settings' and enable 'Zygisk (Beta)'
- Select 'Enfore DenyList'
- Select 'Configure DenyList'
- Use the magnifying glass and search for "Microsoft". You will find "Company Portal" (also known as Microsoft Intune). Important: Expand the view by clicking on the entry. You will see something like this:
before.png

- Now, with the expaned view, click the entry. It will look like this:
after.png

- Repeat these step (first expand, then clicking the button) on each other Microsoft App - e.g. Microsoft Teams, Microsoft Outlook, ...
Important: If you do not expand the view it will not work!

Now, to make sure that this solution is really working ....
- Install YASNAC - Yet Another SafetyNet Attestation Checker from the Google Play Store.
- Run the SafetyNet Attestation on YASNAC
When it fails is shows something like this:
S-XC-3lnvkR7nblwC2dDZh0uv_Lk2AskoGUgmAS7Ccta5Txk5vC6RSkVbQ3zGXKwCpo=s0

- To fix the Basic integrity you need to install the latest Universal SafetyNet Fix from Github.
- Download the ZIP and install it as a module in Magisk (24.1 or higher).
- Reboot again and restart the YASNAC - Yet Another SafetyNet Attestation Checker. It should now pass (at least) the Basic integration.

Now your Microsoft Apps should work. :cool:

If this is not the case you might also need to fix your CTS profile match. You can resolve this by doing the following steps:
- Download and install the latest release of MagiskHide Props Config from Github in Magisk as a Module.
- Restart your Phone!
- Launch a Terminal of your choice (e.g. Termux, Android Terminal Emulator, ...).
- Type 'su' (enter) and agree to the root dialog.
- Now type 'props' (enter) ...
... select '1' for Edit device fingerprints
... select 'f' for Pick a certified fingerprint
... select a vendor of your phone (e.g. Xiaomi, Poco, Google, Samsung, Oneplus ...)
... select your phone (if available) or a phone which is next to your phone with your installed Android version (for example 9,10,11).
- After selecting the fingerprint for your device, and when the program ends, reboot your device

After reboot another check of YASNAC - Yet Another SafetyNet Attestation Checker should the look like this:
ufTYzRDcL2yWF46hikmY4FirIxP4ZsDENWO3Tokb9pEIEDAV7iS4xh6De9wfk4fWzA=w1837-h977-rw


Important:
Once YASNAC shows Pass on Basic integrity and CTS profile match you can use any Banking App (e.g. Google Pay, N26, DKB, Sparkasse, Revolut, bunq, <whatever>) by repeating the inital steps for each of these Apps and it should not detect root. You might need to clear the data before the app stops complaining about a rooted device (example Google Pay).

If you find this tutorial helpful please leave a like for this post - thanks in advance.

BTW: @skuppej did the same steps in another post before my post with success. You can read it here.
 
Last edited:

robert1968

Senior Member
Mar 23, 2011
373
107
Usage:
1. Delete/disable/reset MagiskHidePropsConfig (if installed).
2. Just install it over old Universal SafetyNet Fix and reboot device.

On *top* of all this, it seems Company Portal was detecting the zygisk process in memory. Shamiko 0.5.2 seems to block this by also hiding the zygisk process. HMA doesn't seem to be necessary so far but I'm monitoring.

Doing this my phone has been stable on Company Portal 5.0.556.0 for over 24h through reboot and overnight charge.

Many Many thanks for this explanation.
It works for me. Poco F2 Pro with Lineage OS 19
 

robert1968

Senior Member
Mar 23, 2011
373
107
I have installed Universal SafetyNet Fix MOD by Displax: https://forum.xda-developers.com/t/magisk-module-universal-safetynet-fix-2-3-1.4217823/post-87198517
Then:
I have rebooted my phone,
installed Shamiko module https://github.com/LSPosed/LSPosed.github.io/releases
Rebooted again

Outlook seems to work... lets see in couple of days if it would discover my phone is rooted.
But in Magisk Modules I see:
View attachment 5671539

Thanks for the links and Pay my attention to disable enforce deny list !
works now!! :)
 

digger16309

Senior Member
Jul 17, 2014
499
201
OnePlus 5
Google Pixel 6 Pro
I upgraded to A13 on my Pixel 5. Restored apps (TEAMS and InTune) crashed and wouldn't work with old data. I have Zygisk enabled, forced deny list through Shamiko, everything checked in InTune and TEAMS, Magisk 25.2 hidden, USNF 2.3.1-mod loaded, YASNAC passes. I have a pin lock active. InTune fails when trying to take me to my company's SSO page inside the app. It comes up for a moment and then says "Missing Certificate". It directs me to grant access to the browser from the app settings but there is no setting to do that. I'm stumped. What am I missing?
 

digger16309

Senior Member
Jul 17, 2014
499
201
OnePlus 5
Google Pixel 6 Pro
I upgraded to A13 on my Pixel 5. Restored apps (TEAMS and InTune) crashed and wouldn't work with old data. I have Zygisk enabled, forced deny list through Shamiko, everything checked in InTune and TEAMS, Magisk 25.2 hidden, USNF 2.3.1-mod loaded, YASNAC passes. I have a pin lock active. InTune fails when trying to take me to my company's SSO page inside the app. It comes up for a moment and then says "Missing Certificate". It directs me to grant access to the browser from the app settings but there is no setting to do that. I'm stumped. What am I missing?
Sorry to quote myself, but to follow-up...what I was missing was that AdAway was blocking my SSO page from coming up in InTune. When I turned off AdAway, I was no longer blocked.
 

vrtsvas

Senior Member
Jul 22, 2014
64
13
Guys Hello to everyone,

I have rooted my S22 ULTRA SM-908E snapdragon and i face the same problem for
1. Microsoft Teams vs:1416/1.0.0.2022354201
2. Company Portal vs: 5.0.5606.0
3.Samsung Health vs 6.22.2.007

I HAVE FOLLOWED EXACTLY THE FOLLOWING STEPS BELOW HIERARCHICALLY:

1. i have succesfully rooted my s22 ultra and running latest version of Magisk App vs:25.2 (25200(33)
which was installed after having patched the file and then flash everything with ODIN and updated again once i setup the phone from scratch and also updated the Magisk 25.2.(25200)
2. then Hide the magisk app and renamed it to "BB"
3. then enabled Zygisk
4. then enable EnforceDenyList
5. Then rebooted and after reboot i installed the following modules
6. Installed Module MagiskHide Props Config vs:6.1.2-v137 by Didgeridoohan ( this is the latest NOV 9 2021, I CANNOT FIND ANYTHING UPDATED AFTER THAT IN -->https://github.com/Magisk-Modules-Repo/MagiskHidePropsConf/releases?page=1) reboot and then
7. installed Universal SafetyNet Fix v2.2.1 by kdrag0n then reboot
8. Installed Module Zygisk-LSPosed v.1.8.3 (6552) by LSPosed developers, then reboot
9. Then i installed Microsoft Teams vs:1416/1.0.0.2022354201 & Company Portal vs: 5.0.5606.0 & Samsung Health vs 6.22.2.007
9. Then i came to the part its being discussed in this forum to ConfigureDenyList and i have mediculesly checked all the boxes to include all the above apps and guess what they are all FAILING ! LOL

I thought maybe someone has any workaround and if there is anything i can do , cause i cannot use these app which are necessary in my daily to daily activities. Please for your inputs and thoughts

Have a good one

Cheers
 

vrtsvas

Senior Member
Jul 22, 2014
64
13
I didn't see this in your list:

Shamiko hides Zygisk and takes over the deny list.

Also make sure you have a pin or password lock active and no ad blocker running.

Clear data on the apps, reboot and try again.
i have shamiko as well i have tried with both either enforce deny list and shamiko and have cleared the data from the apps and cache and still the same story , nothing bypasses and nothing work, the worst thing of all is that day by day i am discovering that other applications don't wotk like netflix outlook and more, any thoughts ?
 

alberto88a

Senior Member
Mar 5, 2010
729
73
Giarre
I'm still with an older version of Company Portal and a crontab to flash the magisk module to detach it from the PlayStore to avoid the auto-update..

For now it's working, but at one point Teams and Outlook won't work anymore with a not updated MSFT intune...
 

Zranz

Member
Mar 25, 2015
12
6
Is it that the newest versions of company portal detect root even with the above steps? I have tried to connect to the Company Portal with the USNF mod, Shamiko modules, Company Portal in denied list, Magisk hidden... and no success after repeated reboots and cache clears. My bank accounts work, and so does Netflix and paying with Google Wallet. Any new instructions? Anyone experiencing being blocked with the new versions of company portal too?

I tried downloading an old apk from July of Company Portal, but I still did not manage to connect. Can you be more specific @alberto88a how you did install it?
 

Jirachilover

Member
Jan 18, 2021
17
2
Alright.
You need
1) Shamiko mod (remember to disable enforce denylist) - am using 0.5.2
2) magisk - which I personally updated to 25.2
3) Universal Safetynet fix - it needs to be the 2.3.1 which is modded by Displax

Check YASNAC
My YASNAC passes Basic Integrity and CTS profile match and has BASIC evaluation type.
I check the Play Integrity checker. It MEETS_DEVICE_INTEGRITY and MEETS_BASIC_INTEGRITY

In magisk, Company Portal is in the Configure Deny List, Teams and any other microsoft app needs to be fully configured to enable every component (you can expand the menu items by clicking the name of the application).

I am on the latest company portal and teams and stuff and it's working
 

Jirachilover

Member
Jan 18, 2021
17
2
Is it that the newest versions of company portal detect root even with the above steps? I have tried to connect to the Company Portal with the USNF mod, Shamiko modules, Company Portal in denied list, Magisk hidden... and no success after repeated reboots and cache clears. My bank accounts work, and so does Netflix and paying with Google Wallet. Any new instructions? Anyone experiencing being blocked with the new versions of company portal too?

I tried downloading an old apk from July of Company Portal, but I still did not manage to connect. Can you be more specific @alberto88a how you did install it?
make sure the universal safetynet is Displax' 2.3.1 as safetynet is gradually being replaced by play integrity
 

Jirachilover

Member
Jan 18, 2021
17
2
Guys Hello to everyone,

I have rooted my S22 ULTRA SM-908E snapdragon and i face the same problem for
1. Microsoft Teams vs:1416/1.0.0.2022354201
2. Company Portal vs: 5.0.5606.0
3.Samsung Health vs 6.22.2.007

I HAVE FOLLOWED EXACTLY THE FOLLOWING STEPS BELOW HIERARCHICALLY:

1. i have succesfully rooted my s22 ultra and running latest version of Magisk App vs:25.2 (25200(33)
which was installed after having patched the file and then flash everything with ODIN and updated again once i setup the phone from scratch and also updated the Magisk 25.2.(25200)
2. then Hide the magisk app and renamed it to "BB"
3. then enabled Zygisk
4. then enable EnforceDenyList
5. Then rebooted and after reboot i installed the following modules
6. Installed Module MagiskHide Props Config vs:6.1.2-v137 by Didgeridoohan ( this is the latest NOV 9 2021, I CANNOT FIND ANYTHING UPDATED AFTER THAT IN -->https://github.com/Magisk-Modules-Repo/MagiskHidePropsConf/releases?page=1) reboot and then
7. installed Universal SafetyNet Fix v2.2.1 by kdrag0n then reboot
8. Installed Module Zygisk-LSPosed v.1.8.3 (6552) by LSPosed developers, then reboot
9. Then i installed Microsoft Teams vs:1416/1.0.0.2022354201 & Company Portal vs: 5.0.5606.0 & Samsung Health vs 6.22.2.007
9. Then i came to the part its being discussed in this forum to ConfigureDenyList and i have mediculesly checked all the boxes to include all the above apps and guess what they are all FAILING ! LOL

I thought maybe someone has any workaround and if there is anything i can do , cause i cannot use these app which are necessary in my daily to daily activities. Please for your inputs and thoughts

Have a good one

Cheers
you need to disable the MagiskHide props config and install the newest version of USNF https://forum.xda-developers.com/t/...tynet-fix-2-3-1.4217823/page-91#post-87198517
 

deep_raman

Member
Feb 3, 2015
26
4
Gurgaon
Alright.
You need
1) Shamiko mod (remember to disable enforce denylist) - am using 0.5.2
2) magisk - which I personally updated to 25.2
3) Universal Safetynet fix - it needs to be the 2.3.1 which is modded by Displax

Check YASNAC
My YASNAC passes Basic Integrity and CTS profile match and has BASIC evaluation type.
I check the Play Integrity checker. It MEETS_DEVICE_INTEGRITY and MEETS_BASIC_INTEGRITY

In magisk, Company Portal is in the Configure Deny List, Teams and any other microsoft app needs to be fully configured to enable every component (you can expand the menu items by clicking the name of the application).

I am on the latest company portal and teams and stuff and it's working
Thanks dude, this method is working for me as well. Cheers :)
 
  • Like
Reactions: Jirachilover

Zranz

Member
Mar 25, 2015
12
6
It still does not work for me. I am using Displax' 2.3.1 USFN, I also reset and disabled MagiskHide props. I install company portal from play store, add it to deny list, Shamiko 0.5.2 says it's blocking. I then reboot, try to sign in and I am denied entry. I am using a Oneplus 6 on LOS 19.1. I have read in forums that Oneplus devices had issues when logging company portal with Android 12, something related to their firmware. Could it be related?
 

Jirachilover

Member
Jan 18, 2021
17
2
The normal error message you'll receive if you can't get intune and the microsoft apps to play nice with your root is that your device is non compliant/rooted with a popup every time you try and open teams, outlook etc. If you have issues with signing in it might be another problem (did do a search around the oppo thing and saw people have issues but I'm not sure)
 

Top Liked Posts

  • There are no posts matching your filters.
  • 2
    Alright.
    You need
    1) Shamiko mod (remember to disable enforce denylist) - am using 0.5.2
    2) magisk - which I personally updated to 25.2
    3) Universal Safetynet fix - it needs to be the 2.3.1 which is modded by Displax

    Check YASNAC
    My YASNAC passes Basic Integrity and CTS profile match and has BASIC evaluation type.
    I check the Play Integrity checker. It MEETS_DEVICE_INTEGRITY and MEETS_BASIC_INTEGRITY

    In magisk, Company Portal is in the Configure Deny List, Teams and any other microsoft app needs to be fully configured to enable every component (you can expand the menu items by clicking the name of the application).

    I am on the latest company portal and teams and stuff and it's working
    1
    Alright.
    You need
    1) Shamiko mod (remember to disable enforce denylist) - am using 0.5.2
    2) magisk - which I personally updated to 25.2
    3) Universal Safetynet fix - it needs to be the 2.3.1 which is modded by Displax

    Check YASNAC
    My YASNAC passes Basic Integrity and CTS profile match and has BASIC evaluation type.
    I check the Play Integrity checker. It MEETS_DEVICE_INTEGRITY and MEETS_BASIC_INTEGRITY

    In magisk, Company Portal is in the Configure Deny List, Teams and any other microsoft app needs to be fully configured to enable every component (you can expand the menu items by clicking the name of the application).

    I am on the latest company portal and teams and stuff and it's working
    Thanks dude, this method is working for me as well. Cheers :)
    1
    1. Samsung S20U LDU, Android 11
    2. Magisk 24.3
      1. Magisk Modules (latest):
        1. Magiskhide Props Config,
        2. Shamiko,
        3. Universal SafetyNetFix
      2. Zygisk = On,
      3. Enforce DenyList = Off
      4. DenyList ((WITH ALL SUBCOMPONENTS: blue line over app name should be full!) :
        1. Company Portal,
        2. Google Play store,
        3. Google Services Framework (does not have chekmark, because it is known Magisk bug)),
        4. Teams
      5. Magisk itself is renamed: app name changed
    3. App data for Intune and Teams is cleared
    4. YASNAC: BASIC, integrity and CTS passed
    5. Play Integrity checker: MEETS_DEVICE_INTEGRITY, MEETS_BASIC_INTEGRITY passed, MEETS_STRONG_INTEGRITY failed (because its impossible for rooted device)
    6. Intune Company Portal 5.0.5519.0 manually installed from ApkPure
    this helps for me. Teams now work
  • 13
    This question was asked many times and often all the answers did not work:
    How do I get Magisk to work with Microsoft Apps like Microsoft Teams, Microsoft Outlook etc (protected by Microsoft Intune)?

    With Magisk 24.1 it is finally possible to bypass the protection of Microsoft Intune. Here are the instructions on how to proceed. The solution requires root!
    - First of all you need the latest Magisk version (24.1 or higher).
    - After installation select:
    - Settings -> Hide the Magisk app : Select a new name of your choice (I use 'MM' for 'Magisk Manager')
    - After Magisk has been hidden open 'Settings' and enable 'Zygisk (Beta)'
    - Select 'Enfore DenyList'
    - Select 'Configure DenyList'
    - Use the magnifying glass and search for "Microsoft". You will find "Company Portal" (also known as Microsoft Intune). Important: Expand the view by clicking on the entry. You will see something like this:
    before.png

    - Now, with the expaned view, click the entry. It will look like this:
    after.png

    - Repeat these step (first expand, then clicking the button) on each other Microsoft App - e.g. Microsoft Teams, Microsoft Outlook, ...
    Important: If you do not expand the view it will not work!

    Now, to make sure that this solution is really working ....
    - Install YASNAC - Yet Another SafetyNet Attestation Checker from the Google Play Store.
    - Run the SafetyNet Attestation on YASNAC
    When it fails is shows something like this:
    S-XC-3lnvkR7nblwC2dDZh0uv_Lk2AskoGUgmAS7Ccta5Txk5vC6RSkVbQ3zGXKwCpo=s0

    - To fix the Basic integrity you need to install the latest Universal SafetyNet Fix from Github.
    - Download the ZIP and install it as a module in Magisk (24.1 or higher).
    - Reboot again and restart the YASNAC - Yet Another SafetyNet Attestation Checker. It should now pass (at least) the Basic integration.

    Now your Microsoft Apps should work. :cool:

    If this is not the case you might also need to fix your CTS profile match. You can resolve this by doing the following steps:
    - Download and install the latest release of MagiskHide Props Config from Github in Magisk as a Module.
    - Restart your Phone!
    - Launch a Terminal of your choice (e.g. Termux, Android Terminal Emulator, ...).
    - Type 'su' (enter) and agree to the root dialog.
    - Now type 'props' (enter) ...
    ... select '1' for Edit device fingerprints
    ... select 'f' for Pick a certified fingerprint
    ... select a vendor of your phone (e.g. Xiaomi, Poco, Google, Samsung, Oneplus ...)
    ... select your phone (if available) or a phone which is next to your phone with your installed Android version (for example 9,10,11).
    - After selecting the fingerprint for your device, and when the program ends, reboot your device

    After reboot another check of YASNAC - Yet Another SafetyNet Attestation Checker should the look like this:
    ufTYzRDcL2yWF46hikmY4FirIxP4ZsDENWO3Tokb9pEIEDAV7iS4xh6De9wfk4fWzA=w1837-h977-rw


    Important:
    Once YASNAC shows Pass on Basic integrity and CTS profile match you can use any Banking App (e.g. Google Pay, N26, DKB, Sparkasse, Revolut, bunq, <whatever>) by repeating the inital steps for each of these Apps and it should not detect root. You might need to clear the data before the app stops complaining about a rooted device (example Google Pay).

    If you find this tutorial helpful please leave a like for this post - thanks in advance.

    BTW: @skuppej did the same steps in another post before my post with success. You can read it here.
    5
    It seems to be resolved with yesterday's update of Shamiko to 0.5.2
    After yesterday's update the settings are working fine. Will update in case the issue resurface.
    Download from Github: https://github.com/LSPosed/LSPosed.github.io/releases - just in case somebody is searching for it as I did... :cool:
    4
    I have installed Universal SafetyNet Fix MOD by Displax: https://forum.xda-developers.com/t/magisk-module-universal-safetynet-fix-2-3-1.4217823/post-87198517
    Then:
    I have rebooted my phone,
    installed Shamiko module https://github.com/LSPosed/LSPosed.github.io/releases
    Rebooted again

    Outlook seems to work... lets see in couple of days if it would discover my phone is rooted.
    But in Magisk Modules I see:
    View attachment 5671539
    You have to 'disable' the Enforce Denylist slider in Magisk settings so that Zygisk is not applying Denylist, as the Zygisk process can be detected by apps. Shamiko will enforce denylist but also hide the zygisk process. Disabling the switch let's Shamiko do it's magic.
    4
    It seems to be resolved with yesterday's update of Shamiko to 0.5.2
    After yesterday's update the settings are working fine. Will update in case the issue resurface.
    4
    Alright, I'm fairly confident now the problem seems to be the new Play Integrity API from Google, and not some nefarious new root tracking method from MS, which makes a lot more sense.

    More info on PI API here: https://forum.xda-developers.com/t/...tynet-fix-2-3-1.4217823/page-90#post-87188299

    Basically what is happening is that GMS is checking for the highest level of system integrity available on your phone. If your phone fingerprint (model+OS) supports hardware-backed authentication, the check will fail if that isn't returned intact. If your phone only supports software-level integrity checking, that is what gets returned.

    It appears Company Portal is now checking for Play Integrity, and many more root-secure apps, like your banking ones, are sure to follow.

    @Displax published a USNF mod that injects an old Pixel XL fingerprint into GMS using Zygisk which avoids changing global props and causing issues elsewhere: https://forum.xda-developers.com/t/magisk-module-universal-safetynet-fix-2-3-1.4217823/post-87198517.

    Usage:
    1. Delete/disable/reset MagiskHidePropsConfig (if installed).
    2. Just install it over old Universal SafetyNet Fix and reboot device.

    This means PI API will sign off on device integrity at the software level, which you can check using the Play Integrity API Checker from @1nikolas: https://forum.xda-developers.com/t/...cussion-thread.3906703/page-130#post-87182459. A more in-depth version that also checks for hardware-backed authentication should be available in the Play Store soon.

    On *top* of all this, it seems Company Portal was detecting the zygisk process in memory. Shamiko 0.5.2 seems to block this by also hiding the zygisk process. HMA doesn't seem to be necessary so far but I'm monitoring.

    Doing this my phone has been stable on Company Portal 5.0.556.0 for over 24h through reboot and overnight charge.

    It's not clear yet how fragile Displax's USNF mod solution will be, hopefully this issue will be incorporated into future USNF releases. But absolute hardware-backed checks may be only a few years down the line and will likely make hiding root near impossible.

    Hope this helps some others.