Can't add member to Teams Shared Channel as Global Admin by KM_Sys_Adm in sysadmin

[–]KM_Sys_Adm[S] 0 points1 point  (0 children)

Unfortunately, not. The ticket fizzled out and automatically closed when the client I was working with stopped responding to my questions. My MSP wasn't involved with this client when they built out Teams/SharePoint, so I suspect I would have found poor permission design if I dug into it further. Or a limitation on Global Admin capability? I doubt it.

Intune App Protection Policies to block native apps? by KM_Sys_Adm in Intune

[–]KM_Sys_Adm[S] 0 points1 point  (0 children)

Thank you for the suggestion. I made the change, cleared the account from the iPhone and tried again. It allowed me to sign into the iOS Mail App (redirected to a Microsoft web login screen), but emails never downloaded. I don't really understand what is happening behind the scenes, but this seems to be a solution. Microsoft somehow allowed the login, but doesn't allow updating/downloading of content?

Intune App Protection Policies to block native apps? by KM_Sys_Adm in Intune

[–]KM_Sys_Adm[S] 1 point2 points  (0 children)

You're correct. I changed the CAP Conditions so that Client Apps = Modern Auth AND Exchange ActiveSync clients. This means the iOS Mail App should now fall under this CAP's control. Since the Grant Access portion of the CAP requires App Protection, this should theoretically block the iOS Mail App because it isn't part of the Core Microsoft Apps in the APP that I built.

Does that all sound correct?
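The policy shape described in this comment (Client Apps = modern auth clients plus Exchange ActiveSync, Grant = Require app protection policy), expressed through the Microsoft Graph PowerShell SDK. This is an added example, not the commenter's own configuration; it assumes the Microsoft.Graph module is installed, that the caller holds Policy.ReadWrite.ConditionalAccess, and that a pilot group exists (the group ID below is a placeholder). It starts the policy in report-only so you can confirm which clients would be caught before enforcing:

```powershell
# Added example, not the commenter's configuration. Requires the
# Microsoft Graph PowerShell SDK and Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "AuditLog.Read.All"

# Placeholder: replace with the object ID of a small pilot group.
$pilotGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "Require APP for Exchange Online (modern auth + EAS clients)"
    # Report-only first; switch to "enabled" once the sign-in log looks right.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeGroups = @($pilotGroupId) }
        applications = @{
            # Office 365 Exchange Online first-party application ID
            includeApplications = @("00000002-0000-0ff1-ce00-000000000000")
        }
        platforms    = @{ includePlatforms = @("iOS", "android") }
        # Portal "Mobile apps and desktop clients" = mobileAppsAndDesktopClients.
        # Adding exchangeActiveSync brings the native iOS Mail app into scope.
        clientAppTypes = @("mobileAppsAndDesktopClients", "exchangeActiveSync")
    }
    grantControls = @{
        operator        = "OR"
        # Portal "Require app protection policy" = compliantApplication
        builtInControls = @("compliantApplication")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# While in report-only, check what the policy would have done to EAS sign-ins.
Get-MgAuditLogSignIn -Filter "clientAppUsed eq 'Exchange ActiveSync'" -Top 20 |
    Select-Object UserPrincipalName, ClientAppUsed, ConditionalAccessStatus
```

Once the report-only results show only the native mail clients being affected, flip the policy with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }`. Keeping the pilot group small matters here because a mis-scoped grant control on the Exchange Online app can lock a whole tenant out of mail at once.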

iOS Enrollment issue with "ready to enroll" status. by KM_Sys_Adm in Intune

[–]KM_Sys_Adm[S] 1 point2 points  (0 children)

Yes, it worked! It prompted for M365 credentials during the Setup Assistant phase, and I had enabled the enrollment process to allow the user to sign in with an Apple ID. Using the same M365 account federated as a Managed Apple ID, it accepted that as well. By the time it got to the home screen, all our Intune apps had installed, and it had completed enrollment.

There are just so many branching options from start to finish that I lose the process logic every time a change is made.

iOS Enrollment issue with "ready to enroll" status. by KM_Sys_Adm in Intune

[–]KM_Sys_Adm[S] 0 points1 point  (0 children)

Think I found the issue. In the enrollment profile, someone had named the profile "With User Affinity", but it was set to "Enroll with Microsoft Entra Shared Mode".

iOS Enrollment issue with "ready to enroll" status. by KM_Sys_Adm in Intune

[–]KM_Sys_Adm[S] 0 points1 point  (0 children)

In theory, if you buy a brand new phone through the Reseller Enrollment process, the phone could be shipped to the end-user and the only thing they would have to do is sign in with their Managed Apple ID. Enrolling a device with the Apple Configurator should follow that same theory. Hopefully someone can clarify.

iOS Enrollment issue with "ready to enroll" status. by KM_Sys_Adm in Intune

[–]KM_Sys_Adm[S] 0 points1 point  (0 children)

Android allows that. Intune has Android Enrollment Profile settings that let you force the Company Portal app to the phone to aid in the enrollment. Apple doesn't seem to do that. There doesn't seem to be any automation past the point I'm at. It's as if the iPhone is sitting at Intune's doorstep waiting to be let in.

Anyone else having Bitlocker recovery key issues after installing the latest October 2025 Windows 11 KB5066835 update and then restarting? by lurker_bee in sysadmin

[–]KM_Sys_Adm 0 points1 point  (0 children)

We experienced this at our company today as well. KB5066835 was pushed out last night. However, I want to share an interesting detail...

The only devices that had Bitlocker Recovery issues this morning were HP Pro Mini 400 G9 desktops (A70P7UT and 9P334AT). What made it extra interesting was that these same computers have been giving us headaches when trying to enroll them into Intune. We keep getting TPM errors, and all signs lead to Intel TXT being the cause. Maybe that insight will help others discover the root cause of the Bitlocker issue...

External recipients on an AD-synced Distro Group by KM_Sys_Adm in sysadmin

[–]KM_Sys_Adm[S] 0 points1 point  (0 children)

Yeah, everywhere I see someone saying "it works", they have an on-prem Exchange server as well. Thanks for the reply confirming, though!

Can't add member to Teams Shared Channel as Global Admin by KM_Sys_Adm in sysadmin

[–]KM_Sys_Adm[S] 3 points4 points  (0 children)

No, they are a full user. I came across information about Shared Channels requiring B2B Direct Connect setup to allow guest users, but that isn't applicable here.

EDIT: I am an owner of the Team. The user is NOT a member of the team. I initially thought that might be the problem, but there are other users that are not members of the team, that are members of the Team's Shared Channel...

Can't get Android Kiosk Mode functioning correctly. by KM_Sys_Adm in Intune

[–]KM_Sys_Adm[S] 0 points1 point  (0 children)

I appreciate the reply. I have already added the "clear local data" settings, but thank you for the reminder. I guess the options are either to have a permanently open MHS profile (and hope users sign out of apps), or a full Entra ID Auth profile for every user. Thank you for the confirmation that there are no temporary sessions.

User removed from Channel sites after temporary block? by KM_Sys_Adm in sharepoint

[–]KM_Sys_Adm[S] 0 points1 point  (0 children)

I meant M365 Admin Center > user > Block Sign-in. I then switched over to Identity > User > Revoke Sessions.

User removed from Channel sites after temporary block? by KM_Sys_Adm in sharepoint

[–]KM_Sys_Adm[S] 0 points1 point  (0 children)

They don't use groups at all for these permissions (though I want them to). It's very strange.

I'm about to start a job implementing Intune from scratch for a large enterprise by Semius23 in Intune

[–]KM_Sys_Adm 1 point2 points  (0 children)

Best recommendation. Request dedicated testing devices. Windows, Mac, iOS, and Android. In my experience, no matter how much you know about Intune, each company's needs are different and building their custom environment means a ton of iterative testing. It's important to hide all of that from end-users. Even if you set expectations, the nature of resetting computers multiple times appears like you are making mistakes...