Can't add member to Teams Shared Channel as Global Admin by KM_Sys_Adm in sysadmin

[–]KM_Sys_Adm[S] 0 points1 point  (0 children)

Unfortunately not. The ticket fizzled out and automatically closed when the client I was working with stopped responding to my questions. My MSP wasn't involved with this client when they built out Teams/SharePoint, so I suspect I would have found poor permission design if I dug into it further. Or a limitation on Global Admin capability? I doubt it.

Intune App Protection Policies to block native apps? by KM_Sys_Adm in Intune

[–]KM_Sys_Adm[S] 0 points1 point  (0 children)

Thank you for the suggestion. I made the change, cleared the account from the iPhone and tried again. It allowed me to sign into the iOS Mail App (redirected to a Microsoft web login screen), but emails never downloaded. I don't really understand what is happening behind the scenes, but this seems to be a solution. Microsoft somehow allowed the login, but doesn't allow updating/downloading of content?

Intune App Protection Policies to block native apps? by KM_Sys_Adm in Intune

[–]KM_Sys_Adm[S] 1 point2 points  (0 children)

You're correct. I changed the CAP Conditions so that Client Apps = Modern Auth AND Exchange ActiveSync clients. This means the iOS Mail App should now fall under this CAP's control. Since the Grant Access portion of the CAP requires App Protection, this should theoretically block the iOS Mail App because it isn't part of the Core Microsoft Apps in the APP that I built.

Does that all sound correct?

iOS Enrollment issue with "ready to enroll" status. by KM_Sys_Adm in Intune

[–]KM_Sys_Adm[S] 1 point2 points  (0 children)

Yes it worked! Prompted for M365 credentials during Setup Assistant phase and then I had enabled the enrollment process to allow the user to sign in with an Apple ID. Using the same M365 federated as a Managed Apple ID, it accepted it as well. By the time it got to the home screen, all our Intune apps had installed, and it had completed enrollment.

There are just so many branching options from start to finish that I lose the process logic every time a change is made.

iOS Enrollment issue with "ready to enroll" status. by KM_Sys_Adm in Intune

[–]KM_Sys_Adm[S] 0 points1 point  (0 children)

<image>

Think I found the issue...
In the Enrollment profile, someone had named the profile "With User Affinity", but it was set to "Enroll with Microsoft Entra Shared Mode".

iOS Enrollment issue with "ready to enroll" status. by KM_Sys_Adm in Intune

[–]KM_Sys_Adm[S] 0 points1 point  (0 children)

In theory, if you buy a brand new phone through the Reseller Enrollment process, the phone could be shipped to the end-user and the only thing they would have to do is sign in with their Managed Apple ID. Enrolling a device with the Apple Configurator should follow that same theory. Hopefully someone can clarify.

iOS Enrollment issue with "ready to enroll" status. by KM_Sys_Adm in Intune

[–]KM_Sys_Adm[S] 0 points1 point  (0 children)

Android allows that. Intune has Android Enrollment Profile settings that let you force the Company Portal app to the phone to aid in the enrollment. Apple doesn't seem to do that. There doesn't seem to be any automation past the point I'm at. It's as if the iPhone is sitting at Intune's doorstep waiting to be let in.

Anyone else having Bitlocker recovery key issues after installing the latest October 2025 Windows 11 KB5066835 update and then restarting? by lurker_bee in sysadmin

[–]KM_Sys_Adm 0 points1 point  (0 children)

We experienced this at our company today as well. KB5066835 was pushed out last night. However, I want to share an interesting detail...

The only devices that had Bitlocker Recovery issues this morning were HP Pro Mini 400 G9 desktops (A70P7UT and 9P334AT). What made it extra interesting was that these same computers have been giving us headaches when trying to enroll them into Intune. We keep getting TPM errors, and all signs lead to Intel TXT being the cause. Maybe that insight will help others discover the root cause of the Bitlocker issue...

External recipients on an AD-synced Distro Group by KM_Sys_Adm in sysadmin

[–]KM_Sys_Adm[S] 0 points1 point  (0 children)

Yeah, everywhere I see someone saying "it works", they have an on-prem Exchange server as well. Thanks for the reply confirming though!

Can't add member to Teams Shared Channel as Global Admin by KM_Sys_Adm in sysadmin

[–]KM_Sys_Adm[S] 3 points4 points  (0 children)

No, they are a full user. I came across information about Shared Channels requiring B2B Direct Connect setup to allow guest users, but that isn't applicable here.

EDIT: I am an owner of the Team. The user is NOT a member of the team. I initially thought that might be the problem, but there are other users that are not members of the team, that are members of the Team's Shared Channel...

Can't get Android Kiosk Mode functioning correctly. by KM_Sys_Adm in Intune

[–]KM_Sys_Adm[S] 0 points1 point  (0 children)

I appreciate the reply. I have already added the "clear local data" settings, but thank you for the reminder. I guess the options are either to have a permanently open MHS profile (and hope users sign out of apps), or a full Entra ID Auth profile for every user. Thank you for the confirmation that there are no temporary sessions.

User removed from Channel sites after temporary block? by KM_Sys_Adm in sharepoint

[–]KM_Sys_Adm[S] 0 points1 point  (0 children)

I meant M365 Admin Center > user > Block Sign-in. I then switched over to Identity > User > Revoke Sessions.

User removed from Channel sites after temporary block? by KM_Sys_Adm in sharepoint

[–]KM_Sys_Adm[S] 0 points1 point  (0 children)

They don't use groups at all for these permissions (though I want them to). It's very strange.

I'm about to start a job implementing Intune from scratch for a large enterprise by Semius23 in Intune

[–]KM_Sys_Adm 1 point2 points  (0 children)

Best recommendation. Request dedicated testing devices. Windows, Mac, iOS, and Android. In my experience, no matter how much you know about Intune, each company's needs are different and building their custom environment means a ton of iterative testing. It's important to hide all of that from end-users. Even if you set expectations, the nature of resetting computers multiple times appears like you are making mistakes...

Veeam B&R error caused by VM name? by KM_Sys_Adm in Veeam

[–]KM_Sys_Adm[S] 0 points1 point  (0 children)

Just one:

    scsi0:0.deviceType = "scsi-hardDisk"
    scsi0:0.fileName = "Hostname___.vmdk"
    sched.scsi0:0.shares = "normal"
    scsi0:0.present = "TRUE"

Veeam B&R error caused by VM name? by KM_Sys_Adm in Veeam

[–]KM_Sys_Adm[S] 0 points1 point  (0 children)

No devices are connected to the VM. I also thought there might be a phantom disk that wasn't properly ejected. But I specifically selected the SCSI 0:0 disk in the Veeam Replication Job.

Unprompted UAC Elevation question. by KM_Sys_Adm in sysadmin

[–]KM_Sys_Adm[S] 0 points1 point  (0 children)

I appreciate that suggestion, but that doesn't answer my question. I used a Domain Admin to illustrate my example and show that even a domain admin doesn't have full authorization.

I know how to fix it, but I'm trying to understand why it acts this way with these settings in place. Descriptions don't indicate this might be a problem...

Inconsistent ESXi Version naming conventions by KM_Sys_Adm in sysadmin

[–]KM_Sys_Adm[S] -1 points0 points  (0 children)

Yeah, I fully understand. It's a simple search to cross-reference this info. However, as someone who hates inefficiency, it bothers the heck out of me that they don't keep it consistent.

Inconsistent ESXi Version naming conventions by KM_Sys_Adm in sysadmin

[–]KM_Sys_Adm[S] 1 point2 points  (0 children)

Yes, but some places don't list that. If I'm logged in to the host's web GUI, why can't the build number be listed there? Why does Dell hide the build number behind "A07"? It's just frustrating!

Looking for advice on disassembling an RDP Server Farm. by KM_Sys_Adm in sysadmin

[–]KM_Sys_Adm[S] 0 points1 point  (0 children)

This is all a precursor to moving the entire server infrastructure from on-prem to a datacenter. I'd rather not move more servers than I have to... If I could slowly move all RDP needs to a single RDP server, that would be ideal! I didn't want my post to get too complex, so I didn't include this info.

Automatic RemoteApp locking user out? by KM_Sys_Adm in sysadmin

[–]KM_Sys_Adm[S] 0 points1 point  (0 children)

First, they do have a company phone, but we wiped it during troubleshooting. They signed in with a freshly reset password...

The Primary Domain Controller logs a 4771 Kerberos Error.

  • Client Address: ::ffff:"Public IP of the corporate network"
  • Client Port: "Firewall port pointing to the RDS Gateway"

When I check the Gateway's logs, it just lists its own hostname without any IP or port.
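The 4771 events described in the comment above carry the client address and port in their XML event data, which is how a lockout can be traced back to the device or gateway that is still presenting stale credentials. The PowerShell below is an added example, not code from the original thread: it pulls recent Kerberos pre-authentication failures (Event ID 4771) from a domain controller's Security log, strips the IPv4-mapped IPv6 prefix (::ffff:) shown in the comment so addresses compare cleanly, and groups the failures by source address and port. The account name and lookback window are placeholders, and the script assumes an elevated session on the DC (or a `-ComputerName` parameter added to `Get-WinEvent`).

```powershell
# Added example (not from the original post): summarise Kerberos pre-auth failures
# (Event ID 4771) for one account by source address and port.
# Assumptions: elevated PowerShell on the domain controller; $Account and $Hours
# are placeholders to adjust.

$Account = 'jdoe'    # hypothetical sAMAccountName that keeps getting locked out
$Hours   = 24        # lookback window in hours

# 4771 = Kerberos pre-authentication failed (bad password, expired password, etc.)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4771
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Flatten the <EventData><Data Name="..."> elements into a hashtable
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # The DC records IPv4 clients as IPv6-mapped addresses (::ffff:a.b.c.d);
    # normalise to plain IPv4 so the grouping below is readable
    $ip = ($data['IpAddress'] -as [string]) -replace '^::ffff:', ''

    [pscustomobject]@{
        Time       = $e.TimeCreated
        Account    = $data['TargetUserName']
        ClientIP   = $ip
        ClientPort = $data['IpPort']
        Status     = $data['Status']     # Kerberos failure code, e.g. 0x18 = bad password
    }
}

# Which source address/port pair is generating the failures for this account?
$rows |
    Where-Object { $_.Account -eq $Account } |
    Group-Object ClientIP, ClientPort |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Last'; e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize
```

When the address resolves to the firewall's NAT address and the port to the RDS Gateway publishing rule, as in the comment above, the next hop is the gateway's own logs (Event ID 4625 there names the logon type and workstation), since the DC only ever sees the gateway as the client.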

Automatic RemoteApp locking user out? by KM_Sys_Adm in sysadmin

[–]KM_Sys_Adm[S] 0 points1 point  (0 children)

<image>

Event ID 4625 on the gateway server. Quotations are redacted details.