Microsoft 365 Conditional Access sees Hexnode-managed kiosk tablets as BYOD (Solved)

Participant
Discussion
5 months ago Jan 18, 2026

We have tablets managed in Hexnode kiosk mode with a few allowed apps. We now need to add an app that uses Microsoft 365 / SSO authentication. 

The issue is that our Microsoft Entra Conditional Access policy treats these tablets as personal or BYOD devices and asks for device registration. Since the tablets are already managed by Hexnode, we cannot enroll them into Intune as well. 

Is there a supported way to let these devices access Microsoft 365 apps while keeping Hexnode as the MDM and kiosk manager?

Replies (3)

Hexnode Expert
5 months ago Jan 18, 2026

Hi @noah-blake,

Because a device cannot be managed by two MDM solutions simultaneously, enrolling these tablets into Intune while they remain managed by Hexnode is not the recommended approach.

Instead, you can configure Hexnode as a compliance partner in Microsoft Intune! This allows Hexnode to continue managing the devices while Microsoft Entra ID receives the compliance status it needs for Conditional Access.

Here is the general setup process:

  1. In the Microsoft Intune admin center, go to Tenant administration > Connectors and tokens > Partner compliance management.
  2. Add Hexnode UEM as a compliance partner.
  3. Select the required platform (such as Android or iOS) and assign the relevant user groups.
  4. In Microsoft Entra ID, open the Conditional Access policy used for the Microsoft 365 app.
  5. Under Grant controls, select Require device to be marked as compliant.
  6. In Hexnode UEM, configure the Microsoft Entra ID integration so Hexnode can send the device compliance status to Microsoft.

With this configuration, the device remains exclusively managed by Hexnode, but Entra ID can evaluate it as compliant for M365 access.

Please let me know if you need any help setting up the integration!

Best regards,
Eden Pierce
Hexnode UEM
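
A post-setup check for the steps in the reply above, added here as an example and not part of the original reply or of Hexnode's or Microsoft's own tooling: it takes a Conditional Access policy and device records in the JSON shape Microsoft Graph returns and lists the tablets that the compliant-device grant would still block. The sample policy and devices are constructed, and the evaluation is simplified to the policy state, platform scope and built-in grant controls.

```python
import json

# Constructed sample data, shaped like Microsoft Graph conditionalAccessPolicy
# and device resources. Names and values are made up for illustration.
POLICY = json.loads("""{
  "displayName": "M365 app - require compliant device",
  "state": "enabled",
  "conditions": {"platforms": {"includePlatforms": ["android", "iOS"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}
}""")
DEVICES = json.loads("""[
  {"displayName": "kiosk-01", "operatingSystem": "Android", "isCompliant": true},
  {"displayName": "kiosk-02", "operatingSystem": "Android", "isCompliant": null},
  {"displayName": "kiosk-03", "operatingSystem": "iOS", "isCompliant": false},
  {"displayName": "desk-01", "operatingSystem": "Windows", "isCompliant": false}
]""")

def requires_compliance(policy):
    """True if the policy is enforced and compliance cannot be bypassed by another control."""
    if policy.get("state") != "enabled":      # report-only or disabled: nothing enforced
        return False
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if "compliantDevice" not in controls:
        return False
    # Simplification: only builtInControls are considered. Under OR, any other
    # listed control (e.g. mfa) could satisfy the policy instead of compliance.
    return grant.get("operator") == "AND" or controls == ["compliantDevice"]

def platform_in_scope(policy, os_name):
    """True if the device OS matches the policy's platform condition."""
    platforms = (policy.get("conditions") or {}).get("platforms") or {}
    include = [p.lower() for p in platforms.get("includePlatforms") or []]
    exclude = [p.lower() for p in platforms.get("excludePlatforms") or []]
    if os_name.lower() in exclude:
        return False
    return not include or "all" in include or os_name.lower() in include

def blocked_devices(policy, devices):
    """Names of in-scope devices that are not marked compliant (false or no status yet)."""
    if not requires_compliance(policy):
        return []
    return [d["displayName"] for d in devices
            if platform_in_scope(policy, d.get("operatingSystem", ""))
            and d.get("isCompliant") is not True]

if __name__ == "__main__":
    print(blocked_devices(POLICY, DEVICES))
```

A device whose `isCompliant` is null has not had any compliance status reported for it yet, so it is listed alongside devices explicitly marked non-compliant.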

Participant
5 months ago Jan 19, 2026

Does this require the Microsoft Company Portal app to enroll the device into Intune? That is the part we were trying to avoid because the tablets are locked down in kiosk mode.

Hexnode Expert
5 months ago Jan 19, 2026

Hi @noah-blake,

The Microsoft broker app is still needed for authentication, but it will not take over device management!

For Android devices, you must install the Microsoft Company Portal app. For iOS, you will use Microsoft Authenticator. Because you are using a kiosk setup, you just need to ensure the required Microsoft broker app is added to your kiosk policy as a background app (or allowlisted) so it can function during SSO authentication.

The broker app simply acts as the authentication bridge for Microsoft sign-in. Hexnode remains your sole MDM, and Intune receives the compliance signal via the partner integration rather than through direct device enrollment.

Please let me know if you run into any issues adding the broker app to your kiosk policy!

Best regards,
Eden Pierce
Hexnode UEM
