UDM: Conditional Access – Saving of Access Rules to Exchange has failed (error: A2CE0100)
A few days ago we were working on extending our hybrid demo environment. We made some changes required to demonstrate conditional access with Exchange Online. Details on how we set things up will follow shortly in another post.
Once the basics were in place, we implemented a policy that would block a user from accessing their mailbox when using an unmanaged device.
The policy was properly deployed to a collection which included my demo user; however, I noticed my demo user could still sync his mail on an iPhone 5 which was not enrolled. Even after an hour or two this condition remained unchanged, so something was wrong.
Initial investigation did not show anything out of the ordinary in the Configuration Manager console. However, in the Intune console I noticed an entry in the Alerts node:
Saving of Access Rules to Exchange has failed
Microsoft Intune was unable to set the requested mobile device access rules or related settings in Exchange due to the following error: A2CE0100
Unfortunately the “View Troubleshooting Information” link is broken. So is the one on the top right in the console and the right-click one. As such it was hard to find any further details on this specific error.
I made a few attempts to get things working, including the following:
– Modifying the compliance policy (increasing the revision number)
– Removing and adding the user from and to the target collection
– Removing and recreating the deployment of the compliance policy
I can confirm none of the above resolved the issue. The policy still did not get applied.
In the end, to get things working again, what I had to do was delete the compliance policy, recreate it from scratch, and deploy it again.
When syncing mail on the iPhone 5 a few minutes later, the policy kicked in.
Although the problem was solved and we now have a working demo scenario, in the end I have no idea what went wrong initially or how I could have troubleshot this in a more optimized way. Whatever it was, it does not seem to resolve itself. Also, the repeat count of the alert not increasing indicates the system itself does not do any retries.
I definitely see a few areas for improvement here:
- Fixing the link to the troubleshooting information so the admin can troubleshoot properly and in the most optimized way.
- Exposing Intune alerts to the Configuration Manager console so the admin does not have to look in multiple locations.
- Having the system retry the action “Saving of Access Rules” at least a few times. If the alert repeat counter increases, the admin can look further into a blocking issue. Otherwise there may have just been a glitch and the issue would have resolved itself.
If you are ever facing the same issue, I hope this article will save you some troubleshooting time!