The customer was trying to configure the Microsoft Intune endpoint. However, the endpoint failed to log in and connect to the Intune services because of the BLOCK_DISALLOWED_USER error for Microsoft PowerApps Gatelets:
https://app.elastica.net/static/ng/appLogin/index.html#/blocked?code=BLOCK_DISALLOWED_USER&dest_url=https://graph.windows.net/...../&app=Microsoft PowerApps&username=&tenant=Customer's_tenant_ID&agentless=true
Release : 1
In this case, the customer had configured an authentication bypass for the URL graph.windows.net. As a result, the traffic sent to the CASB Gateway was missing the username (note the empty username= parameter in the block URL above).
After removing this URL from the authentication bypass list, the endpoint could log in successfully and connect to the Intune portal.
If you use Proxy Forwarding or Management Center to modify the default WSS forwarding rules, include SSL interception and authentication for any CASB domain of interest.

Specifically, check identity and authentication for WSS:
If your WSS account is provisioned for CloudSOC Gateway (CloudSOC-only mode), then Auth Connector is not required.
WSS does not require users or groups for policies.
The on-premises ProxySG appliance provides the user/group information to CloudSOC.
CloudSOC Gateway uses SpanVA to map users to groups.
Please view the Setting Up Proxy Forwarding tech doc for complete technical requirements.
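
The triage described above can be scripted. The following is an added example, not Broadcom or customer code: it parses a block-page URL of the shape shown in this article, flags an empty username, and lists which authentication-bypass entries cover the destination host. The bypass list format (plain hostnames), the function names, and the sample values are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

def parse_block_url(url):
    """Return the parameters carried in the block page's '#/blocked?...' fragment."""
    fragment = urlsplit(url).fragment            # '/blocked?code=...&username=...'
    _, _, query = fragment.partition("?")
    # keep_blank_values=True: an empty 'username=' is exactly the signal we want
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}

def diagnose(url, auth_bypass_hosts):
    """Flag a BLOCK_DISALLOWED_USER block with no username and name the
    bypass entries (hypothetical list of hostnames) matching the destination."""
    p = parse_block_url(url)
    dest_host = (urlsplit(p.get("dest_url", "")).hostname or "").lower()
    username_missing = p.get("username", "") == ""
    suspect = username_missing and p.get("code") == "BLOCK_DISALLOWED_USER"
    matches = [h for h in auth_bypass_hosts
               if dest_host == h.lower() or dest_host.endswith("." + h.lower())]
    return {
        "code": p.get("code"),
        "app": p.get("app"),
        "dest_host": dest_host,
        "username_missing": username_missing,
        "bypass_entries_to_review": matches if suspect else [],
    }

# Constructed sample input: same shape as the URL in this article, placeholder values.
SAMPLE_BLOCKED = ("https://app.elastica.net/static/ng/appLogin/index.html#/blocked"
                  "?code=BLOCK_DISALLOWED_USER"
                  "&dest_url=https://graph.windows.net/PLACEHOLDER/"
                  "&app=Microsoft PowerApps&username=&tenant=TENANT_ID_PLACEHOLDER"
                  "&agentless=true")
SAMPLE_WITH_USER = SAMPLE_BLOCKED.replace("username=", "username=user@example.com")
SAMPLE_BYPASS_LIST = ["graph.windows.net", "updates.example.com"]  # constructed

if __name__ == "__main__":
    for name, url in (("no username", SAMPLE_BLOCKED), ("with username", SAMPLE_WITH_USER)):
        print(name, diagnose(url, SAMPLE_BYPASS_LIST))
```

An empty username together with a matching bypass entry points at the cause described in this article; a populated username means the block has a different origin and the bypass list is not the place to look.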