This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(172.8, 84%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EG%3C/text%3E%3C/svg%3E)
Hello,
For mobile devices, our conditional access rule grants access to all apps if MFA and compliant device is satisfied.
Accessing our web app through Edge (on an enrolled and compliant mobile device), grants access
Accessing the same web app through Teams or Sharepoint app on the same device, denies access.
From the sign in log:
"The requested resource can only be accessed using a compliant device. The user is either using device not managed by a Mobile-Device-Management (MDM) agent like Intune, or it's using an application that doesn't support device authentication."
Can someone confirm this is because device authentication is not supported through these apps, only Edge?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 13%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Hi, @GonWild
I'm not quite sure what you want Conditional Access to implement or if you can provide more information, such as the Settings interface, apps you have excluded.
Otherwise, You can try "What if" feature to better understand how policies will affect your users and devices. Please refer to:
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/what-if-tool
If there is anything misunderstanding, feel free to let us know.
Regards,
Jarvis
thanks for your reply, let me try to clarify:
For mobile devices, our conditional access rule grants access to all apps if MFA and compliant device is satisfied.
Accessing our web app through Edge (on an enrolled and compliant mobile device), grants access
Accessing the same web app through Teams or Sharepoint app on the same device, denies access. From the sign in log:
"The requested resource can only be accessed using a compliant device. The user is either using device not managed by a Mobile-Device-Management (MDM) agent like Intune, or it's using an application that doesn't support device authentication."
Hence my question if someone can confirm that the Teams and Sharepoint apps don't support device authentication?
So with this CA rule applied access cant be granted in both scenarios, because only Edge can see that the device is in fact compliant, and Teams and Sharepoint cannot ?
@GonWild Thanks for your update, By research, I find this description maybe can explain:
Users on unmanaged devices will have browser-only access with no ability to download, print, or sync files. They also won't be able to access content through apps, including the Microsoft Office desktop apps
More details please refer to: https://learn.microsoft.com/en-us/sharepoint/control-access-from-unmanaged-devices
Regards,
Jarvis
This is not regarding an unmanaged device. It is intune managed and compliant. I'm trying to understand if the apps mentioned are not supporting the ability to see device compliance, but haven't been able to. So this link doesn't answer my question.