Hybrid Azure AD joined devices show up as Unknown in Conditional Access

PB_Jberg 31 Reputation points
2023-02-24T20:07:40.9433333+00:00

Hello,

We have an issue where sign-ins from devices that are Hybrid Azure AD joined are being blocked by a Conditional Access policy that we have set up to block access from all devices that are not Azure AD joined or Hybrid Azure AD joined. We have Conditional Access set up as follows:

  • Grant > Block access
  • Condition > Filter for devices > Exclude filtered devices
  1. trustType Equals Azure AD joined
  2. Or trustType Equals Hybrid Azure AD joined

In the sign-in logs for the user I can see the failure due to our Conditional Access policy. The failure comes from the "Not matched" device, which shows up as Unknown.

I see the device in Azure AD as Hybrid Azure AD joined so I am not sure why this is happening. Also, if I run dsregcmd /status, I see that it shows AzureAdJoined : YES.

The strangest part about all of this is that sometimes it works. Sometimes it bypasses Conditional Access successfully and I can see the Device ID in the sign-in log as opposed to it showing up as Unknown.


2 answers

  1. Harpreet Singh Matharoo 8,396 Reputation points Microsoft Employee Moderator
    2023-02-28T05:12:19.6633333+00:00

    Hello @PB_Jberg

    Thank you for reaching out. I observed this can happen if end users use an InPrivate session or use the Google Chrome browser. I would like to share the following best practices.

    • Try to use Edge when using device-based Conditional Access policies, as Microsoft Edge natively supports Azure AD Conditional Access. There's no need for any additional configuration to support this browser. When you're signed into a Microsoft Edge profile with enterprise Azure AD credentials, Microsoft Edge allows seamless access to enterprise cloud resources protected using Conditional Access.
    • Additionally, if you use Edge build version 85+, it requires the user to be signed into the browser profile for the Conditional Access policy to work as expected.


    • InPrivate sessions are not supported in Conditional Access for all browsers, as there's no concept of a signed-in profile in this mode, and hence the browser fails to retrieve the PRT and device claims when performing authentication.


    • When using Chrome, you would need to make sure that you have the Windows Accounts or Office extension installed to avoid getting into a scenario where device claims are not passed and the sign-in gets blocked.


    All of the above screenshots are sourced from the following Microsoft Edge or Azure AD Conditional Access documentation:

    Once these settings or requirements are met on the device, you should not see sign-in failures due to Conditional Access policies if the device is Azure AD joined/Hybrid Azure AD joined.

    I hope this answer helps to resolve your issue.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. Significance20246 0 Reputation points
    2024-01-11T10:05:04.4033333+00:00
