Hello @PB_Jberg
Thank you for reaching out. I observed this can happen if end users use an InPrivate session or the Google Chrome browser. I would like to share the following best practices.
- Try to use Edge when using device-based Conditional Access policies, as Microsoft Edge natively supports Azure AD Conditional Access. No additional configuration is needed to support this browser. When you're signed in to a Microsoft Edge profile with enterprise Azure AD credentials, Microsoft Edge allows seamless access to enterprise cloud resources protected by Conditional Access.
- Additionally, if you use Edge build version 85+, it requires the user to be signed in to the browser profile for the Conditional Access policy to work as expected.
- InPrivate sessions are not supported by Conditional Access in any browser, as there is no concept of a signed-in profile in this mode, and hence the browser fails to retrieve the PRT and device claims when performing authentication.
- When using Chrome, you need to make sure that you have the Windows Accounts or Office extension installed, to avoid a scenario where device claims are not passed and the sign-in gets blocked.
All the above screenshots are sourced from the following Microsoft Edge or Azure AD Conditional Access documentation:
Once these settings or requirements are met on the device, you should not see sign-in failures due to Conditional Access policies if the device is Azure AD joined or hybrid Azure AD joined.
I hope this answer helps to resolve your issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
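The answer above lists device-side prerequisites (an Azure AD or hybrid join, a signed-in profile that can obtain a PRT, and the Windows Accounts extension in Chrome). The script below is an added example from the editor, not code from the original answer or from Microsoft. It reads the device registration state with `dsregcmd /status`, which ships with Windows 10/11, and checks whether the Windows Accounts extension is force-installed for Chrome or present in the current user's default Chrome profile. The extension ID used is the published store ID of that extension and should be confirmed against your own tenant guidance; the output labels are the editor's.

```powershell
# Added example (editor's code, not from the original answer): summarise the
# device-side facts that a device-based Conditional Access policy depends on.
# Assumptions: runs in the affected user's own session on the Windows device;
# dsregcmd.exe is present; the Chrome extension ID is the published store ID of
# the Windows Accounts extension (verify it against your tenant's guidance).

function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines grouped under section banners.
    # Banners and separator rows contain no colon, so only key/value lines match.
    $table = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*)$') {
            $table[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $table
}

function Test-ChromeWindowsAccountsExtension {
    param([string]$ExtensionId = 'ppnbnpeolgkicgegkbkbjmhlideopiji')

    # Force-installed by policy? Values under ExtensionInstallForcelist look like
    # "<extension id>;<update url>", so match on the leading ID.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
    $forced = $false
    if (Test-Path $policyKey) {
        $values = (Get-ItemProperty $policyKey).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { [string]$_.Value }
        $forced = [bool]($values | Where-Object { $_ -like "$ExtensionId*" })
    }

    # Installed by the user in the default Chrome profile?
    $profilePath = Join-Path $env:LOCALAPPDATA "Google\Chrome\User Data\Default\Extensions\$ExtensionId"
    $inProfile = Test-Path $profilePath

    return ($forced -or $inProfile)
}

$status = Get-DsregStatus

# Each entry is one prerequisite from the answer; $true means it is satisfied.
$report = [ordered]@{
    'Azure AD joined (AzureAdJoined)'   = $status['AzureAdJoined'] -eq 'YES'
    'Domain joined, i.e. hybrid'        = $status['DomainJoined']  -eq 'YES'
    'PRT present (AzureAdPrt)'          = $status['AzureAdPrt']    -eq 'YES'
    'Chrome: Windows Accounts extension' = Test-ChromeWindowsAccountsExtension
}

foreach ($entry in $report.GetEnumerator()) {
    $state = if ($entry.Value) { 'OK' } else { 'MISSING' }
    '{0,-36} {1}' -f $entry.Key, $state
}

if (-not $report['PRT present (AzureAdPrt)']) {
    Write-Warning 'No PRT in this session: the browser cannot present device claims, so device-based Conditional Access grants will fail until the user signs in to the device again.'
}
```

Run the script in the affected user's own interactive session rather than under a different elevated account, because the PRT belongs to the signed-in user and an InPrivate window or a Chrome profile without the extension will not pick it up regardless of the device state shown here. A device that reports `AzureAdJoined : NO` and `DomainJoined : NO` is not registered at all, which is a different problem from the browser-side ones the answer describes.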