Azure SSO using SAML with Conditional Access activated

Pedro Lourenco 21 Reputation points
2022-09-19T14:33:21.663+00:00

Hello,

We have an application that delegates authentication to Azure Active Directory through SAML.
The implemented flow is the one described in https://learn.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol.

Recently, one of our customers activated Conditional Access in Azure, and since that change they are not able to sign in to our application.
They are getting the following error: 53003 - Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.

Apparently the problem is that Azure is not getting the device-related information. Device Identifier is "Not available" and Device State is "Unregistered".
My question is... how can I send this kind of information through SAML and in which format?
Could it be sent in the RelayState?
I can't find any example or identical situation reported.
Thanks for the attention!

Pedro Lourenço

Microsoft Entra ID

Accepted answer
Sandeep G-MSFT 19,196 Reputation points Microsoft Employee
2022-09-25T05:29:13.17+00:00

    @Pedro Lourenco

    I was unable to find any logs at backend as the correlation ID that you shared is more than one month old.

    And to answer your question, device information is sent to Azure AD by the client as a header. Azure AD captures the device information, validates whether this device is registered with Azure AD, and also validates whether the device is allowed as per the CA policy configured.

    If device information is not received by Azure AD then while validating CA policies Azure AD will block that device if there are any policies configured based on devices.

    In your scenario, your security system is supposed to send the device information to Azure AD.

    Do let me know if you have any questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


0 additional answers
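The question asks whether device information could travel in the RelayState. The following is an added example (not code from the original post or from Microsoft) that builds the SP-initiated HTTP-Redirect request from the Microsoft SAML protocol document linked above and decodes it again, to show what the two query parameters actually carry: SAMLRequest is the DEFLATE+base64-encoded AuthnRequest, and RelayState is an opaque value of at most 80 bytes (SAML 2.0 Bindings, section 3.1.1) that the IdP echoes back unchanged and never interprets, so it is not a channel for device claims. A second function extracts the Status from a SAML Response so the SP can show the IdP's status message instead of a generic failure. The tenant ID, SP entity ID, ACS URL and the sample failure Response are placeholders constructed for the example.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET  # use defusedxml for untrusted XML in production

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Assumed placeholder values, not taken from the original post.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
SSO_URL = f"https://login.microsoftonline.com/{TENANT_ID}/saml2"
SP_ENTITY_ID = "https://sp.example.com/metadata"
ACS_URL = "https://sp.example.com/acs"

RELAY_STATE_MAX_BYTES = 80  # SAML 2.0 Bindings, 3.1.1


def build_authn_request(request_id=None, issue_instant=None):
    """Minimal SP-initiated AuthnRequest; only protocol fields, no device data."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{ACS_URL}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        f"</samlp:AuthnRequest>"
    )


def redirect_encode(xml_text):
    """Raw DEFLATE (no zlib header) then base64, as the HTTP-Redirect binding requires."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(raw).decode("ascii")


def redirect_decode(saml_request):
    """Inverse of redirect_encode."""
    return zlib.decompress(base64.b64decode(saml_request), -15).decode("utf-8")


def build_redirect_url(relay_state=None, request_id=None, issue_instant=None):
    """Compose the URL the browser is redirected to at the IdP's SAML endpoint."""
    params = {"SAMLRequest": redirect_encode(build_authn_request(request_id, issue_instant))}
    if relay_state is not None:
        # RelayState is opaque to the IdP: it is returned verbatim with the Response
        # and is size-limited, so it cannot carry structured device information.
        if len(relay_state.encode("utf-8")) > RELAY_STATE_MAX_BYTES:
            raise ValueError("RelayState must not exceed 80 bytes")
        params["RelayState"] = relay_state
    return SSO_URL + "?" + urlencode(params)


def decode_redirect_url(url):
    """What an IdP sees: the AuthnRequest XML and the untouched RelayState string."""
    qs = parse_qs(urlparse(url).query)
    xml_text = redirect_decode(qs["SAMLRequest"][0])
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", {"saml": SAML})
    return {
        "authn_request": xml_text,
        "request_id": root.get("ID"),
        "issuer": issuer.text if issuer is not None else None,
        "relay_state": qs.get("RelayState", [None])[0],
    }


def parse_response_status(response_xml):
    """Return (top-level StatusCode value, StatusMessage text or None) from a SAML Response."""
    root = ET.fromstring(response_xml)
    ns = {"samlp": SAMLP}
    code = root.find("samlp:Status/samlp:StatusCode", ns)
    msg = root.find("samlp:Status/samlp:StatusMessage", ns)
    return (
        code.get("Value") if code is not None else None,
        msg.text if msg is not None else None,
    )


# Constructed failure Response for illustration; not a captured Azure AD message.
SAMPLE_FAILURE_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0" '
    f'IssueInstant="2022-09-19T14:33:21Z">'
    f"<samlp:Status>"
    f'<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>'
    f"<samlp:StatusMessage>Access has been blocked by Conditional Access policies.</samlp:StatusMessage>"
    f"</samlp:Status></samlp:Response>"
)

if __name__ == "__main__":
    url = build_redirect_url("/dashboard")
    print(url)
    print(decode_redirect_url(url))
    print(parse_response_status(SAMPLE_FAILURE_RESPONSE))
```

Note that nothing in the AuthnRequest or RelayState describes the browser or device; device registration state is established by the client (browser or OS) in its own exchange with Azure AD, which is why the SP cannot satisfy a device-based Conditional Access policy from the SAML side.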
