I'm having a problem with some computers unable to access applications due to the conditional access policy saying the device is not compliant.

Question

I'm having a problem with some computers unable to access applications due to the conditional access policy saying the device is not compliant.

Emmett Carey 51

This happens to different users on different applications, but it always seems to be an error in the sign in log stating that the device is not compliant, when the device is definitely compliant. One of the errors says: "Device is not in required device state: {state}. Conditional Access policy requires a compliant device, and the device is not compliant. The user must enroll their device with an approved MDM provider like Intune." The device is definitely compliant. I can access other applications with no issues. I only seems to fail on certain applications, and after a reboot it starts to work again. The next day we go through the same issue. The sign in logs always state the device is not compliant, the compliance has never changed.

Dillon Silzer 57,826 Reputation points Volunteer Moderator

2023-01-12T04:38:59.6033333+00:00

Is this happening on all devices?
JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator

2023-01-14T00:50:35.4466667+00:00
@Emmett Carey

Thank you for your post!

Error Message: Azure AD Authentication and authorization error codes

AADSTS53000: Device is not in required device state: {state}. Conditional Access policy requires a compliant device, and the device is not compliant. The user must enroll their device with an approved MDM provider like Intune.

From the errors that you're receiving can you share any Correlation IDs and Timestamps that you're seeing, so I can check our logs for any indication as to what is causing this? For more info.

Within your Sign-in logs, can you open the specific log(s) to see which Conditional Access Policy is causing this failure? For more info - Policy not working as intended.

Can you also view the Conditional Access Policy details to see if there's additional info to help troubleshoot this issue?

Additional Links:
Common Conditional Access error codes

Azure Enterprise Application: Sign-in error code 53000 - Related Issue

Thank you for your time and patience throughout this issue.
Emmett Carey 51 Reputation points

2023-01-17T15:16:43.0433333+00:00

@JamesTran-MSFT

There are many examples, but here is one:

date/time: 1/10/2023, 6:50 AM

correlation ID: 5284f9cb-c22a-4dd7-b3de-52e323afa0b8

Conditional Access Policy: CA04 - All Apps: Personal
Emmett Carey 51 Reputation points

2023-01-17T15:17:54.8766667+00:00

Dillon S-

No, not all devices. Right now, just this one. But I have seen similar issues with other devices.
JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator

2023-01-17T23:41:55.0933333+00:00

@Emmett Carey
Thank you for following up on this!

I wasn't able to find anything using the timestamp that you sent. Would you be able to send a screenshot (keep in mind PII) of your error details, similar to the below? For more info - Troubleshooting sign-in problems with Conditional Access.

Azure AD sign-in events:

If you have an active Azure subscription and would like to work with our support team on this through a one-time free technical support request, please let me know.

Thank you for your time and patience throughout this issue!
Emmett Carey 51 Reputation points

2023-01-18T19:36:29.8166667+00:00

@JamesTran-MSFT here is a screenshot from the sign in logs:

2 answers

Your answer

Dillon Silzer 57,826 Reputation points Volunteer Moderator

2023-01-12T04:38:59.6033333+00:00

Is this happening on all devices?
JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator

2023-01-14T00:50:35.4466667+00:00

@Emmett Carey

Thank you for your post!

Error Message: Azure AD Authentication and authorization error codes

AADSTS53000: Device is not in required device state: {state}. Conditional Access policy requires a compliant device, and the device is not compliant. The user must enroll their device with an approved MDM provider like Intune.

From the errors that you're receiving can you share any Correlation IDs and Timestamps that you're seeing, so I can check our logs for any indication as to what is causing this? For more info.

Within your Sign-in logs, can you open the specific log(s) to see which Conditional Access Policy is causing this failure? For more info - Policy not working as intended.

Can you also view the Conditional Access Policy details to see if there's additional info to help troubleshoot this issue?

Additional Links:
Common Conditional Access error codes

Azure Enterprise Application: Sign-in error code 53000 - Related Issue

Thank you for your time and patience throughout this issue.
Emmett Carey 51 Reputation points

2023-01-17T15:16:43.0433333+00:00

@JamesTran-MSFT

There are many examples, but here is one:

date/time: 1/10/2023, 6:50 AM

correlation ID: 5284f9cb-c22a-4dd7-b3de-52e323afa0b8

Conditional Access Policy: CA04 - All Apps: Personal
Emmett Carey 51 Reputation points

2023-01-17T15:17:54.8766667+00:00

Dillon S-

No, not all devices. Right now, just this one. But I have seen similar issues with other devices.
JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator

2023-01-17T23:41:55.0933333+00:00

@Emmett Carey
Thank you for following up on this!

I wasn't able to find anything using the timestamp that you sent. Would you be able to send a screenshot (keep in mind PII) of your error details, similar to the below? For more info - Troubleshooting sign-in problems with Conditional Access.

Azure AD sign-in events:

If you have an active Azure subscription and would like to work with our support team on this through a one-time free technical support request, please let me know.

Thank you for your time and patience throughout this issue!
Emmett Carey 51 Reputation points

2023-01-18T19:36:29.8166667+00:00

@JamesTran-MSFT here is a screenshot from the sign in logs:

Answer 1

@Emmett Carey

Thank you for following up on this!

Error Message:

Device is not in required device state: {state}. Conditional Access policy required domain joined device, and the device is not domain joined.

From the error message within your screenshot, I was able to find a related issue and it looks like the problem could be related to the Primary Refresh Token (PRT) not being present.

In order to troubleshoot this issue further, I'd recommend working with our support team on this since we'll have to take a closer look at your logs and network traces in order to determine the root cause. For more info - Troubleshoot post-join authentication issues.

Can you please email me with the info below, I'll go ahead and enable a one-time free technical support request for your subscription so you can work with our support engineers to get this issue resolved.

Thank you for all of your time and patience throughout this issue!

Sneha Goswami 0 Reputation points

2023-03-16T20:54:02.0466667+00:00

Hello James,

I have a similar problem. Can you please share the solution for this ?

I have multiple tickets with Microsoft for the same but no luck, the ticket is being passed between Azure AD and Intune Teams :(

Thanks

Sneha

Answer 2

Kearney Mol 0

Having the same thing with one of my users, Outlook and Teams works but OneDrive does not return device ID and thus is blocked. Works in browser, just not the desktop sync client.

Share via

I'm having a problem with some computers unable to access applications due to the conditional access policy saying the device is not compliant.

2 answers

Your answer