2,564 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 76%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPT%3C/text%3E%3C/svg%3E)
Same issue here. Definitely something caused by changes from Microsoft's side. Re-install was the only thing solving it for us.
Conditional Access problem - OneDrive Sync client not passing device ID
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 51%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEC%3C/text%3E%3C/svg%3E)
Emmett Carey
51
Reputation points
I'm having a problem with a computer that is not able to sign into the OneDrive client on a company managed computer. The device is hybrid joined to azure ad, in a compliant state, and there is no problem authenticating to other applications. For some reason, OneDrive is failing to authenticate and when I look at the sign in logs in azure it says "Device is not in required device state: {state}. Conditional Access policy requires a compliant device, and the device is not compliant."
But the device is definitely compliant and other applications are authenticating without a problem. when I looked at the failed login attempt in the sign in logs, there is no device ID.
Microsoft 365 and Office OneDrive For business Windows
{count} votes
-
JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator2023-01-14T00:50:30.4333333+00:00 Thank you for your post!
Error Message: Azure AD Authentication and authorization error codes
AADSTS53000: Device is not in required device state: {state}. Conditional Access policy requires a compliant device, and the device is not compliant. The user must enroll their device with an approved MDM provider like Intune.- From the errors that you're receiving can you share any Correlation IDs and Timestamps that you're seeing, so I can check our logs for any indication as to what is causing this? For more info.
- Within your Sign-in logs, can you open the specific log(s) to see which Conditional Access Policy is causing this failure? For more info - Policy not working as intended.
- Can you also view the Conditional Access Policy details to see if there's additional info to help troubleshoot this issue?
Additional Links:
Common Conditional Access error codesAzure Enterprise Application: Sign-in error code 53000 - Related Issue
Thank you for your time and patience throughout this issue.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 4%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETD%3C/text%3E%3C/svg%3E)
Terry Duckett 0 Reputation points2023-01-16T19:29:36.1533333+00:00 Same issue with my tenant. I've had three users with the issue. I've found that going to onedrive.com and then clicking the "sync" button in the middle ribbon will fix it. At least, so far.
-
Emmett Carey 51 Reputation points
2023-01-17T15:21:49.88+00:00 Here is an example:
Correlation ID: d323651f-4d66-40c7-b570-b840a7cdaa2f
date/time 1/9/2023 5:12 PM
conditional access policy CA03 - All Apps:
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 94%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERE%3C/text%3E%3C/svg%3E)
Ryan Evans 0 Reputation points2023-01-30T09:16:00.4966667+00:00 Any fix for this? I've been it a couple of times last week for users and now my own device is doing the same.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 53%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERS%3C/text%3E%3C/svg%3E)
Riaan Smith 10 Reputation points2023-02-20T14:12:09.7433333+00:00 We have the same issue in various MS applications.
Sometimes OneDrive, sometimes Outlook.During this time, other applications will send the Device ID with the sign-in information. Only a specific application will not. This is very random, and creates a lot of frustration since devices are Azure AD Hybrid joined, and Compliant as per requirements of the CA poly.
Sign in to comment
4 answers
Sort by: Most helpful
-
-
David Broggy 6,291 Reputation points MVP Volunteer Moderator2023-01-12T15:30:05.5833333+00:00 Hi Emmett,
Can you confirm that when you go into [https://endpoint.microsoft.com/ you see that the device is compliant?
Screenshots may help.
-
Emmett Carey 51 Reputation points
2023-01-12T17:47:09.47+00:00 Yes - The device is compliant and other applications are able to authenticate through the same conditional access policy with no problem. There is no issue with device compliance.
-
Emmett Carey 51 Reputation points
2023-01-14T00:39:14.2+00:00 Definitely. The device is compliant and other applications are able to authenticate through the same conditional access policy with no problem. There is no issue with device compliance.
-
Emmett Carey 51 Reputation points
2023-01-17T15:19:06.2266667+00:00 Yes, I did that. The device is definitely compliant.
Sign in to comment -
-
JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator
2023-01-24T22:26:55.8666667+00:00 Thank you for following up on this!
Error Message:
Device is not in required device state: {state}. Conditional Access policy required domain joined device, and the device is not domain joined.From the error message within your screenshot, I was able to find a related issue and it looks like the problem could be related to the Primary Refresh Token (PRT) not being present.
In order to troubleshoot this issue further, I'd recommend working with our support team on this since we'll have to take a closer look at your logs and network traces in order to determine the root cause. For more info - Troubleshoot post-join authentication issues.
Related issue - I'm having a problem with some computers unable to access applications due to the conditional access policy saying the device is not compliant.
Thank you for all of your time and patience throughout this issue!
-
Riaan Smith 10 Reputation points
2023-02-20T14:13:48.45+00:00 We have the same issue in various MS applications.
Sometimes OneDrive, sometimes Outlook.During this time, other applications will send the Device ID with the sign-in information. Only a specific application will not. This is very random, and creates a lot of frustration since devices are Azure AD Hybrid joined, and Compliant as per requirements of the CA poly.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 57.00000000000001%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDH%3C/text%3E%3C/svg%3E)
Daniel Hobbs 0 Reputation points2023-03-20T19:53:22.23+00:00 Was there a solution for this? We are having the same issue, only the OneDrive app reporting not domain joined. All other M365 desktop apps are fine. Reported by about 30 of our users so far. Fix seems to be fully signing out of all office apps and resigning in. But this isn’t manageable for 500 or so users.
-
Emmett Carey 51 Reputation points
2023-03-21T16:25:14.9533333+00:00 I haven't found a solution other than doing what you described, Daniel. When I have seen this issue with OneDrive, the only fix was to unlink the account from OneDrive and then sign back in. No idea what causes the problem to begin with, or how to prevent it from happening in the future.
-
JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator
2023-03-21T23:13:20.0166667+00:00 Thank you for following up on this and thank you everyone for your time and patience throughout this!
Since you haven't found a solution for your issue, can you share your Support Request number so I can take a closer look into your issue? I've added the OneDrive tag and reached out to our Conditional Access Policy team so they can take a closer look into this issue as well.
Thank you for the workaround! I also found an active case where the customer resolved their issue by closing out of the OneDrive sync client and reopening the client which resumes syncing.
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
-
Emmett Carey 51 Reputation points
2023-03-22T14:28:27.7033333+00:00 34570505 is one of a few different cases I have had open. The suggest fix was to just create a brand new active directory user account. That's not a fix.
-
JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator
2023-03-22T15:46:18.9533333+00:00 Thank you for following up on this!
I'll take a look into your issue with our Conditional Access Policy team and update as soon as possible.
-
JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator
2023-03-23T22:30:06.4366667+00:00 Thank you for your time and patience throughout this issue!
After working with our Azure AD MFA team, since this issue seems to be only occurring with OneDrive and you're able to authenticate to other apps through the same CA policy, it's recommended to work with the OneDrive team to resolve this issue.
In order to get a proper root cause, it's also recommended to work with our support team so they can do a deep dive into your logs and see why you're experiencing this authentication issue.
Additional Link:
Thank you again for your time and patience throughout this.
-
Emmett Carey 51 Reputation points
2023-03-24T10:11:11.6033333+00:00 @JamesTran-MSFT except that's not true. OneDrive is not the only application this has happened with. I've seen the same thing happen with at least 3 other applications. When I open support tickets about the same problem signing into an application like Adobe Acrobat, I am told that "since the issue is only happening with Adobe Acrobat, you need to work with Adobe support." I have not yet seen anyone from Microsoft support actually take ownership of the problem and try to resolve it. It's always someone else's problem.
-
JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator
2023-03-24T15:34:33.9033333+00:00 Thank you for following up on this and I apologize for the frustration.
From your issue/error message, in order to pass the device identity and satisfy the device-based CA policy, it's needed for the App (i.e. OneDrive, Adobe, etc.) or Windows OS (TPM) to send the Primary Refresh Token (PRT).
If other applications are able to send the PRT and authenticate through the same CA policy - during the same timeframe your OneDrive is experiencing this issue. This shows that your device is correctly registered, and it might not be a TPM issue - but for some reason the application (i.e. OneDrive), isn't able to send the PRT. Because of this, we'd need to engage the 1st Party Application's team as this issue isn't the CA policy itself but the app.
Without looking into your logs and environment to see why you're experiencing this issue, it's hard to determine the RCA. From my understanding, I would assume since the application wasn't using the PRT - as shown from your error message, your device identity wasn't reflecting the correct device state. However, after you unlinked your account and signed back in, the PRT was refreshed, and you were able to login.
If you'd like our support team to take a closer look into your logs and environment, please let me know and I'd be happy to enable a free technical support request for your subscription, so you can work with our support engineers to get this issue resolved.
I hope this helps!
Thank you again for all of your time and patience throughout this issue.
Additional Link:
Sign in to comment -
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 45%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELM%3C/text%3E%3C/svg%3E)
L M 0 Reputation points2023-05-11T07:17:49.2333333+00:00 Are you using Biometrics / Windows Hello for Business?
We were presented with very similar symptoms as those listed, and signing in with standard credentials instead fixed the issue. So looks to be token related - at least it was in our case.