Conditional Access stating a Compliant iOS Device is Not-Compliant and blocking sign-in for iOS LastPass App.

Question

Conditional Access stating a Compliant iOS Device is Not-Compliant and blocking sign-in for iOS LastPass App.

Dalton Reeves 136

Sign-In logs show the user is using a non-compliant device, however the device IS compliant.

Sign-in log is also void of the Device ID in this specific log, so it's as if after signing in to the phone app that is SSO'd the deny message says they must use Edge or Safari, but the users are using Safari when they get the message...

	
The user is using a browser that does not support device identification so the device state is unknown. Access to the resource requires a compliant device. To see a list of browsers that support device identification, see https://docs.microsoft.com/azure/active-directory/conditional-access/technical-reference#supported-browsers

Device ID

Browser

Mobile Safari 16.2

Operating System

iOS 16

Compliant

No

Managed

No

Join Type

User's image

UPDATE: As a work around I've removed the Compliant Device requirement for iOS and it works without issue. My assumption is the iOS app is using an embedded Safari browser that for some reason can't play with Conditional Access, however that is a HUGE issue because out LastPass is federated/SSO. Works fine for BYOD Android I might add IF its through the Work Profile.

Dalton Reeves 136 Reputation points

2023-01-17T19:37:26.5233333+00:00

Also appears that iPad Pros are showing up as MacOS and doesn't work with the iOS excluded from the check...
Hamoon Hanifehpour 0 Reputation points

2023-07-17T10:12:10.8833333+00:00

have the same Problem with different apps on iPhone:

Microsoft Teams.

Microsoft Froms.

Microsoft Outlook

device IS compliant but Conditional access says, not it is not.

User logged in different devices same Problem.

MFA deleted and logged in again. same problem.

open Support ticket on Microsoft, and after 100 Meeting, same Problem.

did someone find a solution?
Dalton Reeves 136 Reputation points

2023-07-17T13:16:49.2766667+00:00

Ive never seen this with Microsoft apps. Is it everyone or just a few random people? Can you share the CA policy and show what part of the CA policy is failing from Sign-Ins?

Ive had new issues pop up due to the "MFA strengths" option. Seems the Passwordless option breaks a lot of app sign-ins. But its the apps that use embedded chrome/safari browsers.
Cloud Admin Hamoon Hanifehpour 0 Reputation points

2023-07-17T13:23:47.4466667+00:00
Cloud Admin Hamoon Hanifehpour 0 Reputation points

2023-07-17T13:25:06.44+00:00

Conditional Access ist for Office Apps but for someone works Teams corecctly but Forms does not or OUtlook does not
Hamoon Hanifehpour 0 Reputation points

2023-07-17T13:26:16.0733333+00:00

sorry its me, just with other Username
Dalton Reeves 136 Reputation points

2023-07-17T13:38:36.7666667+00:00

Interesting, here's my setup. I have Compliant OR Hybrid because we have an AVD infrastructure, so that won't apply to you.

But maybe your conditions are causing it, that's the only difference. Unless your Grant is something besides "Require Device be marked as compliant"
Panther Fan 0 Reputation points

2024-05-17T13:12:35.59+00:00

Did you ever get this resolved, we are seeing the same thing, devices marked as non compliant when trying to sign in via outlook, etc yet the device IS compliant. The grant control just has "require compliant device", nothing special.

Microsoft seems unable to figure this one out :(
O365-ISS-Admin-BTG 6 Reputation points

2024-05-27T12:43:14.1866667+00:00

i don't actually see any answer
O365-ISS-Admin-BTG 6 Reputation points

2024-05-27T12:45:59.3366667+00:00

i don't actually see any answersWe have ipads being shown in logs as MAC OS, which we block with Conditional Access.

Additionally, even though made an exception for compliant devices , the device appears an Unknown

5 answers

Your answer

Dalton Reeves 136 Reputation points

2023-01-17T19:37:26.5233333+00:00

Also appears that iPad Pros are showing up as MacOS and doesn't work with the iOS excluded from the check...
Hamoon Hanifehpour 0 Reputation points

2023-07-17T10:12:10.8833333+00:00

have the same Problem with different apps on iPhone:

Microsoft Teams.

Microsoft Froms.

Microsoft Outlook

device IS compliant but Conditional access says, not it is not.

User logged in different devices same Problem.

MFA deleted and logged in again. same problem.

open Support ticket on Microsoft, and after 100 Meeting, same Problem.

did someone find a solution?
Dalton Reeves 136 Reputation points

2023-07-17T13:16:49.2766667+00:00

Ive never seen this with Microsoft apps. Is it everyone or just a few random people? Can you share the CA policy and show what part of the CA policy is failing from Sign-Ins?

Ive had new issues pop up due to the "MFA strengths" option. Seems the Passwordless option breaks a lot of app sign-ins. But its the apps that use embedded chrome/safari browsers.
Cloud Admin Hamoon Hanifehpour 0 Reputation points

2023-07-17T13:23:47.4466667+00:00
Cloud Admin Hamoon Hanifehpour 0 Reputation points

2023-07-17T13:25:06.44+00:00

Conditional Access ist for Office Apps but for someone works Teams corecctly but Forms does not or OUtlook does not
Hamoon Hanifehpour 0 Reputation points

2023-07-17T13:26:16.0733333+00:00

sorry its me, just with other Username
Dalton Reeves 136 Reputation points

2023-07-17T13:38:36.7666667+00:00

Interesting, here's my setup. I have Compliant OR Hybrid because we have an AVD infrastructure, so that won't apply to you.

But maybe your conditions are causing it, that's the only difference. Unless your Grant is something besides "Require Device be marked as compliant"
Panther Fan 0 Reputation points

2024-05-17T13:12:35.59+00:00

Did you ever get this resolved, we are seeing the same thing, devices marked as non compliant when trying to sign in via outlook, etc yet the device IS compliant. The grant control just has "require compliant device", nothing special.

Microsoft seems unable to figure this one out :(
O365-ISS-Admin-BTG 6 Reputation points

2024-05-27T12:43:14.1866667+00:00

i don't actually see any answer
O365-ISS-Admin-BTG 6 Reputation points

2024-05-27T12:45:59.3366667+00:00

i don't actually see any answersWe have ipads being shown in logs as MAC OS, which we block with Conditional Access.

Additionally, even though made an exception for compliant devices , the device appears an Unknown

Answer 1

Attila Balogh 20

I'm also in a very similar situation. I suspect your assumption here is correct:
"My assumption is the iOS app is using an embedded Safari browser that for some reason can't play with Conditional Access"

I can see the sign request coming form:
Browser: Mobile Safari 16.2

Operating System: iOS 16

however, no Device ID is displayed.

Going deeper into troubleshooting:
User's image

The device is clearly joined and compliant, it was confirmed in Intune and by looking up the device info.

Now I wonder what's stopping Safari to pass the Device ID onto the auth flow?

**For those stumbling upon this discussion:

The issue of the in-app browser (Safari) not communicating Device ID with CA was resolved by deploying the following configuration profile:**
[https://learn.microsoft.com/en-us/mem/intune/configuration/use-enterprise-sso-plug-in-ios-ipados-macos

Enterprise SSO plugin resolved our issue and I successfully authenticated with a compliant iPad based on device ID/compliance.

Crystal-MSFT 53,981 Reputation points Microsoft External Staff

2023-01-26T06:06:25.93+00:00

@Attila Balogh, For your scenario, I suggest open case to troubleshoot on it.
Debaprio 1 Reputation point

2025-01-10T18:39:24.9666667+00:00

@Attila Balogh After getting the SSO plugin deployed in the device management profile, did you have to make any changes on the iOS app code? We are using MSAL already.
AGCP-ITGuy 0 Reputation points

2025-05-12T19:07:14.3366667+00:00
@Attila Balogh Any chance you can provide the exact configuration policy you deployed to resolve this issue? I know this was a while back but ran into this issue and when I apply to Safari, it still doesn't seem to work right.

Answer 2

jdlavallee 11

The problem lies in the fact that many apps, specially on iOS, relies on embeded browser (usually safari) to authenticate users. So if you have App Protection policy with the enforcing conditional access policy (Require Approved Apps and Require App Protection Policy), conditional access will force you to use edge. As soon as you open edge then you fall on a CSRF error because the token cannot be ported to another app.

The bottom line is that App Protection cannot work with Safari and apps that rely on this cannot go through App Protection policy (if enforced). The only way to get this to work is to litteraly exclude users from the conditional access policies that enforces App Protection (and open a big hole in your security posture that can and most likely will, be exploited).

AGCP-ITGuy 0 Reputation points

2025-05-12T19:23:49.3133333+00:00
@jdlavallee You are right and this made me completely have to reengineer my thought process on how to deploy Intune/CA policy for mobile. I had to double back and separate out my corporate devices (enrolled and compliant required), while I have BYOD unmanaged with app protection completely separate so we can allow these corporate managed apps (one with safari problem) to work on corporate owned enrolled phones. At first, I had app protection on everything and quickly realized app protection is really designed to protect Office 365 apps on unmanaged or managed phones, but reduces the scalability of app deployment. I just redid all my CA policies to accommodate the new design just for this one issue! My current design is to block all apps except Office 365 and Intune Enrollment for unmanaged devices (filtering include compliant = false). Then a grant for app protection for O365 apps for unmanaged device. that locks down that environment to at least require app protection. Then a block for all apps except O365, intune enrollment, and my custom apps "salesforce" being the one I have safari issues with currently, with a filter for managed devices only (filtering include compliant = true). THEN I have a grant for compliance required for all apps and exclude Office 365 (which is covered by the app protection requirement). I think this plugs everything with requiring at least app protection for o365 apps and compliance for everything else. If you are BYOD only, I am sorry for making you read all this but thought I would share for anyone else struggling like myself to find this sweet spot (and now a fix for the safari issue as well).
Dalton Reeves 136 Reputation points

2025-05-12T19:33:57.05+00:00

Do either of you utilize Pass-through Auth with AAD? We recently switched over from hash sync and one of the reason was that this sort of thing "shouldn't" happen with pass-through auth, however I haven't readily tried it.
jdlavallee 11 Reputation points

2025-05-13T13:49:42.8533333+00:00

@Dalton Reeves I don't believe Pass-Through Auth has anything to do with App Protection policies here, as it is a matter of approved apps not authentication.

Answer 3

Crystal-MSFT 53,981 Microsoft External Staff

@Dalton Reeves, Thanks for posting in Q&A. From your description, it seems condition access policy block our access.

To troubleshoot the issue, please collect the following information to clarify:

Go to the sign in log and look into the "Conditional Access" tab. find the failed policy and click it to see the detailed failed reason. Please get a screen shot of the conditional access policy details of the failed policy.

User's image

Go to Azure AD to see if the device is also compliant.
Go to the affected device->Device compliance, click each compliance policy and check if there's any error for any compliance settings.

Please check the above information and if there's any update, feel free to let us know.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Dalton Reeves 136 Reputation points

2023-01-17T14:50:16.67+00:00

The device is compliant per Intune, plus we've resync'd it repeatedly over the last couple days.

As a work around I've removed the Compliant Device requirement for iOS and it works without issue. My assumption is the iOS app is using an embedded Safari browser that for some reason can't play with Conditional Access, however that is a HUGE issue because out LastPass is federated/SSO. Works fine for BYOD Android I might add IF its through the Work Profile.
Crystal-MSFT 53,981 Reputation points Microsoft External Staff

2023-01-18T05:37:17.3666667+00:00

@Dalton Reeves, Thanks for the response.

Based as I know, for iOS, Safari is supported for device-based Conditional Access, but it can not satisfy the Require approved client app or Require app protection policy conditions. Here is a link with more details:

https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-conditions#supported-browsers

I notice you have tried to remove the compliant requirement to temporary let it work. If you still have interest to work on the issue, I will still provide suggestion.

As I know the conditional access evaluate the compliance status from AAD, I wonder if there's some issue during the state sync from Intune to AAD. I notice the state under Intune is compliant. I suggest to go to AAD portal to see if the device also shows compliant there.
Anonymous

2023-06-22T05:48:48.16+00:00

im aslo facing same issue can you provide permanent solution for the issue
Anonymous

2023-06-22T05:52:08.8333333+00:00

I am also facing similar issue can you provide suggestion to fix this issue on permanent

Answer 4

Rahul Jindal [MVP] 10,911 MVP

Does the sign-in work with Edge?

Dalton Reeves 136 Reputation points

2023-01-17T14:55:04.3733333+00:00

There's no way to dictate the browser because its an iOS app. So it's defaulting to Safari even if Edge is selected. Ive seen a similar issue on a desktop app using embedded Chrome. What doesn't make sense here is the error states its Safari while the error is saying USE Safari..

The app is LastPass.
Rahul Jindal [MVP] 10,911 Reputation points MVP

2023-01-17T18:18:59.76+00:00

You can try setting Edge as the default browser in settings for testing. Another option is to exclude lastpass from cloud apps in the CA policy.
Dalton Reeves 136 Reputation points

2023-01-17T18:23:42.53+00:00

yeah thats been done as I stated above, unfortunately it has no effect.

Answer 5

Carlos Giraldo 0

This was happening with me, if you take a look a the sign-in logs, some of these third party apps use other internet browsers for device authentication ie Firefox, Chrome, etc, Intune mobile device compliance policies can only authenticate using managed browsers such as Safari and Edge.

Michael Wuerz 0 Reputation points

2025-05-01T15:26:48.55+00:00

Im having the same issue with Safari and the PRT token. This policy works on the other iphones, just not on this iphone 18.

I am stumped. please help

Share via

Conditional Access stating a Compliant iOS Device is Not-Compliant and blocking sign-in for iOS LastPass App.

5 answers

Your answer