Conditional access does not work if I specify Filter for devices

Mountain Pond 1,596 Reputation points
2023-02-19T23:06:12.7166667+00:00

Hi, Community. I have a problem with Conditional Access.

The organization has devices that are Azure AD joined and compliant. However, users do not use an Azure AD account to sign in to the system, but local accounts. There are also terminal servers that are hybrid joined to Azure AD. Users use domain accounts for logon.

The problem is that I need to create a Compliance Policy which does not require a second factor for such devices (AD joined and hybrid), but requires a second factor or even blocks access from devices that are not compliant or not Azure AD joined.

But it seems that the device will not be recognized as compliant or Azure AD joined if the user logs on with a local account and opens OneDrive or SharePoint using an Azure account, because in this case the second factor is required. But as soon as I sign in to the system using an Azure AD account, the second factor is not required and I can open the application without a password and 2FA (only during logon does it ask to set up a PIN and require 2FA, but that can be skipped).


I tried to create a block policy in order to understand how the policy recognizes the type of device. This policy is triggered for all devices if I use a local account and open office.com using an Azure account.

Access to applications is rejected. But if I sign in to the device with an Azure AD account, I can open the applications.

1. The rule explicitly blocks access for the user, from any location and from any device. It works.

2. In this rule, I add an exception location, namely the IP address of the machine from which I open office.com. It works.

3. In this rule, I remove the location condition and exclude AD-joined devices from the rule. This does not work, even though the device is AD joined.

4. I log on to this device with the Azure account (for which the rule applies) and can open office.com. It works only if I log on using the AD account.

In general, is the problem that the user must be signed in to the system with the Azure AD account so that the rule works?

Thank you.

Microsoft Security | Intune | Other
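The policy described in the question (MFA required unless the device is compliant, Azure AD joined or hybrid joined, expressed as a device filter), written out as an added example with the Microsoft Graph PowerShell SDK; this is not the poster's configuration, and it assumes the Microsoft.Graph module is installed, the connecting account holds the Policy.ReadWrite.ConditionalAccess scope, and the break-glass object ID is a placeholder.

```powershell
# Added example (not the poster's own configuration). Assumes the Microsoft.Graph
# PowerShell SDK and an admin with the Policy.ReadWrite.ConditionalAccess scope.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Device filter in Conditional Access rule syntax. trustType values:
# "AzureAD" = Azure AD joined, "ServerAD" = hybrid joined, "Workplace" = registered.
# With mode = "exclude", devices matching this rule are left out of the policy,
# so only non-compliant / non-joined devices (and sessions with no device claim) get MFA.
$deviceFilterRule = 'device.isCompliant -eq True -or device.trustType -eq "AzureAD" -or device.trustType -eq "ServerAD"'

$policy = @{
    displayName = "Require MFA unless device is compliant or joined (EXAMPLE)"
    # Report-only first: sign-in logs show what would be enforced without locking anyone out.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers = @("All")                       # pilot with a group before "All"
            excludeUsers = @("<break-glass-account-object-id>")  # placeholder, keep an emergency account out
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        devices        = @{
            deviceFilter = @{
                mode = "exclude"
                rule = $deviceFilterRule
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

The filter can only exclude a device that presents its identity at sign-in, so a session started with a local Windows account sends no device claim and is still asked for MFA, which matches what the question observes; review the report-only results in the sign-in logs before switching state to "enabled".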

2 answers

  1. Mountain Pond 1,596 Reputation points
    2023-03-02T21:50:28.9233333+00:00

    Everything is fine. Indeed, the user must be logged in, otherwise how can we identify that this is the same user.


  2. Mountain Pond 1,596 Reputation points
    2023-03-02T21:50:55.32+00:00

    Unexpectedly, Teams and OneDrive are working. But if I try to open Office in a browser, I get access denied.


    screen from test PC


    I thought that the problem was with the license or because the device is enrolled on behalf of another account. But I did the same test where I have free Intune licenses and added a new device that was added from the test account.
