Guest device showing up as managed, compliant and hybrid joined

Sebastien Ng 0 Reputation points
2023-12-04T05:39:08.7466667+00:00

Hi,

Has anyone seen this behavior before?

I added a guest user from a vendor's company.

The guest user is using a device issued by his company.

I don't have any B2B setup with them, so I don't trust their devices or MFA.

However, from the sign-in logs, the device is showing up as Managed, Compliant and Hybrid joined.

This should not happen as it breaks all my conditional access policies that are excluding managed, or hybrid joined devices. Am I missing something?

1 answer

  1. JamesTran-MSFT 36,531 Reputation points Microsoft Employee
    2023-12-04T20:08:28.55+00:00

    @Sebastien Ng

    Thank you for your post and I apologize for the delayed response!

    I understand that you invited a Guest user from a vendor company to your MS Entra ID tenant, and when the user signs in they're using a device issued by their company. When you mention not having any B2B configured with this vendor tenant, so you don't trust their devices or MFA, I'm assuming you're referring to cross-tenant access settings; if so, the user shouldn't have been able to log in even with their device showing as Hybrid Azure AD joined.

    To hopefully help point you in the right direction, since you haven't configured any B2B settings with the vendor tenant:

    Note: Default settings apply to all external Microsoft Entra tenants not listed on the organizational settings tab. These default settings can be modified but not deleted.


    If your default inbound trust settings were changed to allow these claims, this could be why the vendor was able to log in with their Hybrid Azure AD joined device.

    1. Sign in to the Microsoft Entra admin center using a Global administrator or Security administrator account.
    2. Select External Identities > Cross-tenant access settings.
    3. Under Organizational settings select the link in the Inbound access column.
    4. Select the Trust settings tab.
    5. Select one or more of the following options:
       • Trust multi-factor authentication from Microsoft Entra tenants
       • Trust compliant devices
       • Trust Microsoft Entra hybrid joined devices

    • Trust multi-factor authentication from Microsoft Entra tenants: Select this checkbox to allow your Conditional Access policies to trust MFA claims from external organizations. During authentication, Microsoft Entra ID will check a user's credentials for a claim that the user has completed MFA. If not, an MFA challenge will be initiated in the user's home tenant.
    • Trust compliant devices: Allows your Conditional Access policies to trust compliant device claims from an external organization when their users access your resources.
    • Trust Microsoft Entra hybrid joined devices: Allows your Conditional Access policies to trust Microsoft Entra hybrid joined device claims from an external organization when their users access your resources.

    If your settings are properly configured and you're still having issues, please let me know.

    I hope this helps!

    Thank you for your time and patience throughout this issue.


    If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
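
An added example (not part of the question or the answer above) that shows why an external tenant with no entry under Organizational settings picks up whatever the Default settings tab allows. It works offline on constructed JSON in the shape Microsoft Graph returns for `GET /policies/crossTenantAccessPolicy/default` and `GET /policies/crossTenantAccessPolicy/partners`; it assumes a partner entry whose `inboundTrust` is null inherits the default, and the tenant IDs are made up.

```python
import json

# Graph property name -> label shown on the Trust settings tab in the admin center
TRUST_FLAGS = {
    "isMfaAccepted": "Trust multi-factor authentication from Microsoft Entra tenants",
    "isCompliantDeviceAccepted": "Trust compliant devices",
    "isHybridAzureADJoinedDeviceAccepted": "Trust Microsoft Entra hybrid joined devices",
}

# Constructed sample: default inbound trust with all three checkboxes enabled.
DEFAULT_POLICY = json.loads("""{
  "inboundTrust": {
    "isMfaAccepted": true,
    "isCompliantDeviceAccepted": true,
    "isHybridAzureADJoinedDeviceAccepted": true
  }
}""")

# Constructed sample partner entries. The first explicitly trusts nothing;
# the second has inboundTrust null, which (assumed here) inherits the default.
PARTNER_POLICIES = json.loads("""[
  {"tenantId": "11111111-1111-1111-1111-111111111111",
   "inboundTrust": {"isMfaAccepted": false,
                    "isCompliantDeviceAccepted": false,
                    "isHybridAzureADJoinedDeviceAccepted": false}},
  {"tenantId": "22222222-2222-2222-2222-222222222222", "inboundTrust": null}
]""")


def effective_inbound_trust(tenant_id, default_policy, partner_policies):
    """Return the inboundTrust block that applies to sign-ins from tenant_id.
    A partner-specific inboundTrust wins; a missing partner entry or a null
    inboundTrust falls back to the default (the 'Default settings' tab)."""
    for partner in partner_policies:
        if partner.get("tenantId") == tenant_id and partner.get("inboundTrust"):
            return partner["inboundTrust"]
    return default_policy["inboundTrust"]


def trusted_claims(tenant_id, default_policy, partner_policies):
    """Labels of the external claims your Conditional Access policies would honor."""
    trust = effective_inbound_trust(tenant_id, default_policy, partner_policies)
    return [label for flag, label in TRUST_FLAGS.items() if trust.get(flag)]


if __name__ == "__main__":
    vendor = "33333333-3333-3333-3333-333333333333"  # constructed: no partner entry
    for label in trusted_claims(vendor, DEFAULT_POLICY, PARTNER_POLICIES):
        print(f"Inherited from default settings: {label}")
```

Swap the constructed policies for the real responses from the two Graph endpoints (read access to Policy.Read.All is required) to see what a specific vendor tenant is actually granted.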