5,569 questions
Conditional access policies
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 63%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERB%3C/text%3E%3C/svg%3E)
Rob B
6
Reputation points
Hello all,
I've set up a conditional access policy to block access to all cloud apps from unauthorized devices. This is setup for BYOD users. I have an iphone which has o365 basic apps installed word, outlook etc... I'm logging in as a user that's using their own iphone (BYOD) with an AAD account. We are using MAM with an app protection policy. I downloaded company portal and logged in as the user, but i'm getting an error. "You cannot access this right now",
"Your sign-in was successful but does not meet the criteria to access this resource. For example, you might be signing in from a browser, app, or location that is restricted by your admin". Error code: 53003. Below are screen shots of our conditional access policy.
Target resources:
Conditions:
Grant: is set to block.
Any assistance on what i'm doing wrong would greatly, greatly be appreciated. Thank you in advance.
Microsoft Security | Intune | Other
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 35%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZM%3C/text%3E%3C/svg%3E)
ZhoumingDuan-MSFT 17,165 Reputation points Microsoft External Staff2023-12-05T01:29:44.7+00:00 @Rob B,Thanks for posting in Q&A.
From your description, I know that you got some problem with Conditional access policy.
For your issue, according to seeing the information you provided, I found that there are some rule syntax errors in the Exclude filtered devices from policy Under Filter for devices, based on my research, the operating system should be like Windows IOS or Android instead of iPhone, AndroidEnterprise, AndroidForWork.
Here is a link about Supported operators and device properties for filters you can refer.
You can correct the rule syntax and check whether it can work fine.
Please try above information, if there is any update, feel free to let me know.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
-
Rob B 6 Reputation points
2023-12-05T19:48:02.6733333+00:00 Hi ZhoumingDuan,
I've changed the rule syntax, as you suggested but i'm getting the same error: New rule syntax for "filter for devices".
This is the error i'm getting from the iphone. I've also truned off all other conditional access policies
-
ZhoumingDuan-MSFT 17,165 Reputation points Microsoft External Staff
2023-12-06T05:22:15.02+00:00 @Rob B,Thanks for your update.
According to seeing the information you provided, I find that you have wrote ios under Rule syntax, but based on the official document, it should be iOS, it is recommended that the rule syntax be consistent with the official documentation.
Please correct it and check whether the issue can be fixed.
If the issue is still existed, you can refer the link below to check is there are some related errors in sign-in logs.
https://learn.microsoft.com/en-us/entra/identity/conditional-access/troubleshoot-conditional-access
Please try above information, if there is any update, feel free to let me know.
-
ZhoumingDuan-MSFT 17,165 Reputation points Microsoft External Staff
2023-12-08T05:56:52.51+00:00 @Rob B,Hope things going well.
May I know the status from your side? If there is any update, feel free to let me know.
-
ZhoumingDuan-MSFT 17,165 Reputation points Microsoft External Staff
2023-12-27T07:33:47.3266667+00:00 @Rob B,Hope everything is fine.
Please tell me if the issue has been solved successfully. Could you let me know the latest status from your side?
Sign in to comment
Sign in to answer