Entra Hybrid Join Devices failing Report Only CA Policy

Son 60 Reputation points
2024-02-06T14:10:51.9066667+00:00

We are in the testing phase of rolling out Entra Hybrid Join devices so we can require compliant devices in CA policies. I have a few machines hybrid joined now, and disabled the registered entry for the device in Entra after confirming the hybrid joined entry has appeared. I created the Report Only CA policy and targeted the test users. I also added Grant controls that the device must either be Hybrid Joined or Compliant (Require one of the selected controls is enabled). We will use this policy for both Intune managed devices and hybrid devices. However, the test user is failing the CA policy saying the device is not compliant. I checked the sign-in logs and the Join Type (which I assume the CA policy is matching against) is blank. Should this not be showing Hybrid Joined or something similar? The device is hybrid joined successfully, checked dsregcmd /status. Is this a known issue when you select 'Require one of the selected controls is enabled' and use Report Only? Looking to turn this on for test users tomorrow. Thanks!


Accepted answer
  1. Harpreet Singh Matharoo 7,621 Reputation points Microsoft Employee
    2024-02-07T07:28:26.5433333+00:00

    Hello @Son ,

    Thank you for reaching out to the Microsoft QnA platform. Since this is a test environment, I would request you to please take the following into consideration:

    • If you are testing on a HAADJ device using a test user, make sure of the following considerations:
      • If using Edge, it requires your test user to be signed in to the browser to properly pass device identity. Otherwise, it behaves like Chrome without the account's extension. This sign-in might not occur automatically in a hybrid device join scenario.
      • If using Chrome, version 111+ is supported for device-based Conditional Access, but "CloudApAuthEnabled" needs to be enabled.
    • Do not use an InPrivate/Incognito session or disable cookies, as the device check fails if the browser is running in private mode or if cookies are disabled, and the device would be reflected as an unmanaged device in the Microsoft Entra ID sign-in logs.


    If you make sure the above pre-checks are met, your device identity should be passed to Entra ID during authentication and Conditional Access should evaluate the device as HAADJ.

    I hope this answer helps to resolve your issue. Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

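A device-side check for the pre-checks listed in the accepted answer, as an added example that is not part of the thread: it parses the `dsregcmd /status` device state the asker already looked at and reads the Chrome CloudAPAuthEnabled policy. The registry path and the `AzureAdJoined`/`DomainJoined` field names are assumptions of this example.

```powershell
# Added example (not from the original thread). Reproduces the answer's pre-checks on a
# Windows device: a hybrid join needs both AzureAdJoined and DomainJoined to be YES in
# `dsregcmd /status`, and Chrome 111+ only presents the device identity when the
# CloudAPAuthEnabled policy is set. The registry path is the usual Chrome machine-policy
# location and is an assumption here; adjust it if your policies live elsewhere.

function ConvertFrom-DsregStatus {
    # Turns the "Key : Value" lines of dsregcmd /status into a hashtable.
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(\S+)') { $state[$matches[1]] = $matches[2] }
    }
    return $state
}

function Test-HybridJoinPrereqs {
    param(
        [string[]]$DsregLines = (dsregcmd /status),
        [string]$ChromePolicyPath = 'HKLM:\SOFTWARE\Policies\Google\Chrome'  # assumed location
    )
    $state  = ConvertFrom-DsregStatus -Lines $DsregLines
    $issues = @()
    if ($state['AzureAdJoined'] -ne 'YES') { $issues += 'AzureAdJoined is not YES: device is not Entra joined' }
    if ($state['DomainJoined']  -ne 'YES') { $issues += 'DomainJoined is not YES: hybrid join needs both joins' }
    # Chrome passes device identity only with the policy enabled (per the answer above).
    $policy = Get-ItemProperty -Path $ChromePolicyPath -Name 'CloudAPAuthEnabled' -ErrorAction SilentlyContinue
    if (-not $policy -or $policy.CloudAPAuthEnabled -ne 1) {
        $issues += 'Chrome policy CloudAPAuthEnabled is not 1: Chrome will not present the device identity'
    }
    if ($issues.Count -eq 0) { return 'OK: device state is consistent with a hybrid-joined device' }
    return $issues
}

# Constructed sample of the relevant dsregcmd /status lines, so the parser can be tried offline.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
'@ -split "`n"
Test-HybridJoinPrereqs -DsregLines $sample
```

Run `Test-HybridJoinPrereqs` with no arguments on the test machine to evaluate the live `dsregcmd /status` output; the Edge sign-in requirement from the answer cannot be checked this way and still has to be verified in the browser.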
