Hi,
This will be a long post, so...
I have a problem with hybrid-joined devices and Conditional Access (set to require a hybrid-joined device). Our users are from time to time unable to use apps because of this.
Infrastructure:
- local Active Directory with a few DCs
- DCs synced to Entra ID (both users and computers)
- Conditional Access policy set to "require hybrid joined devices"
The problem occurs for many users (yes, probably some of them are true positives: they used a private device, but we still get many complaints about it).
What I have discovered so far:
- it can occur in the middle of the day, without any changes (AFAIK) to the object in AD
- users say it occurs when they change their password (don't take it too seriously)
- in fact IT OCCURS because some of the devices are DELETED from the cloud
Example 1:
- PC deleted (question is why?) - look at the date and time
- PC added - in the same cycle?
- When it's added (after a few minutes of pending), the user can sign in...
Example 2:
- PC deleted
- PC added (look at the difference in time)
- PC logs - it was deleted by the SYNC account
And probably the most important thing here:
there was a change in this PC object's "userCertificate" attribute.
There is a rule in Entra ID Connect that states this attribute must NOT BE EMPTY. So it looks like something deleted this attribute and then re-wrote it? The fact is this PC was deleted without any user activity, so it looks like some hidden process, rule or aliens did that.
I've got much more evidence, but it is most likely the same, though not in every case was "userCertificate" re-written.
Look how many devices were deleted. Almost all of them were re-added.
Sometimes there is a change in the "userCertificate" attribute, which is required for the device to be synced.
Might there be a problem with the SCP?
I have been investigating this problem for so long and I am just tired of it...
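Since the post turns on two questions, whether userCertificate is being cleared and re-written on the computer objects, and whether the SCP is correct, here is an added PowerShell diagnostic for the AD side of both. It is my own example and not code from the original post or from Microsoft. It assumes the ActiveDirectory RSAT module, a placeholder computer OU `OU=Workstations,DC=example,DC=local`, and that every DC is queried, because the attribute can differ between DCs until replication converges (Entra Connect reads from one DC, so a DC that is behind can be the one that makes the object fall out of scope). The SCP distinguished name uses the well-known device registration container under the configuration partition.

```powershell
# Added diagnostic example (not from the original post). Assumptions:
# - run on a domain-joined admin host with the ActiveDirectory RSAT module
# - $SearchBase is a placeholder for your real computer OU
Import-Module ActiveDirectory

$SearchBase        = 'OU=Workstations,DC=example,DC=local'            # assumption: your OU
$DomainControllers = (Get-ADDomainController -Filter *).HostName       # query every DC

# 1) Which computers are currently OUT of the Entra Connect "Computer Join" scope
#    on a given DC? The sync rule needs userCertificate to be non-empty; an empty
#    attribute drops the object from scope and the cloud device is deleted on the
#    next sync cycle, then re-created once the device writes its certificate again.
function Get-HybridJoinCertState {
    param([string]$Base, [string]$Server)
    Get-ADComputer -Filter * -SearchBase $Base -Server $Server `
        -Properties userCertificate, whenChanged, PasswordLastSet |
    ForEach-Object {
        # userCertificate is multi-valued; collect each DER blob, skipping nulls
        $certs = New-Object System.Collections.Generic.List[object]
        if ($_.userCertificate -is [byte[]]) { $certs.Add($_.userCertificate) }
        else { foreach ($v in $_.userCertificate) { if ($v -is [byte[]]) { $certs.Add($v) } } }

        $parsed = foreach ($blob in $certs) {
            try {
                $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$blob)
                '{0} (exp {1:yyyy-MM-dd})' -f $c.Subject, $c.NotAfter
            } catch { '<unparseable blob>' }
        }
        [pscustomobject]@{
            Computer        = $_.Name
            DC              = $Server
            CertCount       = $certs.Count
            InSyncScope     = $certs.Count -gt 0
            Certificates    = ($parsed -join '; ')
            PasswordLastSet = $_.PasswordLastSet   # to test the "password change" theory
            WhenChanged     = $_.whenChanged
        }
    }
}

# 2) Which DC originated the last write to userCertificate, and when?
#    Replication metadata keeps this even after the value has been cleared.
function Get-UserCertificateChangeMetadata {
    param([string]$ComputerName, [string]$Server)
    $obj = Get-ADComputer -Identity $ComputerName -Server $Server
    Get-ADReplicationAttributeMetadata -Object $obj.DistinguishedName -Server $Server `
        -Properties userCertificate |
    Select-Object Object, AttributeName, Version,
                  LastOriginatingChangeTime, LastOriginatingChangeDirectoryServerIdentity
}

# 3) Is the device registration SCP present and pointing at the expected tenant?
#    Its keywords attribute carries azureADName:<tenant> and azureADId:<tenant id>.
function Get-DeviceRegistrationScp {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $scpDn = "CN=62a0ff2e-97b9-4ad1-a833-f4f3ef89a2c3,CN=Device Registration Configuration,CN=Services,$configNC"
    try {
        (Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction Stop).keywords
    } catch {
        Write-Warning "SCP not found at $scpDn"
    }
}

# --- run ---
$state = foreach ($dc in $DomainControllers) { Get-HybridJoinCertState -Base $SearchBase -Server $dc }

# computers whose userCertificate is empty on at least one DC
$state | Where-Object { -not $_.InSyncScope } |
    Sort-Object Computer, DC | Format-Table Computer, DC, PasswordLastSet, WhenChanged -AutoSize

# who last wrote the attribute on those computers, and from which DC
$state | Where-Object { -not $_.InSyncScope } | Select-Object -ExpandProperty Computer -Unique |
    ForEach-Object { Get-UserCertificateChangeMetadata -ComputerName $_ -Server $DomainControllers[0] } |
    Format-Table -AutoSize

Get-DeviceRegistrationScp
```

Run it under an account that can read userCertificate and replication metadata. Two things are worth comparing in the output: whether CertCount for the same computer differs between DCs (a replication or lingering-write problem rather than a deliberate clear), and the LastOriginatingChangeDirectoryServerIdentity for the affected objects, which tells you on which DC the clearing write landed; with directory service object change auditing enabled on that DC, Security event ID 5136 around LastOriginatingChangeTime will show the account that performed the write. If the SCP keywords come back empty or name a different tenant than the one Entra Connect syncs to, that is the SCP problem the post asks about.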