Graph API token generation failed. Device is not in required device state: compliant.

Patel, Binod 0 Reputation points
2024-11-24T12:08:16.7166667+00:00
{
    "error": "interaction_required",
    "error_description": "AADSTS53000: Device is not in required device state: compliant. Conditional Access policy requires a compliant device, and the device is not compliant. The user must enroll their device with an approved MDM provider like Intune. Trace ID: cc28e207-debf-4c5e-9331-1031b8e90f00 Correlation ID: 1bfbd87c-3bb5-48a7-8247-f4853c50e7a7 Timestamp: 2024-11-24 11:59:20Z",
    "error_codes": [
        53000
    ],
    "timestamp": "2024-11-24 11:59:20Z",
    "trace_id": "cc28e207-debf-4c5e-9331-1031b8e90f00",
    "correlation_id": "1bfbd87c-3bb5-48a7-8247-f4853c50e7a7",
    "error_uri": "https://login.microsoftonline.com/error?code=53000",
    "suberror": "additional_action",
    "claims": "{\"access_token\":{\"capolids\":{\"essential\":true,\"values\":[\"98e946e5-5755-4bbf-84c6-cb9c62ab2cf0\",\"505991bc-f3e9-4664-9b57-946f78d8eb5b\",\"93f5dc4f-362f-4c0f-b55d-683242b9b251\",\"b020b9e8-2c62-4a78-a663-2c2dcd19b1e4\",\"59d88621-3b48-41e4-bce1-4cafe586dbfb\",\"f39dbe59-08a0-4a80-9a91-d0ba242aa4ba\"]}}}"
}
Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
12,478 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,413 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Shweta Mathur 29,941 Reputation points Microsoft Employee
    2024-11-25T08:47:14.3+00:00

    Hi @Patel, Binod ,

    Thanks for reaching out.

    The error message indicates that a Conditional Access policy in Azure Active Directory (AAD) requires devices accessing a specific resource to be compliant with your organization's Mobile Device Management (MDM) policies (e.g., Microsoft Intune). The device you're using does not meet these requirements, so access is blocked.

    In this scenario you have to enroll your device and check compliance settings or ask the CA admin to relax the policy for you.

    Reference - https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-grant#require-device-to-be-marked-as-compliant

    Thanks,

    Shweta

    Please "Accept the answer" if above answer helped you.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.