Conditional access policy not working even though device is compliant

Question

Conditional access policy not working even though device is compliant

Shelby Simpson 20

Conditional access in not working with a user even though their laptop is compliant in Intune.

Shelby Simpson 20 Reputation points

2024-12-09T21:37:49.09+00:00

Additionally, this has been the case with the same user on a different laptop. Both laptops had the same OS. So, this tells me it has to do with the user themselves. The laptops uses the Company Portal to sync and no issues. Does anybody know why this user is having issues?

3 answers

Your answer

Shelby Simpson 20 Reputation points

2024-12-09T21:37:49.09+00:00

Additionally, this has been the case with the same user on a different laptop. Both laptops had the same OS. So, this tells me it has to do with the user themselves. The laptops uses the Company Portal to sync and no issues. Does anybody know why this user is having issues?

Answer 1

Abiola Akinbade 29,405 Volunteer Moderator

Hello Shelby Simpson,

Thanks for your question

Since the issue follows the user and not the device, it is likely tied to the user’s identity or account configuration

Try to go to entra on the portal and

Go to Protection > Conditional Access > Policies then check heck the Users and groups assignment to ensure the user is included.
Check the device’s compliance status to ensure it reflects correctly.

See: https://learn.microsoft.com/en-us/mem/intune/protect/conditional-access?source=recommendations

You can mark it 'Accept Answer' and 'Upvote' if this helped you

Regards,

Abiola

Shelby Simpson 20 Reputation points

2024-12-13T16:31:47.53+00:00

Thanks, but I have confirmed that the user is on the conditional access policy.

Answer 2

Bandela Siri Chandana 3,055 Microsoft External Staff Moderator

Hi @Shelby Simpson
Thank you for posting your query on Microsoft Q&A.
I understand that Conditional access policy in not working with user even though your laptop is compliant in Intune.

The conditional access policy will only validate the device as Intune if the device ID is successfully sent from the browser to Azure. If the Device ID does not pass through the policy, Azure will be unable to recognize the device state without it. Make sure you're using compatible browsers for device authentication, so the device can be detected and validated against the policy. When using a browser, there are various settings that must be made on the browser in order to transfer the device information. For example, if you are using an Edge browser, the user profile in the browser must be synced and the synced status must be enabled in order to send the device ID.

User's image Please check below screenshot for browser requirement

User's image Follow the document: Conditions in Conditional Access policy - Microsoft Entra ID | Microsoft Learn

If still problem persists. Check whether all the conditions are met in the following document: Troubleshoot Intune Conditional Access - Intune | Microsoft Learn

Hope this helps. Do let us know if you have any further queries.

------------

If this answers your query, do click `Accept Answer` and `Yes`.

Thanks,

B. Siri Chandana.

Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator

2024-12-12T11:58:53.4866667+00:00

Hi @Shelby Simpson
Just checking in to see if above answer was helpful. If you have any further updates on this issue, please feel free to post back.
Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator

2024-12-13T09:42:17.25+00:00

Hi @Shelby Simpson
Just checking in to see if above answer was helpful. If you have any further updates on this issue, please feel free to post back.
Shelby Simpson 20 Reputation points

2024-12-13T16:43:56.9+00:00

The user is using Edge with a synced profile and status is showing as "Sync is on". I don't think it is the browser because if you look in Intune you will see that under Entra registered it says "Unknown". In the image below that is from the Intune device dashboard, you will see the user that I am referring too. The bottom 2 is the user with the issue(old laptop and new) and the top 2 are 2 users with no issues.

When you look at the device in Entra you see this -

The device seems to be registered with Intune and Entra but not associated with the user even though the user is listed as the primary user in Intune. Do you know what might be going on? This user went through the normal onboarding process.
Shelby Simpson 20 Reputation points

2024-12-13T16:55:41.66+00:00

Hello B. Siri Chandana, I checked my profile. I am using a profile in Edge, it is synced and status says "Sync is on". I don't think it is the browser as in Entra it isn't showing an "Owner"(see second image) and then in Intune, while the user is showing as primary user, the device does not show up when you look at that users devices. You must go to "All devices" to find it and it shows that its registration is unknown. See 1st image below. The top 2 are normal users and the bottom two are the user with issues, their old and new laptop -

Here is what we are getting in Entra under this device -

The onboarding process was the same as our other users. Do you know what might be going on here or how to troubleshoot what the issue is here?
Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator

2024-12-16T17:26:47.5066667+00:00

Hi @Shelby Simpson
Verify the registration of the device: Verify that Azure Active Directory (Azure AD) has the device correctly registered. Regarding the device, you indicated that it appears as "unknown" under "All devices," which implies that the device may not have fully registered with Azure AD. To confirm the registration, be sure to:

1.The device's Azure AD Join status.

2.To verify if it corresponds with the user's profile, use the Device ID.

3.Ownership of Devices in Entra : The absence of an owner on the device (you said that the "Owner" is not listed) may be a sign of a synchronization delay or an onboarding process error. When a gadget is correctly registered, it should normally identify the user as the owner.

Check your Intune enrollment status: Examine the Intune Device Enrollment logs and statuses since the device is not visible in the user's devices. In particular, make sure:

If the device has Automatic Enrollment turned on. Azure AD Join should be used to set this up. if, following registration, the device was successfully enrolled in Intune. Intune Sync Status: Occasionally, devices that are registered in Azure AD may not sync with Intune correctly. Make sure the device has been successfully registered and enrolled, and that it appears under All Devices, in order to fix this.

In Intune, ensure that there are no compliance policies that are preventing the device from appearing in the list for the user. This might happen if there are misconfigured policies or if the device fails compliance checks.

Ensure that the device management profile is properly installed on the device. This might be causing issues with Intune not recognizing it properly.

Although you mentioned that the device is synced, sometimes a manual sync is needed to push any changes. You can trigger a manual sync from both Azure AD and Intune and then check again if the device is properly displayed under the user’s profile and Clear Cache in Intune and Azure AD

If none of the above steps resolve the issue, try un-enrolling and re-enrolling the device in Intune and Azure AD. Sometimes this can resolve issues caused by incomplete registration or sync processes.

Hope this helps. Do let us know if you have any further queries.

Thanks,

B. Siri Chandana.
Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator

2024-12-18T13:32:30.88+00:00

Hi @Shelby Simpson
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
Shelby Simpson 20 Reputation points

2024-12-18T15:47:44.33+00:00

I know it isn't enrolled correctly. I just don't know why it is specific to this user. I have compared compliance and configuration policies, and the user has the same ones as the other users and this user does not have any additional policies. I will try re-enroll again.
Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator

2024-12-20T10:51:25.0966667+00:00

Hi @Shelby Simpson
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.

Answer 3

Hi @Shelby Simpson

Recently we have completed same project, and i saw your question. I can help you on this but i need more info.

Can you share me login error. (click on more detail and take complete screenshot). It will tell us if the issue is with browser & Device ID passthrough.
This case is for corporate device ? Have you tried from Corporate and Personal Network. Most Corporates used proxy or CASB solutions which block Device ID. Do you see any change in URL if you visit portal.azure.com in both network.
If it satisfy the condition of device compliant , What are we allowing ? Are you verifying it correctly ?

Regards

Share via

Conditional access policy not working even though device is compliant

3 answers

Your answer