25,080 questions
Enterprise app not passing device ID
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 57.00000000000001%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
Thach
0
Reputation points
Enterprise App not passing Device ID/state
We have a SAML app that called Microsoft Graph, Power BI service resource, etc. Let's call it App A. Everything is working fine, as expected.
But we want to restrict access to Office365 app from non-compliant device. So we created a Conditional access policy to do so. Again, everything is working as expected. Non-compliant devices are blocked, and our company computers still have access to Office365.
However, when using the same compliant device to sign in to App A as mentioned above, and accessing to the feature that called Power BI servicr, we were asked to use compliant device (error code 53000). When checking the sign-in logs for the app A, device ID is blank and Device compliant state N/A. I believe that this is why we are blocked by CAP. The App A did not pass the device id to Azure AD, therefore Azure misunderstand us that we are signing in with unregistered device, hence the block. Tried to add API permission to read device info from Intune in App Registratiom, issues still persists.
Any thoughts to make the device ID and device state to be recognized from the App A sign-in.
P/s: device is marked as compliant in both Intune and Azure portal, so it not device error.
Thank you so much for any helps.
Microsoft Security Microsoft Entra Microsoft Entra ID
Microsoft Security Intune Other
5,569 questions
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2025-01-16T00:59:59.6266667+00:00 @Thach Thanks for posting in our Q&A.
Honestly, I haven't met this issue. With Q&A limitation resource, there is no helpful information I can share with you. Given this situation, it is suggested to open a support request to Entra ID. Here is the support link:
https://learn.microsoft.com/en-us/entra/fundamentals/how-to-get-support
Thanks for your understanding.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
-
Anonymous
2025-01-17T17:07:53.7933333+00:00 Hello @Thach,
I understand that you are encountering an issue where an enterprise SAML application (App A) is not passing device information (such as Device ID and compliance state) during sign-in, resulting in Azure AD's Conditional Access Policy blocking access, even though the device is compliant. Despite having granted the necessary API permissions to read device information from Intune and Azure AD, the device information is not appearing in the sign-in logs, which is causing the access blockage.
To further investigate this issue, could you please provide a screenshot of the sign-in logs showing error code 53000, along with the device details (Device ID, Compliance State)? Additionally, please share the Conditional Access policy settings for App A so that we can analyze and identify any potential issues related to device information blocking access.
Thank you.
-
Anonymous
2025-01-20T11:51:10.22+00:00 Hello @Thach,
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
-
Anonymous
2025-01-20T15:35:45.38+00:00 Hello @Thach,
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.Thanks,
Chaithra
Sign in to comment
Sign in to answer