LeoJohnson-5897 asked

Conditional Access with Azure AD Registered devices not working

Hi y'all,

Struggling with Conditional Access in combination with Azure AD Registered devices.

I want to allow browser access to Office 365 from Azure AD Registered devices.

But it keeps blocking access to office.com.

We are trying to set up Windows Information Protection without Enrollment; that's the reason our devices will be Azure AD Registered devices.

If I read the documentation correctly, Conditional Access should function with Azure AD Registered devices.

What am I missing?


Tags: azure-ad-conditional-access, mem-intune-conditional-access

MarileeTurscak-MSFT answered

Hello,

Based on your screenshot it looks like the users did not satisfy the Grant Controls.

The grant control can trigger enforcement of one or more controls.

Require multi-factor authentication (Azure AD Multi-Factor Authentication)
Require device to be marked as compliant (Intune)
Require Hybrid Azure AD joined device
Require approved client app
Require app protection policy
Require password change
Require terms of use

Administrators can choose to require one of the previous controls or all selected controls using the following options. The default for multiple controls is to require all.

Require all the selected controls (control and control)
Require one of the selected controls (control or control)


If any of the above are missing and they are required, then the access will be blocked.

I would check your conditional access policy. You can choose to require only one of the selected controls if needed.


AaronOakwell-9153 answered

Hi @LeoJohnson-5897

From the screenshots you've sent, it looks like your conditional access policy requires a compliant device, and thus one enrolled into Intune.

However, as I understand it you are using WIP without enrolment, so you would likely have to remove that requirement from the grant controls section.


Crystal-MSFT answered

@LeoJohnson-5897 From the sign-in log, it shows the "Grant control" is not satisfied. It seems "Require device to be marked as compliant" is configured, but the device is not compliant. Could you check if the Azure AD registered device is enrolled into Intune and if it shows as Compliant?

If this is a non-compliant device in Intune, we can check the device compliance to see which setting is not met and fix it. But if the device is not enrolled into Intune, we can check whether all the devices the user uses are not enrolled into Intune. If so, we can exclude the user from this conditional access policy, or consider enrolling these devices into Intune and making them compliant.

Hope the above information can help.

@LeoJohnson-5897, Hope things are going well. I am writing to see if the issue is resolved. If there's any update, feel free to let us know.


Sorry, I got terribly ill!

The device has the compliance state: N/A.

I'm starting to think it is not possible to pass the compliant requirement with an Azure AD registered device.

The Microsoft documentation is a little bit confusing. Hope you would know the answer.

@LeoJohnson-5897, Thanks for the response. Sorry to hear that. Take care and wish you get better soon.

From your description, I know the compliance state shows N/A. For your question: if the Azure AD registered device is also enrolled into Intune, as far as I know, it can also apply compliance policy. Could you go to Microsoft Endpoint Manager admin center -> Devices -> All devices, find the device, click it and check the Device compliance to see what its state is?

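To make the three answers above concrete, here is an added example that models how the grant decision comes out for the device described in the question. It is not code from the thread, from Microsoft, or from any poster. The policy dicts follow the Microsoft Graph conditionalAccessPolicy shape (grantControls.operator, grantControls.builtInControls); SignInFacts and its field names are this example's own constructed stand-in for what the sign-in log and Intune would show, and the policy display names are made up.

```python
"""
Model how a Conditional Access grant decision comes out for an Azure AD Registered
device. Added example for the thread above; not code from Microsoft or any poster.
Policy dicts follow the Microsoft Graph conditionalAccessPolicy shape
(grantControls.operator, grantControls.builtInControls). SignInFacts is a
constructed, simplified stand-in for what the sign-in log and Intune would show.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class SignInFacts:
    """Constructed facts about one sign-in; the field names are this example's own."""
    mfa_completed: bool            # user completed MFA in this session
    trust_type: str                # as shown in the sign-in log deviceDetail.trustType
    intune_enrolled: bool          # device is enrolled in Intune (MDM)
    is_compliant: Optional[bool]   # Intune verdict; None models the "N/A" state
    client_app_type: str           # "browser" or "mobileAppsAndDesktopClients"
    approved_client_app: bool      # client is a Microsoft approved app (non-browser)
    app_protection_applied: bool   # Intune app protection (MAM) policy applied


def control_satisfied(control: str, f: SignInFacts) -> bool:
    """Decide whether one built-in grant control is met by this sign-in."""
    if control == "mfa":
        return f.mfa_completed
    if control == "compliantDevice":
        # Compliance is an Intune verdict. A device that is not enrolled has no
        # verdict at all (shown as N/A), so it can never meet this control, no
        # matter whether it is Azure AD Registered.
        return f.intune_enrolled and f.is_compliant is True
    if control == "domainJoinedDevice":
        # "Require Hybrid Azure AD joined device": only that trust type counts.
        return f.trust_type == "Hybrid Azure AD joined"
    if control == "approvedApplication":
        # Approved client app / app protection policy cannot be met from a browser.
        return f.client_app_type != "browser" and f.approved_client_app
    if control == "compliantApplication":
        return f.client_app_type != "browser" and f.app_protection_applied
    raise ValueError(f"unsupported grant control in this example: {control}")


def evaluate_grant(policy_doc: Dict, f: SignInFacts) -> Tuple[bool, List[str]]:
    """Return (access granted, built-in controls that were not satisfied)."""
    gc = policy_doc["grantControls"]
    controls = gc["builtInControls"]
    if controls == ["block"]:
        return False, ["block"]
    results = {c: control_satisfied(c, f) for c in controls}
    failed = [c for c, ok in results.items() if not ok]
    if gc["operator"] == "AND":        # "Require all the selected controls"
        granted = not failed
    elif gc["operator"] == "OR":       # "Require one of the selected controls"
        granted = any(results.values())
    else:
        raise ValueError(f"unknown operator {gc['operator']!r}")
    return granted, failed


def policy(name: str, operator: str, controls: List[str]) -> Dict:
    """Build a minimal policy in the Graph shape; conditions mirror the question."""
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": {
            "applications": {"includeApplications": ["Office365"]},
            "clientAppTypes": ["browser"],
            "users": {"includeUsers": ["All"]},
        },
        "grantControls": {"operator": operator, "builtInControls": controls},
    }


# The situation in the question: WIP without enrolment, device registered only.
REGISTERED_NOT_ENROLLED = SignInFacts(
    mfa_completed=True, trust_type="Azure AD registered", intune_enrolled=False,
    is_compliant=None, client_app_type="browser",
    approved_client_app=False, app_protection_applied=False)

# Crystal's alternative: the registered device is also enrolled and compliant.
REGISTERED_AND_COMPLIANT = SignInFacts(
    mfa_completed=True, trust_type="Azure AD registered", intune_enrolled=True,
    is_compliant=True, client_app_type="browser",
    approved_client_app=False, app_protection_applied=False)

AS_CONFIGURED = policy("O365 browser - MFA and compliant", "AND", ["mfa", "compliantDevice"])
ONE_OF_CONTROLS = policy("O365 browser - MFA or compliant", "OR", ["mfa", "compliantDevice"])
COMPLIANCE_REMOVED = policy("O365 browser - MFA only", "AND", ["mfa"])

if __name__ == "__main__":
    for pol in (AS_CONFIGURED, ONE_OF_CONTROLS, COMPLIANCE_REMOVED):
        for facts in (REGISTERED_NOT_ENROLLED, REGISTERED_AND_COMPLIANT):
            granted, failed = evaluate_grant(pol, facts)
            print(f"{pol['displayName']:<34} enrolled={facts.intune_enrolled!s:<5} "
                  f"granted={granted!s:<5} failed={failed}")
```

Running it prints one line per policy and device. The as-configured AND policy fails the registered, unenrolled device on compliantDevice alone, which matches the N/A compliance state reported later in the thread; Marilee's "require one of" change and Aaron's "remove the requirement" change both grant access, and Crystal's route of enrolling the device into Intune satisfies the original policy unchanged. One caveat on the OR form: with mfa and compliantDevice under "Require one of the selected controls", MFA alone is sufficient, so the device requirement no longer adds anything for any user who can complete MFA.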