
conditional access policy failing on android

Mark Cook 0 Reputation points
2026-02-10T17:18:07.5333333+00:00

I'm having issues with conditional access for android devices

  • Intune reports that the device is compliant
  • Azure also reports that the device is compliant
  • The company portal app on the device reports that it is compliant

But logging in fails. When I look at the sign-in logs it reports that the sign-in failed the conditional access policy because the device is non-compliant.

This same policy works fine on Windows

Any ideas?

Cheers

Mark


2 answers

  1. VEMULA SRISAI 9,345 Reputation points Microsoft External Staff Moderator
    2026-02-10T18:23:54.75+00:00

    Hello Mark Cook,

    This scenario usually happens when the Android device shows as compliant in Intune, but Entra ID evaluates a different or stale device record during Conditional Access.

    A few checks you can perform:

    1. Verify the device registration state in Entra ID: Go to Entra ID → Devices → All devices and check the Android device’s Join Type. It must appear as Registered and associated with the user. If it shows as Unknown or not linked to the user, CA will treat it as non‑compliant even if Intune shows compliance.
    2. Confirm which device object CA evaluated: In Sign‑in logs → Conditional Access → Report-only/Failure → Device info, check the “evaluated device ID”. If this doesn’t match the actual enrolled device, you may have a stale duplicate device.
    3. Ensure the user is signing in with the work‑profile apps: If you’re using Android Enterprise, compliance is applied only to the work profile. Signing in from the personal profile apps (non-briefcase icon) will fail CA evaluation.
    4. Sync the compliance state: Open Company Portal → Settings → Sync to force Intune to push a fresh compliance status to Entra.
    5. Review CA grant controls: Make sure the policy is using “Require device to be marked as compliant” and not Hybrid Azure AD Join, which only applies to Windows.
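    An added example for checks 1 and 2 above (example code, not from the answer or from Microsoft): this Microsoft Graph PowerShell script lists the device ID Conditional Access actually evaluated on the user's failed sign-ins beside the Intune managed-device records and the Entra device objects for the same user, so a stale duplicate or a sign-in that carried no device ID stands out. The UPN is a placeholder and the cmdlets assume the Microsoft Graph PowerShell SDK is installed.

```powershell
# Added example, not from the thread. Compare what CA evaluated against Intune and Entra records.
# Assumes the Microsoft Graph PowerShell SDK; <user@contoso.com> is a placeholder UPN.
$Upn = 'user@contoso.com'   # placeholder: replace with the affected user

Connect-MgGraph -Scopes 'AuditLog.Read.All','Directory.Read.All','DeviceManagementManagedDevices.Read.All'

# 1. Recent sign-ins for the user where Conditional Access returned a failure.
$failed = Get-MgAuditLogSignIn -Top 50 `
    -Filter "userPrincipalName eq '$Upn' and conditionalAccessStatus eq 'failure'"

# DeviceDetail is the device object CA evaluated for that sign-in (check 2 of the answer).
$failed | ForEach-Object {
    $d = $_.DeviceDetail
    [pscustomobject]@{
        Time        = $_.CreatedDateTime
        App         = $_.AppDisplayName
        ErrorCode   = $_.Status.ErrorCode
        Policy      = ($_.AppliedConditionalAccessPolicies | Where-Object Result -eq 'failure').DisplayName -join ';'
        EvalDevice  = $d.DeviceId
        EvalOS      = $d.OperatingSystem
        IsCompliant = $d.IsCompliant
        IsManaged   = $d.IsManaged
        TrustType   = $d.TrustType
    }
} | Format-Table -AutoSize

# 2. Intune's view: managed devices for the user and the Entra device ID each one maps to.
$managed = Get-MgDeviceManagementManagedDevice -Filter "userPrincipalName eq '$Upn'"
$managed | Select-Object DeviceName, OperatingSystem, ComplianceState, AzureAdDeviceId, LastSyncDateTime |
    Format-Table -AutoSize

# 3. Entra's view: every device object registered to the user (check 1; stale duplicates appear here).
$entra = Get-MgUserRegisteredDevice -UserId $Upn -All | ForEach-Object { Get-MgDevice -DeviceId $_.Id }
$entra | Select-Object DisplayName, OperatingSystem, TrustType, IsCompliant, IsManaged, DeviceId,
                       ApproximateLastSignInDateTime | Format-Table -AutoSize

# 4. Classify each evaluated device ID against Intune's records.
$known = @($managed.AzureAdDeviceId)
$failed.DeviceDetail.DeviceId | Sort-Object -Unique | ForEach-Object {
    if ([string]::IsNullOrEmpty($_)) { 'CA saw no device ID: the sign-in came from an unregistered or personal-profile app' }
    elseif ($known -notcontains $_)  { "CA evaluated $_, which has no Intune record: likely a stale duplicate in Entra" }
    else                             { "CA evaluated $_, which Intune tracks: compare its compliance state and last sync above" }
}
```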

  2. Q&A Assist
    2026-02-10T17:18:19.1+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    It sounds like you are experiencing a common issue where the device appears compliant in Intune and Azure, but the sign-in fails due to a conditional access policy indicating non-compliance. Here are some troubleshooting steps you can consider:

    1. Check for Default PIN: Some Android devices may be marked as non-compliant if they are encrypted with a default PIN. Ensure that the user has set a new, non-default PIN.
    2. Quarantine Email: If the device is a non-Knox Android device, ensure that the user clicks the Get Started Now link in the quarantine email they receive, as this is necessary for compliance evaluation.
    3. Company Portal App: Make sure the Company Portal app is up to date. Sometimes, an outdated app can cause compliance reporting issues.
    4. Compliance Check Delay: After enrollment or updates, it may take some time for compliance information to be registered. Allow a few minutes and try logging in again.
    5. Network Issues: Test the device on different networks (Wi-Fi, cellular) to rule out any connectivity issues that might affect compliance checks.
    6. Existing Email Profiles: For iOS/iPadOS devices, an existing email profile can block the deployment of an Intune email profile. Ensure that there are no conflicting email profiles on the device.

    If these steps do not resolve the issue, consider contacting Microsoft Support for further assistance.

