This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(172.8, 9%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENA%3C/text%3E%3C/svg%3E)
My organization is doing some pilot testing for Azure CA. It's going great for most policies, but one policy in particular has me confused. Here are the details of the policy:
Policy name: (Test) Require MFA and compliant device for Azure management
State: On
User or workload identities: A group called CAPolicyPilotUsers, of which I am the only member.
Cloud apps or actions: Microsoft Azure Management
Conditions: (none)
Grant controls: Require both MFA and "Require device to be marked as compliant"
Session: (none)
The policy ensures that the pilot group's members are on compliant devices and that they can pass MFA challenges. MFA has been going well. However, the compliant device requirement has shown to be difficult.
!! Important to know going into this troubleshooting. I am testing on two devices. One device is joined to the matching on-prem work domain (I believe a policy auto-enrolls the device into MDM). The other device (the one with the issue) is a home PC that has been registered in MDM (in this case, InTune) via Company Portal. The Company Portal app's setup is complete and the status is healthy.
When signing in on the home PC, the following error message is provided:
This was snipped from Edge. The Windows 10 personal PC is completely up to date. The Edge profile matches the account being used to sign into the Microsoft Company Portal (in-scope for our CA's app target - Azure portal was also tested, and got the same issue).
Error 53000 indicates that the device isn't compliant. I beg to differ! Here's the personal PC, NATHAN-DESKTOP, when inspected in Azure:
Here's the same machine's compliance policy info:
Heck, even Company Portal on that machine shows the device is compliant.
Yet, when running in the Azure troubleshooter, the diagnostic info about the sign-in reports that the access control called "Require device to be marked as complaint" was submitted by the client as "Non-Compliant Non-Managed" which contradicts what I'm seeing when inspecting the device.
So, exactly how "compliant" does my compliant device need to be here? Azure says it's simultaneously compliant and non-compliant, depending where I'm looking.
Thank you in advance for any help or guidance :)
~Nathan
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Is he using Edge every time he attempts the sign-in? There is a known issue with the Chrome browser that can cause this error to occur. If there is no device information sent in the sign-in logs, this might be the problem. Device information is sent when there is a PRT and the user is logged onto the browser. If the user is using Chrome, the Windows 10 accounts extension is needed.
If this is the case, you can test by asking the user to logon to the Edge browser or install the Windows 10 accounts extension to see if the issue is resolved.
If they are signing in using Edge, they cannot use an incognito window because it will not pass the device state.
Is Microsoft Authenticator App is installed on the device? As Microsoft Authenticator is an broker app for iOS and would be needed to pass MFA and Device claims to Azure AD.
Sign-ins from legacy authentication clients also do not pass device state information to Azure AD.
The error can also occur if there are multiple accounts on the same device. For example, there can be a primary accountthat is compliant but a “system account” listed that is not compliant, and you can check this in the Intune portal. https://www.reddit.com/r/Intune/comments/dwc8h0/intune_compliant_device_still_flagged_by/
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Nathan Abshire , As Marilee mentioned, it seems multi customers have this issue because of the change And now it is rolled back. Please check if our issue is also fixed. If there's any update, feel free to post back.
Have a nice day!
Is the device really compliant? What do settings in built-in say? Also, why is your custom compliance policy reporting as not applicable?
@Nathan Abshire Thanks for posting in our Q&A.
To clarify this issue, we appreciate your help to collect some information:
If there is anything update, feel free to let us know.
If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
@Lu Dai-MSFT @Rahul Jindal [MVP]
As requested, here's the Built-in Device Compliance Policy. Green across the board.
Does the device show compliant in Azure AD portal? Interestingly enough, the result is "N/A" - take a look:
I've also reviewed the sign-in logs and unfortunately the only useful data point is the error code 53000. No other info that would indicate the cause of any non-compliance is available here or in the Azure troubleshooter.
In regards to that custom policy coming up as "not applicable" - I'm honestly not sure, as I didn't write this policy. It was only applied via dynamic group membership which is referenced by the policy. The policy has no settings when inspected.
Another new development - when I went back this morning and checked on the device status in Company Portal, the app says that it is "Checking access to company resources" but has been stuck here for hours without any sign of resolution. Take a look:
@Nathan Abshire Thanks for your update.
For stucking on "Checking access to company resources", it is suggested to try to sync the device in settings > Accounts > Access work or school > Info > sync. If the last check-in time changes, it means that the device is successfully synchronized.
For windows 10 devices, conditional access poliy's supported browsers are Microsoft Edge, Chrome and Firefox 91+. Edge 85+ requires the user to be signed in to the browser to properly pass device identity. So, it is suggested to use the user included in the conditional access poliy's assignment groups logining to the Edge. And check if there is any changes about the current situation..
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-conditions#supported-browsers
There was an incident reported related to this error since multiple customers were receiving. Yesterday the change that caused the issue was rolled back. Let me know if you are still having this problem.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(220.8, 74%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESG%3C/text%3E%3C/svg%3E)
Hello Marilee,
We also have this problem and its still not resolved.
Do you know if this problem is related to conditional access of Intune and what is the solution if this is still not fixed ?
@Crystal-MSFT @Marilee Turscak-MSFT
Sorry for the delay in getting back! Unfortunately the issue persists.
Thanks to the comments in this thread, I believe I'm a little closer to getting this one figured out. On the device in question, in the Settings app and under Access work or School, there is an entry called "Connected to <org> MDM" and inside the Info pane for this entry, there's this notable section:
Now, I've clicked the Sync button abound 3 times now, and the same thing happens each time. The sync appears to take an incredibly long amount of time, sometimes in the magnitude of days. I can see the status of the sync in the Company Portal - "Checking access to company resources" - which always resolves to the same Success message:
However, those magical company resources are still not accessible. The same error message as before appears regardless of browser. And to reply to some of the comments here, YES, Edge is being used (and not InPrivate browsing - the Edge profile is set to the account that the CAP is targeting)
@Nathan Abshire , For this sync error, I find a similar case and it seems the issue may caused by the winhttp proxy setting did not been setup for the device before, we can configure it using the following command to see if it is working:
netsh winhttp import proxy source=ie