Guest users are not able to access the tenant on an unmanaged MacOS device

Glenn Van Rymenant 6 Reputation points
2022-01-27T16:49:03.03+00:00

I received an escalation from a customer that guest users are not able to access their tenant from an unmanaged MacOS device.

This is what they're seeing on the sign-ins:

169037-image.png

I'm guessing MS made a change related to crossTenantAccessPolicies which is now blocking uncompliant MacOS devices...

Unfortunately, I don't have access to an unmanaged MacOS device to test but I'm guessing that opening up the inbound trust on the default cross tenant access policy might fix it:

PATCH https://graph.microsoft.com/beta/policies/crossTenantAccessPolicy/default

{
"inboundTrust": {
"isMfaAccepted": true,
"isCompliantDeviceAccepted": true,
"isHybridAzureADJoinedDeviceAccepted": true
}
}

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,672 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. Marilee Turscak-MSFT 34,546 Reputation points Microsoft Employee
    2022-01-27T20:19:07.03+00:00

    Hi @Glenn Van Rymenant .

    I understand the users are unable to access the tenant because they are receiving the error, "AcceptCompliantDevice setting isn't configured."

    This can happen if you have a conditional access policy that requires device ID (approved client app . So, to use this feature, the user needs to have the ID registered in your directory.

    The Conditional Access grant controls such as "Require approved client apps" and "Require app protection policies" need the device to be registered in the tenant. These controls can only be applied to iOS and Android devices. However, neither of these controls can be applied to B2B guest users if the user’s device is already being managed by another organization. A mobile device cannot be registered in more than one tenant at a time. If the mobile device is managed by another organization, the user will be blocked.

    If this is the case, you can may need to remove the user from the Conditional Access policy.

    Let me know if this helps at all.

    Additional reading: Conditional Access Mobile Application Management Policies

    Thanks,

    Marilee


  2. Glenn Van Rymenant 6 Reputation points
    2022-01-28T08:54:41.987+00:00

    I'm not convinced that it was related to CA as the the sign-in simply showed "non applicable" for CA and the only policies that are applied to guest users are a require MFA policy and a sign-in frequency policy (i.e.: no compliance or approved app).

    The customer just confirmed that these guest users are now able to sign back in after no changes whatsoever so they must've fixed something on the backend...


  3. Marilee Turscak-MSFT 34,546 Reputation points Microsoft Employee
    2022-01-28T16:38:28.37+00:00

    There was an incident reported that was related to this issue and like you said, yesterday they rolled back the change that would have caused the problem. Thanks for reporting this and let me know if there are any further issues.

    0 comments No comments