Guest users are not able to access the tenant on an unmanaged MacOS device

Glenn Van Rymenant 6 Reputation points
2022-01-27T16:49:03.03+00:00

I received an escalation from a customer that guest users are not able to access their tenant from an unmanaged MacOS device.

This is what they're seeing on the sign-ins:

(screenshot of the sign-in log entry)

I'm guessing MS made a change related to crossTenantAccessPolicies which is now blocking uncompliant MacOS devices...

Unfortunately, I don't have access to an unmanaged MacOS device to test but I'm guessing that opening up the inbound trust on the default cross tenant access policy might fix it:

PATCH https://graph.microsoft.com/beta/policies/crossTenantAccessPolicy/default

{
  "inboundTrust": {
    "isMfaAccepted": true,
    "isCompliantDeviceAccepted": true,
    "isHybridAzureADJoinedDeviceAccepted": true
  }
}
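To make the interaction between the resource tenant's Conditional Access grant controls and the inboundTrust settings concrete, here is an added illustration that is not part of the original post and not Microsoft's code: a simplified, assumed model of the decision (the real evaluation is Entra's and has more inputs), plus a helper that builds the PATCH body shown above. The dataclasses, field names and outcome strings are constructed for this example.

```python
import json
from dataclasses import dataclass


@dataclass
class InboundTrust:
    # Mirrors the inboundTrust keys of the default cross-tenant access policy.
    is_mfa_accepted: bool = False
    is_compliant_device_accepted: bool = False
    is_hybrid_joined_accepted: bool = False


@dataclass
class GuestClaims:
    # What the guest's home tenant asserts about the session (constructed input).
    mfa_done: bool = False
    device_compliant: bool = False
    device_hybrid_joined: bool = False


@dataclass
class CaRequirements:
    # Grant controls of the resource tenant's Conditional Access policy
    # (modelled here as "require all selected controls").
    require_mfa: bool = False
    require_compliant_device: bool = False
    require_hybrid_joined: bool = False


def evaluate_guest_sign_in(trust, claims, ca):
    """Simplified model: return (outcome, reason) where outcome is 'allow',
    'prompt_mfa' or 'block'. Device-based controls cannot be satisfied in the
    resource tenant, so an untrusted claim blocks; MFA can be re-done locally."""
    if ca.require_compliant_device:
        if not trust.is_compliant_device_accepted:
            return "block", "AcceptCompliantDevice setting isn't configured"
        if not claims.device_compliant:
            return "block", "home tenant reports the device as non-compliant"
    if ca.require_hybrid_joined:
        if not trust.is_hybrid_joined_accepted:
            return "block", "hybrid-joined claims from the home tenant are not trusted"
        if not claims.device_hybrid_joined:
            return "block", "device is not hybrid joined in the home tenant"
    if ca.require_mfa and not (trust.is_mfa_accepted and claims.mfa_done):
        return "prompt_mfa", "MFA must be satisfied in the resource tenant"
    return "allow", "all grant controls satisfied"


def inbound_trust_patch_body(trust):
    """JSON body for PATCH .../policies/crossTenantAccessPolicy/default."""
    return json.dumps({"inboundTrust": {
        "isMfaAccepted": trust.is_mfa_accepted,
        "isCompliantDeviceAccepted": trust.is_compliant_device_accepted,
        "isHybridAzureADJoinedDeviceAccepted": trust.is_hybrid_joined_accepted,
    }}, indent=2)
```

Before widening inbound trust, check the resource tenant's sign-in log for the guest: if Conditional Access shows "Not applied" (as in the case above), the block is not explained by this model and is worth raising with Microsoft rather than changing trust settings.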


3 answers

  1. Marilee Turscak-MSFT 34,306 Reputation points Microsoft Employee
    2022-01-27T20:19:07.03+00:00

    Hi @Glenn Van Rymenant .

    I understand the users are unable to access the tenant because they are receiving the error, "AcceptCompliantDevice setting isn't configured."

    This can happen if you have a Conditional Access policy that requires a device ID (approved client app). So, to use this feature, the user needs to have the device ID registered in your directory.

    The Conditional Access grant controls such as "Require approved client apps" and "Require app protection policies" need the device to be registered in the tenant. These controls can only be applied to iOS and Android devices. However, neither of these controls can be applied to B2B guest users if the user’s device is already being managed by another organization. A mobile device cannot be registered in more than one tenant at a time. If the mobile device is managed by another organization, the user will be blocked.

    If this is the case, you may need to remove the user from the Conditional Access policy.

    Let me know if this helps at all.

    Additional reading: Conditional Access Mobile Application Management Policies

    Thanks,

    Marilee


  2. Glenn Van Rymenant 6 Reputation points
    2022-01-28T08:54:41.987+00:00

    I'm not convinced that it was related to CA as the sign-in simply showed "not applicable" for CA, and the only policies that are applied to guest users are a require-MFA policy and a sign-in frequency policy (i.e. no compliance or approved-app requirement).

    The customer just confirmed that these guest users are now able to sign back in after no changes whatsoever so they must've fixed something on the backend...


  3. Marilee Turscak-MSFT 34,306 Reputation points Microsoft Employee
    2022-01-28T16:38:28.37+00:00

    There was an incident reported that was related to this issue and like you said, yesterday they rolled back the change that would have caused the problem. Thanks for reporting this and let me know if there are any further issues.
