Conditional Access - App Enforced Policies - SharePoint File download from Personal enrolled Compliant device

J Worth 46 Reputation points
2022-03-15T11:55:59.137+00:00

We have recently rolled out conditional access linked with SharePoint limit access from Unmanaged Devices. We have a member of staff that's enrolled a personal Windows device into InTune and it's showing as compliant. However, they are unable to download files from SharePoint onto the device. The conditional access policy grants access from desktop apps if the device is marked as compliant OR Hybrid Azure AD joined. The device satisfies the "Marked as compliant" requirement. I am unsure why they are unable to download documents to their device as the conditional access policy requirements are satisfied.

Attached is a picture of the policy as well as the "What If" output.

Any help/advice would be greatly appreciated.

Many thanks.183235-capture.jpg183159-whatif.jpg

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,909 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Marilee Turscak-MSFT 34,801 Reputation points Microsoft Employee
    2022-03-15T22:43:44.053+00:00

    Hi @J Worth ,

    Issue summary
    Users have compliant devices, but are getting blocked by a Conditional Access policy that requires compliant devices.

    Symptoms
    This can happen for a number of reasons that are documented in Conditional Access troubleshooting guide under the section, Devices appear compliant but users are still blocked. Common reasons are related to users lacking proper licensing, device compliance information taking some extra time to register for the device, and issues with certain device profiles.

    Troubleshooting steps

    1) Ensure that the user has an Intune license assigned for proper compliance evaluation.

    2) Non-Knox Android devices need to click the Get Started Now link in the quarantine email they receive to be granted access. This applies even if the users are already enrolled in Intune.

    3) When a device is first enrolled, it might take some time for compliance information to be registered for a device. Wait a few minutes and try again.

    4) For iOS/iPadOS devices, an existing email profile might block the deployment of an Intune admin-created email profile assigned to that user, making the device noncompliant. In this scenario, the Company Portal app will notify the user that they aren't compliant because of their manually configured email profile, and it prompts the user to remove that profile.

    5) A device might get stuck in a checking-compliance state, preventing the user from starting another check-in. If you have a device in this state:

    Make sure the device is using the latest version of the Company Portal app.
    Restart the device.
    See if the problem persists on different networks (for example, cellular, Wi-Fi, etc.).
    If the problem remains, contact Microsoft Support as described in Get support in Microsoft Endpoint Manager.

    6) Check the additional troubleshooting steps in Troubleshooting Conditional Access: Devices appear compliant but users are still blocked

    7) If you check the Troubleshooting and support tab under Azure Active Directory > Sign-ins > Troubleshooting and support, you should be able to see a clear reason why the sign-in failed such as a device that didn't meet compliance requirements.

    If you still have this issue after checking these settings, you might need to create a support case to get this resolved. Please check the troubleshooting steps and if you still have this problem, feel free to reach out to me and I can help get a support case created.

    -
    If this answer was helpful to you, please remember to "mark as answer" so that others in the community with similar questions can more easily find a solution.

    0 comments No comments

  2. J Worth 46 Reputation points
    2022-03-16T19:07:16.25+00:00

    Many thanks for your detailed response. The device is a personal Windows 10/11 device and InTune says that it's compliant, however, access is still blocked to an installed version of Microsoft Office.

    The screenshot below shows the device in question as being compliant:

    183837-screenshot-2022-03-16-190155.png

    However, when attempting to open a document in Microsoft Office, it says that the device doesn't meet organisation's compliance requirements:

    183901-screenshot-2022-03-16-190343.png

    Detailed Conditional Access Policy is as follows:

    183818-screenshot-2022-03-16-190516.png
    183892-screenshot-2022-03-16-190538.png
    183893-screenshot-2022-03-16-190554.png

    Many thanks.