Conditional Access - App Enforced Policies - SharePoint File download from Personal enrolled Compliant device

Question

We have recently rolled out conditional access linked with SharePoint limit access from Unmanaged Devices. We have a member of staff that's enrolled a personal Windows device into InTune and it's showing as compliant. However, they are unable to download files from SharePoint onto the device. The conditional access policy grants access from desktop apps if the device is marked as compliant OR Hybrid Azure AD joined. The device satisfies the "Marked as compliant" requirement. I am unsure why they are unable to download documents to their device as the conditional access policy requirements are satisfied.

Attached is a picture of the policy as well as the "What If" output.

Any help/advice would be greatly appreciated.

Many thanks.

Answer 1

Hi @J Worth ,

Issue summary
Users have compliant devices, but are getting blocked by a Conditional Access policy that requires compliant devices.

Symptoms
This can happen for a number of reasons that are documented in Conditional Access troubleshooting guide under the section, Devices appear compliant but users are still blocked. Common reasons are related to users lacking proper licensing, device compliance information taking some extra time to register for the device, and issues with certain device profiles.

Troubleshooting steps

1) Ensure that the user has an Intune license assigned for proper compliance evaluation.

2) Non-Knox Android devices need to click the Get Started Now link in the quarantine email they receive to be granted access. This applies even if the users are already enrolled in Intune.

3) When a device is first enrolled, it might take some time for compliance information to be registered for a device. Wait a few minutes and try again.

4) For iOS/iPadOS devices, an existing email profile might block the deployment of an Intune admin-created email profile assigned to that user, making the device noncompliant. In this scenario, the Company Portal app will notify the user that they aren't compliant because of their manually configured email profile, and it prompts the user to remove that profile.

5) A device might get stuck in a checking-compliance state, preventing the user from starting another check-in. If you have a device in this state:

Make sure the device is using the latest version of the Company Portal app.
Restart the device.
See if the problem persists on different networks (for example, cellular, Wi-Fi, etc.).
If the problem remains, contact Microsoft Support as described in Get support in Microsoft Endpoint Manager.

6) Check the additional troubleshooting steps in Troubleshooting Conditional Access: Devices appear compliant but users are still blocked

7) If you check the Troubleshooting and support tab under Azure Active Directory > Sign-ins > Troubleshooting and support, you should be able to see a clear reason why the sign-in failed such as a device that didn't meet compliance requirements.

If you still have this issue after checking these settings, you might need to create a support case to get this resolved. Please check the troubleshooting steps and if you still have this problem, feel free to reach out to me and I can help get a support case created.

-
If this answer was helpful to you, please remember to "mark as answer" so that others in the community with similar questions can more easily find a solution.

Answer 2

Many thanks for your detailed response. The device is a personal Windows 10/11 device and InTune says that it's compliant, however, access is still blocked to an installed version of Microsoft Office.

The screenshot below shows the device in question as being compliant:

However, when attempting to open a document in Microsoft Office, it says that the device doesn't meet organisation's compliance requirements:

Detailed Conditional Access Policy is as follows:

Many thanks.