Hi @J Worth ,
Issue summary
Users have compliant devices, but are getting blocked by a Conditional Access policy that requires compliant devices.
Symptoms
This can happen for a number of reasons that are documented in the Conditional Access troubleshooting guide under the section, Devices appear compliant but users are still blocked. Common reasons are related to users lacking proper licensing, device compliance information taking some extra time to register for the device, and issues with certain device profiles.
Troubleshooting steps
1) Ensure that the user has an Intune license assigned for proper compliance evaluation.
2) Non-Knox Android devices need to click the Get Started Now link in the quarantine email they receive to be granted access. This applies even if the users are already enrolled in Intune.
3) When a device is first enrolled, it might take some time for compliance information to be registered for a device. Wait a few minutes and try again.
4) For iOS/iPadOS devices, an existing email profile might block the deployment of an Intune admin-created email profile assigned to that user, making the device noncompliant. In this scenario, the Company Portal app will notify the user that they aren't compliant because of their manually configured email profile, and it prompts the user to remove that profile.
5) A device might get stuck in a checking-compliance state, preventing the user from starting another check-in. If you have a device in this state:
   - Make sure the device is using the latest version of the Company Portal app.
   - Restart the device.
   - See if the problem persists on different networks (for example, cellular, Wi-Fi, etc.).
   - If the problem remains, contact Microsoft Support as described in Get support in Microsoft Endpoint Manager.
6) Check the additional troubleshooting steps in Troubleshooting Conditional Access: Devices appear compliant but users are still blocked.
7) If you check the Troubleshooting and support tab under Azure Active Directory > Sign-ins > Troubleshooting and support, you should be able to see a clear reason why the sign-in failed such as a device that didn't meet compliance requirements.
If you still have this issue after checking these settings, you might need to create a support case to get this resolved. Please check the troubleshooting steps and if you still have this problem, feel free to reach out to me and I can help get a support case created.
If this answer was helpful to you, please remember to "mark as answer" so that others in the community with similar questions can more easily find a solution.
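The check in step 7 can also be run over a JSON export of the sign-in logs. The following is an added example, not part of the original answer: it assumes records shaped like the Microsoft Graph signIn resource, and the sample records, policy name and function names are constructed for illustration.

```python
import json

# Constructed sample records shaped like the Microsoft Graph signIn resource
# (as in a JSON export of the sign-in logs). Every value here is made up.
SAMPLE = json.loads("""[
 {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-01-10T09:00:00Z",
  "status": {"errorCode": 53000},
  "deviceDetail": {"deviceId": "00000000-0000-0000-0000-000000000001", "isCompliant": false},
  "appliedConditionalAccessPolicies": [{"displayName": "Require compliant device",
    "result": "failure", "enforcedGrantControls": ["RequireCompliantDevice"]}]},
 {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2024-01-10T09:05:00Z",
  "status": {"errorCode": 53000},
  "deviceDetail": {"deviceId": "", "isCompliant": null},
  "appliedConditionalAccessPolicies": [{"displayName": "Require compliant device",
    "result": "failure", "enforcedGrantControls": ["RequireCompliantDevice"]}]},
 {"userPrincipalName": "carol@contoso.example", "createdDateTime": "2024-01-10T09:10:00Z",
  "status": {"errorCode": 0},
  "deviceDetail": {"deviceId": "00000000-0000-0000-0000-000000000003", "isCompliant": true},
  "appliedConditionalAccessPolicies": [{"displayName": "Require compliant device",
    "result": "success", "enforcedGrantControls": ["RequireCompliantDevice"]}]}
]""")

def failed_compliance_policies(signin):
    """Names of applied policies that failed and enforce a compliant-device control."""
    return [p.get("displayName", "")
            for p in signin.get("appliedConditionalAccessPolicies") or []
            if p.get("result") == "failure"
            and any("compliant" in c.lower() for c in p.get("enforcedGrantControls") or [])]

def triage(signin):
    """Return a finding for a sign-in blocked by a compliance policy, else None."""
    policies = failed_compliance_policies(signin)
    if not policies:
        return None
    dev = signin.get("deviceDetail") or {}
    if not dev.get("deviceId"):
        finding = "no device identity in sign-in"   # sign-in carried no device ID
    elif dev.get("isCompliant"):
        finding = "device reported compliant"       # sign-in saw a compliant device
    else:
        finding = "device reported not compliant"   # compliance state false or missing
    return {"user": signin.get("userPrincipalName"), "time": signin.get("createdDateTime"),
            "errorCode": (signin.get("status") or {}).get("errorCode"),
            "policies": policies, "finding": finding}

def triage_all(signins):
    return [f for f in map(triage, signins) if f]

if __name__ == "__main__":
    for f in triage_all(SAMPLE):
        print(f)
```

A "no device identity" finding means the sign-in record carried no device ID, which is a different situation from a known device whose compliance state was reported as false.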