Azure AD Enterprise app non-interactive sign-ins fail due to missing device id though devices are enrolled

asked 2022-06-13T17:19:14.107+00:00
Rasmus Emil Møller 1 Reputation point

We see a strange pattern of failed active and non-interactive sign-ins for a 3rd-party SP OAuth app registration.

The users get the error message "invalid grant" during login.

The sign-in logs show Conditional Access policy failure 53000 (device is not compliant), and we notice that the Device ID field is empty for these failing sign-ins.

Only a subset of users get this error, which seems to be tied to certain combinations of users and workstations.

Everyone gets this error if you use Chrome Incognito or Edge InPrivate mode.

If a user with this problem allows me to open a browser instance in MY OWN user context on HIS desktop VDI using runas or "Run as different user", I can sign in successfully to the website with no error and with the proper Device ID in the sign-in logs, so the problem is NOT isolated to his individual desktop VDI.

If I allow a user with this problem to open a browser instance in HIS OWN user context on MY OWN desktop VDI using runas / "Run as different user", he can sign in successfully to the website with no error and with the proper Device ID in the sign-in logs, so the problem is NOT isolated to the specific user in question.

I have come to believe that the problem could be due to issues with the PRT (Primary Refresh Token), as I read this article:

https://rakhesh.com/infrastructure/notes-of-azure-ad-authentication-sso-etc/

but I don't know how to troubleshoot this problem further.

TIA for any help solving this problem, as our security policies prohibit us from relaxing the compliance rules.
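The Device ID on an Azure AD sign-in comes from the PRT that the user's session holds for that device, and a PRT exists per user, per device, which is consistent with the cross-user / cross-VDI observations above. The script below is an added example (not from the original post or from Microsoft) that parses the output of the built-in `dsregcmd /status` tool and flags the fields that must be healthy before a Device ID can appear in the sign-in log. The `ConvertFrom-DsregStatus` and `Test-PrtHealth` function names are the example's own; the constructed sample text at the bottom stands in for real tool output so the script runs offline.

```powershell
# Added example: summarise device-registration and PRT state from dsregcmd /status.
# Run it inside the AFFECTED user's own session (or a "Run as different user"
# window for that user), because the PRT is issued per user, per device.

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    # dsregcmd prints "   Key : Value" rows under boxed section headers;
    # collect the rows into a hashtable and ignore the decorative lines.
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*)$') {
            $state[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $state
}

function Test-PrtHealth {
    param([hashtable]$State)
    # Each finding names a precondition for a device-bound sign-in that is not met.
    $findings = @()
    if ($State['AzureAdJoined'] -ne 'YES') {
        $findings += 'AzureAdJoined is not YES: the device itself is not registered with Azure AD.'
    }
    if ([string]::IsNullOrEmpty($State['DeviceId'])) {
        $findings += 'DeviceId is empty: no device object exists for this machine.'
    }
    if ($State['AzureAdPrt'] -ne 'YES') {
        $findings += 'AzureAdPrt is not YES: this user has no PRT on this device, so sign-ins carry no Device ID and device-compliance Conditional Access fails.'
    }
    if ($State['WamDefaultSet'] -ne 'YES') {
        $findings += 'WamDefaultSet is not YES: the Web Account Manager broker is not the default, so browsers and apps may not be able to use the PRT.'
    }
    return $findings
}

# Constructed sample (hypothetical GUID) modelled on dsregcmd output for a user
# whose device is joined but who holds no PRT: the pattern described above.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                  DeviceId : 00000000-1111-2222-3333-444444444444
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : NO
             WamDefaultSet : YES
'@ -split "`r?`n"

# Offline run on the constructed sample; swap in live output with:
#   $state = ConvertFrom-DsregStatus -Lines (dsregcmd /status)
$state = ConvertFrom-DsregStatus -Lines $sample
"Running as: $(whoami)"
$problems = Test-PrtHealth -State $state
if ($problems.Count -eq 0) { 'PRT state looks healthy for this user on this device.' }
else { $problems | ForEach-Object { "FINDING: $_" } }
```

Capturing this for the failing user and for a working user on the same VDI gives a direct comparison of the `AzureAdPrt` row, which is the field that distinguishes "device is compliant" from "this session cannot prove which device it is on". A sign-in without a PRT has no Device ID for Conditional Access to evaluate, so a compliant-device policy reports the device as non-compliant rather than relaxing the check.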

Azure Active Directory

1 answer

  1. answered 2022-06-13T22:14:40.177+00:00
    David Broggy 3,981 Reputation points Microsoft MVP

    Hi @Rasmus Emil Møller
    I wouldn't be testing with your user account since you likely have special privileges compared to the problem user account.
    I would:

    • create a new user with no special privileges/roles
    • optionally create a new vm or device that replicates the problem user's device

    Now do your testing and gradually keep adding permissions until you can log in.

    Good luck.
