We see a strange pattern of failed active and non-interactive sign-ins for a 3rd-party SP OAuth app registration.
The users get the error message "invalid grant" during login.
The sign-in logs show Conditional Access policy failure 53000 (device is not compliant), and we notice that the Device ID field is empty for these failing sign-ins.
Only a subset of users get this error, which seems to be tied to certain combinations of users and workstations.
Everyone gets this error if they use Chrome Incognito or Edge InPrivate mode.
If a user with this problem allows me to open a browser instance in MY OWN user context on HIS desktop VDI using runas or "Run as different user", I can sign in successfully to the website with no error and with the proper Device ID in the sign-in logs, so the problem is NOT isolated to his individual desktop VDI.
If I allow a user with this problem to open a browser instance in HIS OWN user context on MY OWN desktop VDI using runas / "Run as different user", he can sign in successfully to the website with no error and with the proper Device ID in the sign-in logs, so the problem is NOT isolated to the specific user in question.
I have come to believe that the problem could be due to issues with the PRT (Primary Refresh Token), as I read this article:
but I don't know how to troubleshoot this problem further.
TIA for any help solving this problem, as our security policies prohibit us from relaxing the compliance rules.
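A triage check for the PRT theory, added here as an example and not part of the original post: it parses the output of `dsregcmd /status` (the join state and per-user SSO state fields it prints) and says which of the two conditions that produce an empty Device ID applies. It assumes you run it in the affected user's own, non-elevated session on the affected VDI, since the SSO State section reflects the calling user; `-StatusFile` is a hypothetical parameter for parsing a dump captured there.

```powershell
# Added example (not from the post): summarise the 'dsregcmd /status' fields that decide
# whether a browser sign-in can carry a Device ID (device join) and a PRT (per-user SSO).
param(
    # Hypothetical: path to a saved 'dsregcmd /status' dump; omit to run the command live.
    [string]$StatusFile
)

function ConvertFrom-DsregStatus([string]$Raw) {
    # Lines look like "        AzureAdPrt : YES"; collect "Name : Value" pairs into a hashtable.
    $state = @{}
    foreach ($line in ($Raw -split "`r?`n")) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

$raw   = if ($StatusFile) { Get-Content -Path $StatusFile -Raw } else { (dsregcmd /status) -join "`n" }
$state = ConvertFrom-DsregStatus $raw

function Get-Field([string]$Name) {
    if ($state.ContainsKey($Name)) { $state[$Name] } else { '<missing>' }
}

$report = [ordered]@{
    AzureAdJoined        = Get-Field 'AzureAdJoined'
    DomainJoined         = Get-Field 'DomainJoined'
    DeviceId             = Get-Field 'DeviceId'
    AzureAdPrt           = Get-Field 'AzureAdPrt'
    AzureAdPrtUpdateTime = Get-Field 'AzureAdPrtUpdateTime'
    AzureAdPrtAuthority  = Get-Field 'AzureAdPrtAuthority'
}
[pscustomobject]$report | Format-List

# Map the state to the symptom in the post (empty Device ID -> CA failure 53000).
if ($report.AzureAdJoined -ne 'YES') {
    Write-Warning 'Device is not Azure AD / hybrid joined: no Device ID can be presented, so device-compliance CA policies fail for every user on it.'
}
elseif ($report.AzureAdPrt -ne 'YES') {
    Write-Warning 'Device is joined but this user has no PRT on it: the browser cannot obtain the device claim, so Device ID is empty only for this user+device pair.'
}
else {
    Write-Output 'Join state and PRT look healthy for this user here; compare the PRT update time with the failing sign-in time and check the browser SSO path next.'
}
```

Run it once as the affected user on the affected VDI and once in the working combinations you described; a difference in `AzureAdPrt` between the two is the result that confirms the PRT theory.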