Hello,
Based on your screenshot it looks like the users did not satisfy the Grant Controls.
The grant control can trigger enforcement of one or more controls.
Require multi-factor authentication (Azure AD Multi-Factor Authentication)
Require device to be marked as compliant (Intune)
Require Hybrid Azure AD joined device
Require approved client app
Require app protection policy
Require password change
Require terms of useAdministrators can choose to require one of the previous controls or all selected controls using the following options. The default for multiple controls is to require all.
Require all the selected controls (control and control)
Require one of the selected controls (control or control)
If any of the above are missing and they are required, then the access will be blocked.
I would check your conditional access policy. You can choose to require only one of the selected controls if needed.