Conditional Access with Azure AD Registered devices not working

Leo Johnson 151 Reputation points
2021-03-29T11:27:06.997+00:00

Hi y'all,

Struggling with Conditional Access in combination with Azure AD Registered devices.

I want to allow browser access to Office 365 from Azure AD Registered devices.

But it keeps blocking access to office.com.

We are trying to set up Windows Information Protection without Enrollment, that's the reason our devices will be Azure AD Registered devices.

If I read the documentation correctly, Conditional Access should function with Azure AD Registered devices.

What am I missing?
[Two screenshots attached: 82423-1.png, 82424-2.png]

Tags: Microsoft Intune, Microsoft Entra ID

3 answers

Sort by: Most helpful
  1. Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee
    2021-03-29T20:33:06.35+00:00

    Hello,

    Based on your screenshot it looks like the users did not satisfy the Grant Controls.

    The grant control can trigger enforcement of one or more controls.

    Require multi-factor authentication (Azure AD Multi-Factor Authentication)
    Require device to be marked as compliant (Intune)
    Require Hybrid Azure AD joined device
    Require approved client app
    Require app protection policy
    Require password change
    Require terms of use

    Administrators can choose to require one of the previous controls or all selected controls using the following options. The default for multiple controls is to require all.

    Require all the selected controls (control and control)
    Require one of the selected controls (control or control)

    If any of the above are missing and they are required, then the access will be blocked.

    I would check your conditional access policy. You can choose to require only one of the selected controls if needed.

    [Screenshot attached: 82488-grantaccess.jpg]

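To make the grant-control logic from this answer concrete, here is an added example (not code from the thread or from Microsoft) that evaluates a policy's grant controls against a sign-in the way the answer describes: with the "AND" operator every selected control must be satisfied, with "OR" any one is enough. The policy dictionary mimics the `grantControls` object of a Microsoft Graph `conditionalAccessPolicy` (the `operator` and `builtInControls` names are real Graph values); the `SignIn` fields, the mapping from control to sign-in fact, and all sample sign-ins are constructed for this example. Terms-of-use and custom controls are left out.

```python
"""Evaluate Conditional Access grant controls (AND vs OR) against a sign-in.

Added example, not Microsoft code. The policy dict mimics the grantControls
object of a Graph conditionalAccessPolicy; SignIn and CONTROL_CHECKS are
assumptions made for this illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class SignIn:
    # Constructed sign-in facts. device_trust is one of:
    # "azureADRegistered", "azureADJoined", "hybridAzureADJoined", "none".
    device_trust: str
    intune_enrolled: bool = False
    intune_compliant: bool = False
    mfa_completed: bool = False
    client_app_approved: bool = False
    app_protection_policy: bool = False
    password_changed: bool = False


# Each Graph built-in grant control mapped to the sign-in fact that satisfies it.
# "compliantDevice" needs Intune enrollment *and* a compliant evaluation, which an
# Azure AD Registered device without enrollment (the asker's setup) can never meet.
# "domainJoinedDevice" is the Hybrid Azure AD joined requirement.
CONTROL_CHECKS = {
    "block": lambda s: False,  # the "Block access" control never grants
    "mfa": lambda s: s.mfa_completed,
    "compliantDevice": lambda s: s.intune_enrolled and s.intune_compliant,
    "domainJoinedDevice": lambda s: s.device_trust == "hybridAzureADJoined",
    "approvedApplication": lambda s: s.client_app_approved,
    "compliantApplication": lambda s: s.app_protection_policy,
    "passwordChange": lambda s: s.password_changed,
}


def evaluate_grant(grant_controls: dict, sign_in: SignIn) -> tuple[bool, list[str]]:
    """Return (granted, unsatisfied_controls) for one policy's grantControls.

    operator "AND" (the default for multiple controls) requires every selected
    control; "OR" requires at least one of them.
    """
    controls = grant_controls.get("builtInControls", [])
    operator = grant_controls.get("operator", "AND")
    unknown = [c for c in controls if c not in CONTROL_CHECKS]
    if unknown:
        raise ValueError(f"unsupported grant control(s): {unknown}")
    if not controls:
        return True, []  # no grant controls selected: nothing to fail
    unsatisfied = [c for c in controls if not CONTROL_CHECKS[c](sign_in)]
    if operator == "AND":
        granted = not unsatisfied
    elif operator == "OR":
        granted = len(unsatisfied) < len(controls)
    else:
        raise ValueError(f"unknown operator {operator!r}")
    return granted, unsatisfied


def explain(policy_name: str, grant_controls: dict, sign_in: SignIn) -> str:
    """Human-readable verdict in the style of a sign-in log 'Failure reason'."""
    granted, missing = evaluate_grant(grant_controls, sign_in)
    if granted:
        return f"{policy_name}: success"
    return f"{policy_name}: failure, grant controls not satisfied: {', '.join(missing)}"


if __name__ == "__main__":
    # The asker's situation: Azure AD Registered, WIP without enrollment, so no Intune record.
    registered = SignIn(device_trust="azureADRegistered", mfa_completed=True)
    require_compliant = {"operator": "AND", "builtInControls": ["compliantDevice"]}
    print(explain("Require compliant device", require_compliant, registered))

    # The fix suggested in the answer: require only one of the selected controls.
    one_of = {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}
    print(explain("MFA or compliant device", one_of, registered))
```

Running the script prints a failure for the first policy (only `compliantDevice` is selected and it can't be met) and a success for the second, where completing MFA satisfies the "OR" policy even though the device control still fails.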

  2. Aaron Oakwell 1 Reputation point
    2021-03-29T21:04:32.29+00:00

    Hi @Leo Johnson

    From the screenshots you’ve sent it looks to be that your conditional access policy requires a compliant device and thus one enrolled into Intune.

    However, as I understand it you are using WIP without enrolment, so you would likely have to remove that requirement from the grant controls section.


  3. Crystal-MSFT 42,631 Reputation points Microsoft Vendor
    2021-03-30T02:30:41.443+00:00

    @Leo Johnson From the sign-in log, it shows the "Grant control" is not satisfied. It seems "Require device to be marked as Compliant" is configured, but the device is not compliant. Could you check whether the Azure AD registered device is enrolled into Intune and whether it shows as Compliant?

    If this is a non-compliant device in Intune, we can check the device compliance to see which setting is not met and fix it. But if the device is not enrolled into Intune, we can check whether all the devices the user uses are not enrolled into Intune. If yes, we can exclude the user from this conditional access policy, or consider enrolling these devices into Intune and making them compliant.

    Hope the above information can help.
