This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 17%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EF%3C/text%3E%3C/svg%3E)
Hi all,
This issue is happening on brand new install of RDS 2016 server with out of the box set up and minimal configuration for seamless sso.
Device is hybrid azure ad joined, users get prt, silent sso works fine via edge/chrome/ie.
The 365 apps for enterprise are not reporting device ID or join type to azure which is resulting in my CA policy to fail. It's set to require either compliant/or hybrid azure ad joined device to grant access.
Device filter (exception) is failing also because no device id is reported.
See photo below
This is the result that is passed to Azure during silent sso on a rds 2016 server.
Device info:
Device ID: BLANK
Browser
Rich Client v3.4.1.35249
This is the CA policy
Cloud apps: office 365
Conditions: any device
location: any
client apps: mobile apps/desktop clients
Grant access:
Require device to be compliant
or
Require hybrid azure ad joined device.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 69%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECJ%3C/text%3E%3C/svg%3E)
For the RDS issue where Edge is not passing the DeviceID and Join Type, I found that the user needs to be signed in to the Edge with their work profile and not as a guest. After that the details are passed to Azure.
Device is hybrid azure ad joined and running server 2016 with rds installed(fully updated).
Any indication as to what could be happening ?
Does this issue only occur on this RDSH? Or can you also reproduce it on another machine?
I would say exclude any GPO, use clean Windows Server OS without any roles/apps and try to reproduce the problem. Seems something is messing up your auth token.
Only on the server with RDSH. I set up a 2nd server to test it, and the same issue.
Minimal configuration, only RDS role and 365 apps installed.
SSO works just fine on browsers and for onedrive, the rest have to be manually signed in.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 0%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVM%3C/text%3E%3C/svg%3E)
@FrezaLc The Device ID and Device state does not come when the device is not known to Azure AD. That means if the device is either not registered or joined to Azure AD in some way. As per your comments the device us Hybrid Azure AD joined. Can you also share the result of "dsregcmd /status"
May I also know what exactly are you performing, do by any chance are you trying to use Outlook application on windows server, as that is not supported under Conditional access. Windows server only support Internet explorer as a conditional access method.
You can check the supported desktop apps and clients on : https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-conditions#supported-mobile-applications-and-desktop-clients
-----------------------------------------------------------------------------------------------------------------
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
CA is set to allow access to desktop apps only if a device is compliant or hybrid azure ad joined.
SSO works on the server via onedrive and browsers (ie, chrome, edge), it works even with onedrive.
However, users have to manually sign in to office (for it to activate) as oppose to automatic activation, which fails due to device id/or join type not being reported.
So if a user logs in to RDS then opens word, it will say there's something wrong with your account click here to sign in.
Logs show that device is not in compliant state, no device id or join type is reported.
If they click sign in and enter their email manually, then the user's office gets activated and they can use it.
If i turn off the CA policy the first step is automatic and doesn't fail.
@FrezaLc - let me check on this behavior in my environment and report you back
Look forward to hearing back on your findings. My env is 2016 server running rds with latest 365 apps (enterprise) version.
@FrezaLc Was not able to repro the complete setup, but I think there are multiple component involved here, the SSO should work when you sign to the machine using the PRT (primary refresh token)that the user gets as that PRT token has the device ID which should then pass it on to the M365 Apps. But in these scenarios I am not sure if that is being passed as there are multiple users being connected to the RDS server. I also confirmed that without CA you do not have to login again and it just works.
I think this would need a deeper investigation and a support case will be suitable for this. Let me know if you already have a support plan otherwise I can enable you for a one time free support ticket.
@VipulSparsh-MSFT
Glad you were able to see that the sso works just fine without CA.
Once CA is in place, things are broken- at least with 365 apps.
If you can open a ticket with the proper department, then that would be really great.
Let me know if you need any information from me and how I can track the status of the ticket/solution.
@FrezaLc For opening a ticket I would need the subscription ID for your Azure. Please drop me an email at azcommunity@microsoft.com with subject "Atten-Vipul" and I will reach out to you with further steps.