For the RDS issue where Edge is not passing the DeviceID and Join Type, I found that the user needs to be signed in to the Edge with their work profile and not as a guest. After that the details are passed to Azure.
365 Apps not reporting Device ID or Join Type
Hi all,
This issue is happening on brand new install of RDS 2016 server with out of the box set up and minimal configuration for seamless sso.
Device is hybrid azure ad joined, users get prt, silent sso works fine via edge/chrome/ie.
The 365 apps for enterprise are not reporting device ID or join type to azure which is resulting in my CA policy to fail. It's set to require either compliant/or hybrid azure ad joined device to grant access.
Device filter (exception) is failing also because no device id is reported.
See photo below
This is the result that is passed to Azure during silent sso on a rds 2016 server.
Device info:
Device ID: BLANK
Browser
Rich Client v3.4.1.35249
This is the CA policy
Cloud apps: office 365
Conditions: any device
location: any
client apps: mobile apps/desktop clients
Grant access:
Require device to be compliant
or
Require hybrid azure ad joined device.
11 answers
Sort by: Most helpful
-
-
FrezaLc 1 Reputation point
2021-10-03T17:53:41.307+00:00 Device is hybrid azure ad joined and running server 2016 with rds installed(fully updated).
Any indication as to what could be happening ?
-
Mr Sbaa 356 Reputation points
2021-10-03T18:03:52.177+00:00 Does this issue only occur on this RDSH? Or can you also reproduce it on another machine?
I would say exclude any GPO, use clean Windows Server OS without any roles/apps and try to reproduce the problem. Seems something is messing up your auth token.
-
FrezaLc 1 Reputation point
2021-10-03T18:08:37.977+00:00 Only on the server with RDSH. I set up a 2nd server to test it, and the same issue.
Minimal configuration, only RDS role and 365 apps installed.
SSO works just fine on browsers and for onedrive, the rest have to be manually signed in. -
VipulSparsh-MSFT 16,231 Reputation points Microsoft Employee
2021-10-04T06:00:34.243+00:00 @FrezaLc The Device ID and Device state does not come when the device is not known to Azure AD. That means if the device is either not registered or joined to Azure AD in some way. As per your comments the device us Hybrid Azure AD joined. Can you also share the result of "dsregcmd /status"
May I also know what exactly are you performing, do by any chance are you trying to use Outlook application on windows server, as that is not supported under Conditional access. Windows server only support Internet explorer as a conditional access method.
You can check the supported desktop apps and clients on : https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-conditions#supported-mobile-applications-and-desktop-clients
-----------------------------------------------------------------------------------------------------------------
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.