My organization is doing some pilot testing for Azure CA. It's going great for most policies, but one policy in particular has me confused. Here are the details of the policy:
Policy name: (Test) Require MFA and compliant device for Azure management
State: On
User or workload identities: A group called CAPolicyPilotUsers, of which I am the only member.
Cloud apps or actions: Microsoft Azure Management
Conditions: (none)
Grant controls: Require both MFA and "Require device to be marked as compliant"
Session: (none)
The policy ensures that the pilot group's members are on compliant devices and that they can pass MFA challenges. MFA has been going well. However, the compliant device requirement has proven to be difficult.
!! Important to know going into this troubleshooting: I am testing on two devices. One device is joined to the matching on-prem work domain (I believe a policy auto-enrolls the device into MDM). The other device (the one with the issue) is a home PC that has been registered in MDM (in this case, Intune) via Company Portal. The Company Portal app's setup is complete and the status is healthy.
When signing in on the home PC, the following error message is provided:
This was snipped from Edge. The Windows 10 personal PC is completely up to date. The Edge profile matches the account being used to sign into the Microsoft Company Portal (in-scope for our CA's app target - Azure portal was also tested, and got the same issue).
Error 53000 indicates that the device isn't compliant. I beg to differ! Here's the personal PC, NATHAN-DESKTOP, when inspected in Azure:
Here's the same machine's compliance policy info:
Heck, even Company Portal on that machine shows the device is compliant.
Yet, when running the Azure troubleshooter, the diagnostic info about the sign-in reports that the access control called "Require device to be marked as compliant" was submitted by the client as "Non-Compliant Non-Managed", which contradicts what I'm seeing when inspecting the device.
So, exactly how "compliant" does my compliant device need to be here? Azure says it's simultaneously compliant and non-compliant, depending on where I'm looking.
Thank you in advance for any help or guidance :)
~Nathan
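A way to pin down this kind of mismatch, added here as an example and not part of the original post: pull the three records that can disagree (the device detail captured on the failed sign-in, the Entra ID/Azure AD device object, and the Intune managed-device record) side by side. It assumes the Microsoft Graph PowerShell SDK; the device name is taken from the post and the UPN is a placeholder.

```powershell
# Added diagnostic (not from the original post): compare what the sign-in log recorded
# about the device with the directory object and the Intune record for the same machine.
# Assumes the Microsoft.Graph PowerShell SDK and an account granted these read scopes.
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All","DeviceManagementManagedDevices.Read.All"

$deviceName = "NATHAN-DESKTOP"      # device name from the post; replace with the device under test
$upn        = "user@example.com"    # placeholder UPN of the pilot user

# 1. What the sign-in actually carried: recent failures with error 53000 (device not compliant).
$signIns = Get-MgAuditLogSignIn -Top 5 `
    -Filter "userPrincipalName eq '$upn' and status/errorCode eq 53000"
$signIns | ForEach-Object {
    [pscustomobject]@{
        Time        = $_.CreatedDateTime
        Browser     = $_.DeviceDetail.Browser
        DeviceId    = $_.DeviceDetail.DeviceId    # empty => no device identity reached the token request
        TrustType   = $_.DeviceDetail.TrustType
        IsManaged   = $_.DeviceDetail.IsManaged
        IsCompliant = $_.DeviceDetail.IsCompliant
    }
} | Format-Table -AutoSize

# 2. What the directory believes about the device object itself.
Get-MgDevice -Filter "displayName eq '$deviceName'" |
    Select-Object DisplayName, DeviceId, TrustType, IsManaged, IsCompliant, ApproximateLastSignInDateTime |
    Format-Table -AutoSize

# 3. What Intune reports for the same machine (AzureAdDeviceId should match DeviceId from step 2).
Get-MgDeviceManagementManagedDevice -Filter "deviceName eq '$deviceName'" |
    Select-Object DeviceName, AzureAdDeviceId, ManagementAgent, ComplianceState, LastSyncDateTime |
    Format-Table -AutoSize

# Reading the output: if step 1 shows an empty DeviceId while steps 2 and 3 show a managed,
# compliant device, the browser session never presented the device identity, so Conditional
# Access evaluated the request as "Non-Compliant Non-Managed" regardless of the device's real state.
```

If step 1 does carry a DeviceId, compare it with the DeviceId from step 2 and the AzureAdDeviceId from step 3; a second, stale device record with the same display name is the other common way the portal and the sign-in can disagree.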