[Conditional Access] Error Code 53000, but device is compliant.

Nathan Abshire 16 Reputation points
2022-01-24T20:35:21.983+00:00

My organization is doing some pilot testing for Azure CA. It's going great for most policies, but one policy in particular has me confused. Here are the details of the policy:

Policy name: (Test) Require MFA and compliant device for Azure management
State: On
User or workload identities: A group called CAPolicyPilotUsers, of which I am the only member.
Cloud apps or actions: Microsoft Azure Management
Conditions: (none)
Grant controls: Require both MFA and "Require device to be marked as compliant"
Session: (none)

The policy ensures that the pilot group's members are on compliant devices and that they can pass MFA challenges. MFA has been going well. However, the compliant device requirement has proven to be difficult.

!! Important to know going into this troubleshooting: I am testing on two devices. One device is joined to the matching on-prem work domain (I believe a policy auto-enrolls the device into MDM). The other device (the one with the issue) is a home PC that has been registered in MDM (in this case, Intune) via Company Portal. The Company Portal app's setup is complete and the status is healthy.

When signing in on the home PC, the following error message is provided:
[screenshot: 168032-2022-01-24-14-10-35-sign-in-to-microsoft-azure-wor.png]

This was snipped from Edge. The Windows 10 personal PC is completely up to date. The Edge profile matches the account being used to sign into the Microsoft Company Portal (in-scope for our CA's app target - Azure portal was also tested, and got the same issue).
Error 53000 indicates that the device isn't compliant. I beg to differ! Here's the personal PC, NATHAN-DESKTOP, when inspected in Azure:
[screenshot: 168005-inked2022-01-24-14-18-01-nathan-desktop-microsoft.jpg]

Here's the same machine's compliance policy info:
[screenshot: 167989-inked2022-01-24-14-17-49-nathan-desktop-microsoft.jpg]

Heck, even Company Portal on that machine shows the device is compliant.

Yet, when running the Azure troubleshooter, the diagnostic info about the sign-in reports that the access control called "Require device to be marked as compliant" was submitted by the client as "Non-Compliant Non-Managed", which contradicts what I'm seeing when inspecting the device.

So, exactly how "compliant" does my compliant device need to be here? Azure says it's simultaneously compliant and non-compliant, depending where I'm looking.

Thank you in advance for any help or guidance :)

~Nathan


10 answers

  1. Shaker Alsharman 0 Reputation points
    2023-09-04T12:15:52.5633333+00:00

    Error Code: 53000

    Request Id: ea9d67cd-6088-43ca-bdb4-e2ed12285100

    Correlation Id: f355ce37-c237-46b3-9f2c-5aad01171cd2

    Timestamp: 2023-09-04T12:09:51.040Z

    App name: Microsoft Office

    App id: d3590ed6-52b3-4102-aeff-aad2292ab01c

    IP address: 2001:16a2:78a8:6c00:843:f81a:67b4:b40b

    Device identifier: 1be6c952-c81a-4856-ab79-ee78043dd197

    Device platform: Windows 10

    Device state: Managed


  2. LDAdmin 1 Reputation point
    2022-09-22T16:05:49.973+00:00

    I had the same error. What I discovered was that the user's personal PC was noted as a Company device instead of Unassigned, unlike other home users.
    [screenshot: 243900-win762015.png]


  3. Nathan Abshire 1 Reputation point
    2022-03-21T19:08:58.757+00:00

    @Felippe Borges and everyone else,

    I have solved my issue. The issue is that the workstation in question was running Windows 10 Home, and not Windows 10 Pro. I upgraded the workstation from Home to Pro, and this resolved all remaining issues with device enrollment and conditional access using device compliance.

    I'm sure there are other causes, but this was the cause for my particular issue. Apparently Home does not provide the framework to officially declare device compliance.

    Hope this helps!
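The two checks this thread turns on are (a) what device state the client actually presented at sign-in versus what the directory object says, from the original question, and (b) the Windows edition and join state of the affected PC, from the answer above. The following PowerShell is an added example and not code from the thread or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in admin can read sign-in logs and device objects.

```powershell
# Added example (not from the thread). Assumes Microsoft.Graph PowerShell SDK and
# an account holding AuditLog.Read.All and Directory.Read.All.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# 1. Pull recent sign-ins that failed with 53000. DeviceDetail is the device claim
#    the client presented, i.e. what Conditional Access evaluated.
$since    = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
$failures = Get-MgAuditLogSignIn -All -Filter "status/errorCode eq 53000 and createdDateTime ge $since"

foreach ($s in $failures) {
    $d   = $s.DeviceDetail
    $dir = $null
    # 2. Look up the directory object for the same device id (if one was presented)
    #    so the claim can be compared with what the portal shows.
    if ($d.DeviceId) { $dir = Get-MgDevice -Filter "deviceId eq '$($d.DeviceId)'" }

    $verdict = if (-not $d.DeviceId) {
        "No device identity in the token: check join/registration and Windows edition on the PC"
    } elseif ($dir -and $dir.IsCompliant -and -not $d.IsCompliant) {
        "Directory says compliant but the client did not present compliance: check PRT and Intune sync"
    } else {
        "Device is not compliant in the directory either: review the Intune compliance policy"
    }

    [pscustomobject]@{
        When                 = $s.CreatedDateTime
        User                 = $s.UserPrincipalName
        App                  = $s.AppDisplayName
        ClientDeviceId       = $d.DeviceId
        ClientTrustType      = $d.TrustType
        ClientIsManaged      = $d.IsManaged
        ClientIsCompliant    = $d.IsCompliant
        DirectoryIsManaged   = if ($dir) { $dir.IsManaged }   else { $null }
        DirectoryIsCompliant = if ($dir) { $dir.IsCompliant } else { $null }
        DirectoryOS          = if ($dir) { "$($dir.OperatingSystem) $($dir.OperatingSystemVersion)" } else { $null }
        Verdict              = $verdict
    } | Format-List
}

# 3. On the affected PC itself: confirm the edition (the root cause found in this thread
#    was Home rather than Pro) and whether the device has an Entra identity and PRT.
(Get-CimInstance Win32_OperatingSystem).Caption
dsregcmd /status | Select-String 'AzureAdJoined|WorkplaceJoined|AzureAdPrt|MdmUrl'
```

Run the first two steps from an admin workstation and the last step on the PC that receives the 53000 error; a row with an empty ClientDeviceId means Conditional Access never saw a device claim, which is what the Home-edition case in this thread looked like.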


  4. Felippe Borges 56 Reputation points
    2022-03-18T22:31:24.157+00:00

    Hello Nathan! How are you?

    Have you fixed your issue? I'm having the issue with Teams and OneDrive.

    I'm using Windows 10; it wasn't enrolled by Intune.

    Activity Details: Sign-ins

    Failure reason: Device is not in required device state: {state}. Conditional Access policy requires a compliant device, and the device is not compliant. The user must enroll their device with an approved MDM provider like Intune.


  5. Nathan Abshire 16 Reputation points
    2022-02-03T13:40:23.003+00:00

    Okay, well, the sync error is now resolved! There was a personal VPN connection causing DNS issues and, when disabled, the sync is able to complete within minutes. I'll be keeping the VPN disabled for the remainder of the troubleshooting. Under the MDM item I can now see "Last Attempted Sync: The sync was successful"

    However, this still did not solve the CAP issue. The Azure Management resources are still blocked in any browser, and the message still says that my device doesn't meet the org's requirements.

    Edit: don't know if it will help, but on the same pane where I can view the sync status, there's an option to create an MDM advanced diagnostic report, and I've attached that here.
    [attachment: 170989-mdm-diagnostic-report.pdf]