question

0 Votes
Sjoerd-0632 asked ·

Continuous Re-Authentication on Android Devices

We have a problem with applying Conditional Access to Android devices.

"UserA@domain.com" is a member of group "GroupA". GroupA has some Conditional Access policies:

  1. Restrict SharePoint

  2. Block Legacy

So the What If results are:

[screenshot: What If results]

The problem is that the users of GroupA have to re-authenticate every 1 or 2 hours on an Android device.

The error in Azure AD is:

[screenshot: Azure AD error]

On iOS (same Conditional Access policy) the problem does not exist.

First I thought that my ADFS infrastructure was the problem, because (test) users like userb@domain.onmicrosoft.com don't have the problem.

So last week we migrated from ADFS to Pass-through Authentication. But the problem still exists.

Tried so far:

  • Exempt ADFS infrastructure

  • Multiple Android versions (5, 7, 9)

  • Multiple users (@*.onmicrosoft.com accounts do not have the problem)

  • iOS devices (no problems)

  • Windows devices (no problems)

  • Registered Android device (work profile) (also works fine)

  • Change passwords

  • Contact Microsoft (Conditional Access policies are fine, please contact Android Outlook)

Can somebody point me in the right direction?

azure-ad-conditional-access

Update: when I use Bluemail on the same device with the same user, the problem does not exist.

0 Votes 0 ·

@Sjoerd-0632

Has the device been enrolled with Intune?
When you are using Bluemail from the device, you are ideally making a browser/authentication call.

0 Votes 0 ·

The devices are NOT enrolled in Intune. This is a BYOD scenario.
The company-owned devices (which are enrolled in Intune) do not have the problem.

Bluemail shows the exact same login screens as Outlook; both use Modern Authentication.

0 Votes 0 ·

I've tested 2 new scenarios.

Created the CA policies on another Azure AD tenant. Result = same problem

Created the CA policies on another Azure AD tenant which has only password hash sync. Result = this works fine

0 Votes 0 ·

1 Answer

0 Votes
MarileeTurscak answered ·

It seems like it might be unable to check for compliance, or there might be a policy or control in place that could be causing this. https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/conditions

Are you able to pull the Azure AD sign-in logs and compare the authentication attempts?

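Since the answer suggests pulling the Azure AD sign-in logs and comparing attempts, the following added example (not code from the thread, nor from Microsoft) groups exported sign-in records by device OS and client app and measures the interval between repeated failures. It assumes records in the Microsoft Graph `signIn` JSON shape (`deviceDetail.operatingSystem`, `status.errorCode`, `appliedConditionalAccessPolicies`) and uses constructed sample data, including the error code.

```python
"""Summarize Azure AD sign-in records by device OS and client app (added example,
not code from the thread). Assumes the Microsoft Graph 'signIn' JSON shape; the
records below are constructed sample data, error codes included."""
import json
from collections import Counter, defaultdict
from datetime import datetime

def _rec(ts, os_name, app, code, ca_result):
    # One constructed sign-in record; errorCode 0 means success.
    return {"createdDateTime": ts, "userPrincipalName": "usera@domain.com",
            "appDisplayName": app, "deviceDetail": {"operatingSystem": os_name},
            "status": {"errorCode": code},
            "appliedConditionalAccessPolicies": [
                {"displayName": "Restrict SharePoint", "result": ca_result},
                {"displayName": "Block Legacy", "result": "notApplied"}]}

# Constructed export mirroring the thread: Android Outlook is re-prompted about
# every 1-2 hours, while iOS Outlook and Android Bluemail stay signed in.
SAMPLE_SIGNINS = json.dumps([
    _rec("2020-05-04T08:00:00Z", "Android", "Outlook Mobile", 0, "success"),
    _rec("2020-05-04T09:30:00Z", "Android", "Outlook Mobile", 50074, "failure"),
    _rec("2020-05-04T09:31:00Z", "Android", "Outlook Mobile", 0, "success"),
    _rec("2020-05-04T11:00:00Z", "Android", "Outlook Mobile", 50074, "failure"),
    _rec("2020-05-04T08:00:00Z", "iOS", "Outlook Mobile", 0, "success"),
    _rec("2020-05-04T08:05:00Z", "Android", "BlueMail", 0, "success"),
])

def summarize_signins(raw_json):
    """Per (OS, app): success/failure counts, error codes and CA policy results."""
    summary = defaultdict(lambda: {"success": 0, "failure": 0,
                                   "error_codes": Counter(), "ca_results": Counter()})
    for rec in json.loads(raw_json):
        key = (rec.get("deviceDetail", {}).get("operatingSystem", "unknown"),
               rec.get("appDisplayName", "unknown"))
        bucket, code = summary[key], rec.get("status", {}).get("errorCode", 0)
        if code == 0:
            bucket["success"] += 1
        else:
            bucket["failure"] += 1
            bucket["error_codes"][code] += 1
        for pol in rec.get("appliedConditionalAccessPolicies", []):
            bucket["ca_results"][(pol.get("displayName"), pol.get("result"))] += 1
    return dict(summary)

def reauth_gaps_hours(raw_json, os_name, app):
    """Hours between consecutive failed sign-ins for one OS/app: the re-prompt cadence."""
    fails = sorted(datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
                   for r in json.loads(raw_json) if r["status"]["errorCode"] != 0
                   and r["deviceDetail"]["operatingSystem"] == os_name and r["appDisplayName"] == app)
    return [round((b - a).total_seconds() / 3600, 2) for a, b in zip(fails, fails[1:])]
```

Run it against the JSON download of a real sign-in log instead of `SAMPLE_SIGNINS` and set the Android/Outlook bucket beside iOS/Outlook and Android/Bluemail; a failure code and CA policy result that appear only in the Android/Outlook bucket narrow the problem to that client.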