JWorth-6647 asked (edited by LuDaiMSFT-0289):

Conditional Access - App Enforced Policies - SharePoint File download from Personal enrolled Compliant device

We have recently rolled out conditional access linked with SharePoint limited access from unmanaged devices. We have a member of staff who has enrolled a personal Windows device into Intune and it's showing as compliant. However, they are unable to download files from SharePoint onto the device. The conditional access policy grants access from desktop apps if the device is marked as compliant OR Hybrid Azure AD joined. The device satisfies the "Marked as compliant" requirement. I am unsure why they are unable to download documents to their device, as the conditional access policy requirements are satisfied.

Attached is a picture of the policy as well as the "What If" output.

Any help/advice would be greatly appreciated.

Many thanks.


Tags: azure-ad-conditional-access, mem-intune-conditional-access

MarileeTurscak-MSFT answered:

Hi @JWorth-6647,

Issue summary
Users have compliant devices, but are getting blocked by a Conditional Access policy that requires compliant devices.

Symptoms
This can happen for a number of reasons that are documented in the Conditional Access troubleshooting guide under the section "Devices appear compliant but users are still blocked". Common reasons are related to users lacking proper licensing, device compliance information taking some extra time to register for the device, and issues with certain device profiles.

Troubleshooting steps

1) Ensure that the user has an Intune license assigned for proper compliance evaluation.

2) Non-Knox Android devices need to click the Get Started Now link in the quarantine email they receive to be granted access. This applies even if the users are already enrolled in Intune.

3) When a device is first enrolled, it might take some time for compliance information to be registered for a device. Wait a few minutes and try again.

4) For iOS/iPadOS devices, an existing email profile might block the deployment of an Intune admin-created email profile assigned to that user, making the device noncompliant. In this scenario, the Company Portal app will notify the user that they aren't compliant because of their manually configured email profile, and it prompts the user to remove that profile.

5) A device might get stuck in a checking-compliance state, preventing the user from starting another check-in. If you have a device in this state:

Make sure the device is using the latest version of the Company Portal app.
Restart the device.
See if the problem persists on different networks (for example, cellular, Wi-Fi, etc.).
If the problem remains, contact Microsoft Support as described in Get support in Microsoft Endpoint Manager.

6) Check the additional troubleshooting steps in Troubleshooting Conditional Access: "Devices appear compliant but users are still blocked".

7) If you check the Troubleshooting and support tab under Azure Active Directory > Sign-ins > Troubleshooting and support, you should be able to see a clear reason why the sign-in failed such as a device that didn't meet compliance requirements.

If you still have this issue after checking these settings, you might need to create a support case to get this resolved. Please check the troubleshooting steps and if you still have this problem, feel free to reach out to me and I can help get a support case created.



If this answer was helpful to you, please remember to "mark as answer" so that others in the community with similar questions can more easily find a solution.

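As an added example (not part of this thread and not Microsoft tooling), the following Python triage works through step 7 offline: it reads sign-in records in the shape returned by Microsoft Graph's `auditLogs/signIns` endpoint (fields `conditionalAccessStatus`, `deviceDetail`, `appliedConditionalAccessPolicies`) and separates "the client never presented a device identity" from "the device was presented but was not reported compliant at sign-in time". The three records, user names and policy names below are constructed; the field names are the Graph ones.

```python
import json

# Constructed sample records in the shape of Microsoft Graph `auditLogs/signIns` items,
# trimmed to the fields this triage reads. These are not real sign-ins.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Office",
  "conditionalAccessStatus": "success",
  "deviceDetail": {"deviceId": "11111111-aaaa-4bbb-8ccc-000000000001",
                   "operatingSystem": "Windows 11", "isCompliant": true, "isManaged": true},
  "appliedConditionalAccessPolicies": [
    {"displayName": "Require compliant device for SharePoint", "result": "success",
     "enforcedGrantControls": ["RequireCompliantDevice"]}]},
 {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Microsoft Office",
  "conditionalAccessStatus": "failure",
  "deviceDetail": {"deviceId": "11111111-aaaa-4bbb-8ccc-000000000002",
                   "operatingSystem": "Windows 10", "isCompliant": false, "isManaged": true},
  "appliedConditionalAccessPolicies": [
    {"displayName": "Require compliant device for SharePoint", "result": "failure",
     "enforcedGrantControls": ["RequireCompliantDevice"]}]},
 {"userPrincipalName": "carol@contoso.example", "appDisplayName": "Microsoft Office",
  "conditionalAccessStatus": "failure",
  "deviceDetail": {"deviceId": "", "operatingSystem": "Windows 10",
                   "isCompliant": false, "isManaged": false},
  "appliedConditionalAccessPolicies": [
    {"displayName": "Require compliant device for SharePoint", "result": "failure",
     "enforcedGrantControls": ["RequireCompliantDevice"]}]}
]""")

NO_DEVICE = "no device identity in sign-in: client did not present device state"
NOT_COMPLIANT = "device presented but not reported compliant at sign-in time"


def triage_signin(entry: dict) -> dict:
    """Summarise one sign-in: did CA fail, and what did the token say about the device?"""
    device = entry.get("deviceDetail") or {}
    findings = []
    if entry.get("conditionalAccessStatus") == "failure":
        # An empty deviceId means the app never sent a device claim, so Intune's own
        # compliance view is irrelevant to this sign-in; that is a different fix than a
        # device that was presented but had not yet synced a compliant state.
        if not device.get("deviceId"):
            findings.append(NO_DEVICE)
        elif not device.get("isCompliant"):
            findings.append(NOT_COMPLIANT)
        for policy in entry.get("appliedConditionalAccessPolicies", []):
            if policy.get("result") == "failure":
                findings.append(f"policy failed: {policy.get('displayName')} "
                                f"(grant controls {policy.get('enforcedGrantControls')})")
    return {"user": entry.get("userPrincipalName"), "app": entry.get("appDisplayName"),
            "ca_status": entry.get("conditionalAccessStatus"), "findings": findings}


def triage_signins(entries: list) -> list:
    """Run the triage over a list of sign-in records (e.g. one Graph page of results)."""
    return [triage_signin(e) for e in entries]


if __name__ == "__main__":
    for result in triage_signins(SAMPLE_SIGNINS):
        print(result)
```

To run it against real data, fetch the records with the Graph endpoint named above and pass the `value` array to `triage_signins`.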

JWorth-6647 answered (edited by LuDaiMSFT-0289):

Many thanks for your detailed response. The device is a personal Windows 10/11 device and Intune says that it's compliant; however, access is still blocked for an installed version of Microsoft Office.

The screenshot below shows the device in question as being compliant:

[screenshot attached]


However, when attempting to open a document in Microsoft Office, it says that the device doesn't meet the organisation's compliance requirements:

[screenshot attached]

The detailed Conditional Access policy is as follows:

[three screenshots of the policy attached]

Many thanks.




@JWorth-6647 From the screenshot you provided, I have noticed that the UPN shows null. However, it shows the UPN in my environment. I'm not sure if there is any connection with this issue.

For this strange situation, it is suggested that you create an online support ticket to get more accurate help. It is free. Here is the support link:
https://docs.microsoft.com/en-us/mem/get-support
