Forum Discussion
Android Fully Managed devices treated as personal after AD password change
Hello!
We have a huge problem...
We have recently observed an issue in our organization affecting Android Fully Managed devices.
After users change their domain password, within 1–3 days Conditional Access starts blocking access to Outlook and Teams. The system appears to treat the device as non-corporate, even though in Intune the device is still present, marked as corporate, and fully functional. It synchronizes both manually and automatically, and remote actions can be executed without any issues.
However, when users open Outlook or Teams, they receive messages such as “We need to secure your device” and “Install the Intune app from Google Play,” which does not make sense because Intune is already installed on the device.
When opening the Intune app, users see a “Update your password” prompt. After selecting it, they are redirected to a device registration screen.
Previously, it was sometimes possible to complete this process (although we did not understand why it was required), but recently re-registration consistently fails. The user clicks “Register,” and the process spins indefinitely without completing.
This issue is very difficult to troubleshoot. Device logs are not particularly helpful, and all users have Microsoft Authenticator configured. The problem appears randomly across users with no clear pattern—some devices were enrolled over a year ago, others just a month ago.
The only clue we have found so far points to a potential issue with the broker authentication token, but we do not know how to verify or resolve this, nor why it is happening in the first place.
We have been experiencing this issue since around January this year, but we noticed a significant increase in cases this month. In addition, there are more and more devices that can no longer be re‑registered from within the Intune app.
Has anyone encountered a similar issue or can provide guidance on how to investigate or fix this?
2 Replies
- Allan Solomon MejiaTin Contributor
Hi dammas,
I've seen similar behavior when the device registration state in Microsoft Entra ID falls out of sync with the compliance state in Intune. Even though the device remains compliant in Intune, Conditional Access evaluates it as unmanaged because the broker token or device registration isn't being refreshed correctly after the password change. In addition to excluding the Intune apps from your Conditional Access policy as suggested, I'd recommend checking the Microsoft Entra sign-in logs for the affected users. Specifically, compare the Device ID, Join Type, and Compliant attributes in the sign-in details against what's shown in Intune. Any mismatch can help pinpoint whether the issue is with registration, token renewal, or compliance evaluation.
Since the issue has become more widespread since January, I'd also review recent changes to your Conditional Access policies, authentication methods, and Android Enterprise enrollment configuration. If multiple users are affected with no common device model or Android version, it may indicate a service-side regression rather than a configuration issue.
If you haven't already, I'd recommend opening a Microsoft support case and providing correlation IDs from the failed sign-ins along with Intune diagnostics from an affected device. That gives Microsoft the telemetry needed to trace the authentication and device registration flow end to end.
- rahuljindalBronze Contributor
Your issue is a typical chicken and egg kind of a problem. M365 apps need to authenticate successfully to allow device state to be shared with Entra. However, your CA policies require a compliant device to be able to allow access to corporate data and complete the authentication process. Since the device state is not being captured or not recent, your users are stuck in a limbo. There are number if ways to address this, but the most effective way is to add Microsoft Intune and Microsoft Intune Enrollment apps in exclusion in resources of your CA policy in question. This should allow the enrolment\registration state to complete and re-evaluate the compliance data for Entra.