Forum Discussion
Android Fully Managed devices treated as personal after AD password change
Hi dammas,
I've seen similar behavior when the device registration state in Microsoft Entra ID falls out of sync with the compliance state in Intune. Even though the device remains compliant in Intune, Conditional Access evaluates it as unmanaged because the broker token or device registration isn't being refreshed correctly after the password change. In addition to excluding the Intune apps from your Conditional Access policy as suggested, I'd recommend checking the Microsoft Entra sign-in logs for the affected users. Specifically, compare the Device ID, Join Type, and Compliant attributes in the sign-in details against what's shown in Intune. Any mismatch can help pinpoint whether the issue is with registration, token renewal, or compliance evaluation.
Since the issue has become more widespread since January, I'd also review recent changes to your Conditional Access policies, authentication methods, and Android Enterprise enrollment configuration. If multiple users are affected with no common device model or Android version, it may indicate a service-side regression rather than a configuration issue.
If you haven't already, I'd recommend opening a Microsoft support case and providing correlation IDs from the failed sign-ins along with Intune diagnostics from an affected device. That gives Microsoft the telemetry needed to trace the authentication and device registration flow end to end.