Conditional Access Policy Not Allowing Users to Access AVD

vis-mes​ 

Hi,

you do know that you are requiring a Compliant device in order to be able to use AVDs and also mentioned you are excluding AVD itself, Windows 365, and Azure Windows VM sign-in from the target resources.

The problem is that this protects the session hosts but does not affect the client device connecting.

In your case the CA policy is most likely enforcing device compliance for the local client device. 

Access via browser works because the browser path uses different Conditional Access signals than the Windows App client.

Check this Link specifc for your case also:

https://learn.microsoft.com/en-us/intune/intune-service/protect/app-based-conditional-access-intune

What are you expectations reagrding this CAP for the Grant Control "Require Device to be marked as compliant"?

Good luck!