Forum Discussion
Conditional Access Policy Not Allowing Users to Access AVD
We have an existing conditional access policy which requires a user's device to be marked as "compliant" in order to access "All Agent Resources". We are trying to deploy an AVD as an alternative to allowing users to use personal devices, but this CA policy seems to be interfering with users being able to access the AVD via Windows App. The device they're accessing from isn't "Compliant", with Intune enrollment being one of the requirements for being compliant. Again, we do not want to allow personal devices into Intune, which the MSP allowed previously.
For the CA policy, it's applied to all users EXCEPT for specific users in an exclusion group. Putting users in this exclusion group allows them to access the AVD via Windows App, but at this point they can just access all resources from their personal machine, defeating the purpose of the AVD.
Target Resources
Include All Resources
Exclude: The AVD Itself, Windows 365, Azure Virtual Desktop, Azure Windows VM Sign-in
Conditions
Device Platforms - Windows, macOS
Client apps - Browser, Mobile apps and desktop clients, Exchange ActiveSync clients, Other clients are checked
Grant Access
Require MFA and Require device to be marked as compliant are both checked.
Access to the AVD works in the browser but not in Windows App.
1 Reply
- Bogdan_Guinea (Iron Contributor)
Hi,
You do know that you are requiring a compliant device in order to be able to use AVDs, and you also mentioned you are excluding AVD itself, Windows 365, and Azure Windows VM Sign-in from the target resources.
The problem is that this protects the session hosts but does not affect the client device connecting.
In your case the CA policy is most likely enforcing device compliance for the local client device.
Access via browser works because the browser path uses different Conditional Access signals than the Windows App client.
Check this link, specific for your case, also:
https://learn.microsoft.com/en-us/intune/intune-service/protect/app-based-conditional-access-intune
What are your expectations regarding this CAP for the Grant Control "Require device to be marked as compliant"?
Good luck!
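As an added triage example (not code from either participant), the script below works through the check the reply points at: pull the Entra sign-in records for the Windows App client, list which resource each denied token request targeted, and compare that against the policy's exclusion list from the original post. It assumes the record shape of Microsoft Graph `auditLogs/signIns`; the records themselves are constructed, and "Placeholder Resource" stands in for whichever additional resource the client requested that is not on the exclusion list.

```python
"""Added example: find which resources a client was denied on by a named
Conditional Access policy and whether the policy's exclusion list covers them.
Record shape follows Microsoft Graph auditLogs/signIns; data is constructed."""
from collections import defaultdict

# Exclusions as listed in the post's "Target Resources" section.
EXCLUDED_RESOURCES = {"Windows 365", "Azure Virtual Desktop",
                      "Azure Windows VM Sign-in"}

# Constructed sample records. "Placeholder Resource" is not a real app name;
# it represents an extra resource the client requested a token for.
SAMPLE_SIGNINS = [
    {"appDisplayName": "Windows App", "resourceDisplayName": "Azure Virtual Desktop",
     "deviceDetail": {"isCompliant": False},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require compliant device", "result": "notApplied",
          "enforcedGrantControls": []}]},
    {"appDisplayName": "Windows App", "resourceDisplayName": "Placeholder Resource",
     "deviceDetail": {"isCompliant": False},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require compliant device", "result": "failure",
          "enforcedGrantControls": ["Mfa", "CompliantDevice"]}]},
    {"appDisplayName": "Browser", "resourceDisplayName": "Azure Virtual Desktop",
     "deviceDetail": {"isCompliant": False},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require compliant device", "result": "notApplied",
          "enforcedGrantControls": []}]},
]

def denied_resources(signins, policy_name, client_app):
    """Map resource -> grant controls enforced when policy_name reported a
    failure for sign-ins coming from client_app."""
    denied = defaultdict(set)
    for rec in signins:
        if rec.get("appDisplayName") != client_app:
            continue
        for pol in rec.get("appliedConditionalAccessPolicies", []):
            if pol.get("displayName") == policy_name and pol.get("result") == "failure":
                denied[rec["resourceDisplayName"]].update(pol.get("enforcedGrantControls", []))
    return dict(denied)

def not_excluded(denied, excluded=EXCLUDED_RESOURCES):
    """Denied resources the exclusion list does not reach: the client needs
    them, but the policy still applies its grant controls to them."""
    return sorted(r for r in denied if r not in excluded)

if __name__ == "__main__":
    d = denied_resources(SAMPLE_SIGNINS, "Require compliant device", "Windows App")
    for r in not_excluded(d):
        print(f"{r}: denied, controls {sorted(d[r])}, not in exclusion list")
```

Run against real exports, the resources this prints are the ones to reconcile with the policy's target-resource exclusions before deciding whether the client device or the policy scope is the problem.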