Forum Discussion
No user affinity - conditional access
Hi Alo Press
What confuses me in this scenario is why a device with no user affinity can show as Compliant in Endpoint Manager Center if it has a compliance policy assigned, while the same device still shows as N/A for compliance in the Azure Portal.
(Screenshots: Endpoint Manager Center and Azure Portal)
ThoDeutschmann Hmm, right. OK, I think I get the core of the issue now, and here is my humble hunch on it. First, Azure AD displays more states for devices than Intune and comes into play before your devices are even enrolled - that can be the N/A state that you guys are reporting. My take utilises credentials, but the logic itself should be similar for unaffiliated devices. Read more about Device Identity at https://docs.microsoft.com/en-gb/azure/active-directory/devices/overview and about Azure AD registered devices at https://docs.microsoft.com/en-gb/azure/active-directory/devices/concept-azure-ad-register
So to first recreate the N/A state for a device you can do the following with a new device:
- Install Company Portal on mobile device
- Sign in to the Company Portal app but do not enrol
- From Azure AD > Devices, you can see a device without Compliance
The potential fix may vary depending on the exact scenario (and there are more I am sure):
- If the device isn't already managed, enrol it into Intune
- After enrolment make sure that you do not get a notification under your Devices menu
- Sync the device and note the change in Azure AD device list
Although this scenario applies to new devices, it should have similarities to existing devices. I just checked my test tenant, and in there I did have a device that reported a similar state: in Azure AD I had an N/A compliance and in Intune it was OK. To dig deeper I opened my impacted device and checked the Company Portal app; it was reporting not being Registered even though my device was already in Intune. Unfortunately I was unable to get a screenshot of that before it resolved itself, and that also resolved the incorrect reporting in Azure AD.
Alternatively, you can check whether the devices that you have in the N/A state are actually the devices you have in Intune. In some cases there can be multiple entries for one device; this can be verified by comparing the Azure AD Device ID in AAD and in Intune.
And for more destructive testing, you could unenrol the device, delete its Intune record and then its Azure AD record; most likely the new enrolment would result in both records reporting correct information.
Sorry for the long post, hopefully it helps.
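One way to run the Azure AD Device ID comparison suggested in the reply above, as an added example that is not from the thread. It assumes records shaped like the Microsoft Graph `device` (Azure AD) and `managedDevice` (Intune) resources; the field names are the real Graph ones, while the device records themselves are constructed sample data:

```python
# Added example (not from the thread): reconcile Azure AD device records with
# Intune managed-device records by Azure AD Device ID, as the reply suggests.
# Field names follow the Microsoft Graph "device" and "managedDevice" resources;
# the records below are constructed sample data, not exported from a tenant.
from collections import defaultdict

# Azure AD > Devices view (Graph /devices): deviceId, isCompliant, isManaged
AAD_DEVICES = [
    {"deviceId": "aaaa-0001", "displayName": "PHONE-01", "isCompliant": None, "isManaged": False},
    {"deviceId": "aaaa-0002", "displayName": "PHONE-02", "isCompliant": True, "isManaged": True},
    {"deviceId": "aaaa-0003", "displayName": "PHONE-03", "isCompliant": None, "isManaged": True},
]

# Intune view (Graph /deviceManagement/managedDevices): azureADDeviceId, complianceState
INTUNE_DEVICES = [
    {"azureADDeviceId": "aaaa-0002", "deviceName": "PHONE-02", "complianceState": "compliant"},
    {"azureADDeviceId": "aaaa-0003", "deviceName": "PHONE-03", "complianceState": "compliant"},
    {"azureADDeviceId": "aaaa-0003", "deviceName": "PHONE-03", "complianceState": "unknown"},  # stale duplicate
]


def reconcile(aad_devices, intune_devices):
    """Return device IDs grouped as 'unenrolled', 'duplicate' or 'mismatch'."""
    by_aad_id = defaultdict(list)
    for md in intune_devices:
        by_aad_id[md["azureADDeviceId"]].append(md)

    findings = {"unenrolled": [], "duplicate": [], "mismatch": []}
    for dev in aad_devices:
        records = by_aad_id.get(dev["deviceId"], [])
        if not records:
            # Registered in Azure AD but never enrolled: compliance shows N/A
            findings["unenrolled"].append(dev["deviceId"])
            continue
        if len(records) > 1:
            # More than one Intune record for a single Azure AD Device ID
            findings["duplicate"].append(dev["deviceId"])
        # Intune says compliant while Azure AD does not: the symptom from the thread
        intune_ok = any(r["complianceState"] == "compliant" for r in records)
        if intune_ok and dev["isCompliant"] is not True:
            findings["mismatch"].append(dev["deviceId"])
    return findings


if __name__ == "__main__":
    for category, ids in reconcile(AAD_DEVICES, INTUNE_DEVICES).items():
        print(f"{category}: {ids}")
```

With real data, export both lists from Graph (or the two portals) and feed them to `reconcile`; the "mismatch" and "duplicate" lists are the devices to check in Company Portal or clean up as described above.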