Forum Discussion
José Leonardo Ovalles Jimenez
Feb 07, 2024 (Copper Contributor)
Conditional access with a Device compliant not working
I have this scenario:
1- Created policy:
- Applies to all apps
- Any device
- 2 access controls: MFA or Compliant device
The problem is that it always asks for MFA even if the device is compliant
- MatejKlemencic, Brass Contributor
Please review your sign-in logs to verify if the Device ID and Compliance status are listed under Device Info.
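The check described in the reply above, as an added example that is not part of the thread: it pulls a user's recent sign-ins with the Microsoft Graph PowerShell SDK and prints the fields the compliant-device control depends on (device ID, compliance and management state, trust type), the authentication requirement Entra applied, and each Conditional Access policy that was evaluated with its result and enforced grant controls. The UPN and the scopes are assumptions; the module and cmdlet names are the real ones from the Microsoft.Graph.Reports module.

```powershell
# Added example, not from the original thread.
# Requires the Microsoft.Graph.Reports module (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$upn = "user@contoso.com"   # placeholder: the user who keeps getting prompted for MFA

# Sign-in records carry a deviceDetail block and the list of CA policies that were applied.
$signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn'" -Top 25

$signIns | ForEach-Object {
    $d = $_.DeviceDetail
    [pscustomobject]@{
        When        = $_.CreatedDateTime
        App         = $_.AppDisplayName
        DeviceId    = $d.DeviceId          # empty: no device identity was presented, so compliance cannot be evaluated
        IsCompliant = $d.IsCompliant       # must be True for the "Require device to be marked as compliant" control
        IsManaged   = $d.IsManaged
        TrustType   = $d.TrustType         # AzureAd, ServerAd (hybrid) or Workplace (registered)
        AuthReq     = $_.AuthenticationRequirement   # singleFactorAuthentication or multiFactorAuthentication
        Policies    = ($_.AppliedConditionalAccessPolicies | ForEach-Object {
                          "$($_.DisplayName)=$($_.Result) [$($_.EnforcedGrantControls -join ',')]"
                      }) -join '; '
    }
} | Format-Table -AutoSize
```

If DeviceId and IsCompliant are blank on the sign-ins that got prompted, the device identity never reached Entra for that session (typically a browser or client that does not pass the device's primary refresh token), so the "compliant device" side of the OR can never be satisfied and MFA is the only remaining control; that is a different problem from a misconfigured policy and the fix is on the client, not in the CA settings.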
- keenanbrooks, Brass Contributor
Hi,
I'd 100% recommend keeping MFA on anyway, even with device compliance being a setting.
Anyways, at the bottom of the grant settings you will see a "For multiple controls" setting. Is this set to "Require one of the selected controls"?
- José Leonardo Ovalles Jimenez, Copper Contributor
Hello,
Thanks for the answer and for the recommendation.
Yes, the control is set to "Require one of the selected controls".
- keenanbrooks, Brass Contributor
The reason for my above recommendation is only requiring the MFA option on an 'OR' condition puts you at risk of token hijacking. You either only want Device Compliance or both enabled.
However, back to your issue: at that point I don't really know where you could go other than an MS ticket. As a workaround I would recommend spreading out your MFA policies. Create a group for corporate laptop owners and attach the group to the CA policy that requires device compliance.
If your mobiles are BYOD then create a policy for the iOS/Android device platforms requiring an app protection policy and MFA.
Guest users require MFA; this can be done by ticking 'Guest or external users' in the users section.
Your registration campaign for MFA can still be deployed to all users, so there's no issue with a conflict of laptop vs BYOD mobile. And this means that CA policies for accessing admin portals, for example, can still require MFA.
Sorry I couldn't be any more help.
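The split-policy layout suggested in the reply above, as an added example that is not part of the thread: three Conditional Access policies created through the Microsoft Graph PowerShell SDK, with the original "MFA or compliant device" grant shown next to the replacements (compliant device AND MFA for the corporate laptop group, app protection policy AND MFA for iOS/Android, MFA for guests). The group name, the break-glass account and the policy display names are placeholders; the property names and allowed values (builtInControls, includePlatforms, GuestsOrExternalUsers) are the Graph conditionalAccessPolicy schema. Policies are created in report-only state so you can confirm in the sign-in logs which one would fire before anything is enforced.

```powershell
# Added example, not from the original thread.
# Requires the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Groups modules.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All", "User.Read.All"

$corpGroup  = (Get-MgGroup -Filter "displayName eq 'CA-Corporate-Laptops'").Id   # placeholder group name
$breakGlass = (Get-MgUser  -Filter "userPrincipalName eq 'breakglass@contoso.com'").Id  # placeholder; always excluded

# The grant from the original post: either control satisfies the policy.
# With operator "OR", a session that cannot prove device compliance simply falls through to MFA.
$originalGrant = @{ operator = "OR";  builtInControls = @("mfa", "compliantDevice") }

# Policy 1: corporate laptop owners must be on a compliant device (AND MFA, per the recommendation above).
$corpPolicy = @{
    displayName   = "CA01 - Corporate laptops: compliant device and MFA"
    state         = "enabledForReportingButNotEnforced"   # report-only first, then enable
    conditions    = @{
        users        = @{ includeGroups = @($corpGroup); excludeUsers = @($breakGlass) }
        applications = @{ includeApplications = @("All") }
        platforms    = @{ includePlatforms = @("windows", "macOS") }
    }
    grantControls = @{ operator = "AND"; builtInControls = @("compliantDevice", "mfa") }
}

# Policy 2: BYOD mobiles need an app protection policy ("compliantApplication") and MFA.
$byodPolicy = @{
    displayName   = "CA02 - iOS/Android: app protection policy and MFA"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications = @{ includeApplications = @("All") }
        platforms    = @{ includePlatforms = @("iOS", "android") }
    }
    grantControls = @{ operator = "AND"; builtInControls = @("compliantApplication", "mfa") }
}

# Policy 3: guests and external users always get MFA.
$guestPolicy = @{
    displayName   = "CA03 - Guests: MFA"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("GuestsOrExternalUsers") }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

foreach ($p in @($corpPolicy, $byodPolicy, $guestPolicy)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Select-Object DisplayName, State, Id
}
```

Two things to keep in mind when moving these from report-only to enabled: the laptop policy is scoped by group membership and platform, so a corporate user's phone still falls under the BYOD policy rather than the compliance requirement, and the break-glass exclusion is what keeps a misfiring compliance check from locking the tenant's administrators out.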