Forum Discussion

  • Please review your sign-in logs to verify if the Device ID and Compliance status are listed under Device Info.

  • keenanbrooks
    Brass Contributor

    Hi,

    I'd 100% recommend keeping MFA on anyway, even with device compliancy being a setting.

    Anyways, at the bottom of the grant settings you will see a "For multiple controls" setting. Is this set to "require one of the selected controls"?

      • keenanbrooks
        Brass Contributor

        The reason for my above recommendation is that only requiring the MFA option on an 'OR' condition puts you at risk of token hijacking. You either only want Device Compliance or both enabled.

        However, back to your issue, at that point I don't really know where you could go other than an MS ticket. As a workaround, I would recommend spreading out your MFA policies. Create a group for corporate laptop owners and attach the group to the CA policy requiring device compliance.

        If your mobiles are BYOD then create a policy for iOS/Android device platforms requiring app protection policy and MFA.

        Guest users require MFA; this can be done by ticking 'Guest or External users' in the users section.

        Your registration campaign for MFA can still be deployed to all users so there's no issue on a conflict of laptop vs byod mobile. And this means that CA policies for accessing admin portals for example can still require MFA.

        Sorry I couldn't be any more help.
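
Added example, not part of the thread: a small audit for the "For multiple controls" pattern the reply above warns about, where MFA is one of several grant controls joined by "require one of the selected controls". It assumes the policies have been exported as JSON in the shape of Microsoft Graph `conditionalAccessPolicy` objects; the sample policies and the function name `mfa_or_findings` are constructed for illustration.

```python
import json

# Constructed sample in the shape of Microsoft Graph conditionalAccessPolicy
# objects; display names and settings are made up for illustration.
SAMPLE = json.loads("""
[
  {"displayName": "All users - MFA or compliant device", "state": "enabled",
   "grantControls": {"operator": "OR",
                     "builtInControls": ["mfa", "compliantDevice"]}},
  {"displayName": "Corporate laptops - compliant device", "state": "enabled",
   "grantControls": {"operator": "OR",
                     "builtInControls": ["compliantDevice"]}},
  {"displayName": "BYOD mobiles - app protection and MFA", "state": "enabled",
   "conditions": {"platforms": {"includePlatforms": ["iOS", "android"]}},
   "grantControls": {"operator": "AND",
                     "builtInControls": ["mfa", "compliantApplication"]}},
  {"displayName": "Guests - MFA", "state": "enabled",
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
  {"displayName": "Old pilot", "state": "disabled",
   "grantControls": {"operator": "OR",
                     "builtInControls": ["mfa", "compliantDevice"]}}
]
""")


def mfa_or_findings(policies):
    """Return names of enabled policies where MFA is only one option in an OR grant."""
    findings = []
    for policy in policies:
        if policy.get("state") != "enabled":
            continue  # disabled and report-only policies do not gate sign-ins
        grant = policy.get("grantControls") or {}  # may be null (session-only policy)
        controls = grant.get("builtInControls") or []
        # "OR" with a single control is not a real choice, so only flag
        # policies where MFA can be swapped for some other control.
        if grant.get("operator") == "OR" and "mfa" in controls and len(controls) > 1:
            findings.append(policy["displayName"])
    return findings


if __name__ == "__main__":
    for name in mfa_or_findings(SAMPLE):
        print("MFA is optional via OR in:", name)
```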
