Forum Discussion
Conditional access with a Device compliant not working
Thanks for the answer and for the recommendation.
Yes, the control is set to "require one of the selected controls".
The reason for my above recommendation is that only requiring the MFA option on an 'OR' condition puts you at risk of token hijacking. You either only want Device Compliance or both enabled.
However, back to your issue: at that point I don't really know where you could go other than an MS ticket. As a workaround, I would recommend spreading out your MFA policies. Create a group for corporate laptop owners and attach the group to the CA policy to require device compliance.
If your mobiles are BYOD, then create a policy for iOS/Android device platforms requiring an app protection policy and MFA.
Guest users require MFA; this can be done by ticking 'Guest or External users' in the users section.
Your registration campaign for MFA can still be deployed to all users, so there's no issue on a conflict of laptop vs BYOD mobile. And this means that CA policies for accessing admin portals, for example, can still require MFA.
Sorry I couldn't be any more help.
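The check and the policy split described in the reply above, as an added example that is not part of the thread: it lints policy bodies in the Microsoft Graph `conditionalAccessPolicy` JSON shape for a "require one of" grant that MFA alone can satisfy, then builds the three narrower policies. The display names, the placeholder group ID, the report-only state and the "All users" scope on the mobile policy are assumptions.

```python
# Added example: lints Conditional Access policies in the Microsoft Graph
# conditionalAccessPolicy JSON shape. Names and the group ID are constructed.
CORP_LAPTOP_GROUP = "00000000-0000-0000-0000-000000000000"  # placeholder group ID

def audit_grant(policy):
    """Flag grants where MFA alone can satisfy a policy listing stronger controls."""
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    others = sorted(controls - {"mfa"})
    if grant.get("operator") == "OR" and "mfa" in controls and others:
        return [f"{policy['displayName']}: 'require one of' lets MFA alone "
                f"pass, so {', '.join(others)} is never enforced"]
    return []

def make_policy(name, users, controls, operator="OR", platforms=None):
    """Build a policy body; report-only state is an assumption for safe rollout."""
    conditions = {"users": users, "applications": {"includeApplications": ["All"]}}
    if platforms:
        conditions["platforms"] = {"includePlatforms": platforms}
    return {"displayName": name, "state": "enabledForReportingButNotEnforced",
            "conditions": conditions,
            "grantControls": {"operator": operator, "builtInControls": controls}}

# Constructed stand-in for the single policy discussed in the thread.
ORIGINAL = make_policy("All users - MFA or compliant device",
                       {"includeUsers": ["All"]}, ["mfa", "compliantDevice"])

# The split suggested in the reply: one narrow policy per population.
SPLIT = [
    make_policy("Corp laptops - compliant device",
                {"includeGroups": [CORP_LAPTOP_GROUP]}, ["compliantDevice"]),
    make_policy("BYOD mobile - app protection and MFA",
                {"includeUsers": ["All"]},  # assumed scope; narrow as needed
                ["compliantApplication", "mfa"],
                operator="AND", platforms=["iOS", "android"]),
    make_policy("Guests - MFA",
                {"includeUsers": ["GuestsOrExternalUsers"]}, ["mfa"]),
]

def audit_all(policies):
    """Map each policy's display name to its list of findings."""
    return {p["displayName"]: audit_grant(p) for p in policies}

if __name__ == "__main__":
    for name, findings in audit_all([ORIGINAL] + SPLIT).items():
        print(name, "->", findings or "ok")
```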