
Conditional Access Policy require domain joined device error

Jordy Blommaert
New Contributor

A lot of our customers are complaining about the Require Domain Joined device feature in Azure Active Directory. We've configured Hybrid Azure AD through AAD Connect. Devices are now Hybrid Azure AD joined; dsregcmd /status also shows that the device is Hybrid Azure AD Joined.

We've created some Conditional Access Policies where access is blocked when a device is not Hybrid Azure AD Joined. In our Azure AD Sign-in logs we see blocked attempts because the device is not Hybrid Azure AD Joined, even when they work on a corporate PC. What is the reason that sometimes connections are allowed and sometimes the connection is blocked?

 

4 Replies

@Jordy Blommaert, you mention that you have 'some' CA policies, so I am assuming more than one applies when a user signs in. Have you looked at the sign-in logs for an affected user in Azure AD? Look for a successful and a failed one. When you click on it, a window will open from the bottom up; there's a tab there that reads 'Conditional Access'. That should give you some hints as to which CA policy is causing the block and might help in figuring out what's going on.

 

@Steve Hernou We already checked this. We've created some separate policies: one for when the user uses the browser and the other for when the user uses a client app.

The requirement is that the device is Hybrid Azure AD joined in both scenarios.

We have cases where Outlook, SharePoint, etc. are successful, so it knows that the PC is Hybrid Azure AD joined, but if the user uses Power BI the connection is blocked because that same PC is not Hybrid Azure AD joined.

A little remark is that there are also PCs that are used by multiple users, for example in the production facility.

Could it be they're using the Chrome web browser and the required extension in Chrome is not installed? More info: http://www.sysadminlab.net/office-365/chrome-with-azure-ad-conditional-access-and-hybrid-azure-ad-join

We have also seen a few examples where the app simply does not support Hybrid Azure AD join (even Microsoft apps), but I think that is just 2-3 apps.

@Jonas Back, thanks for your answer; we will roll out this extension to the Google Chrome users.
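As an added example (not code from this thread, from Microsoft, or from the linked article), the script below does the triage Steve describes over exported sign-in records instead of by clicking through the portal, and applies the two explanations that came up later in the thread. It takes records shaped like the Microsoft Graph `auditLogs/signIns` resource (`conditionalAccessStatus`, `deviceDetail.trustType`, `deviceDetail.browser`, `clientAppUsed`, `appliedConditionalAccessPolicies[].result`), picks out sign-ins that a CA policy blocked while Azure AD saw no Hybrid Azure AD joined device state, and checks whether the same user has successful Hybrid joined sign-ins from other clients. That separates "the PC is not joined" (go run dsregcmd /status) from "this client did not present the device identity" (Chrome without the Windows 10 Accounts extension, or an app that does not support device-based Conditional Access). The sample records, user names, device ID and policy names are constructed for illustration; the 53001 error code is Azure AD's "Device is not domain joined" code.

```python
"""Triage Azure AD sign-in records for "device not Hybrid Azure AD joined" CA blocks.

Input records use the field names of the Microsoft Graph `signIn` resource
(auditLogs/signIns). The records below are constructed samples, not real logs.
"""
from collections import defaultdict

HYBRID = "Hybrid Azure AD joined"  # trustType Azure AD reports for Hybrid joined devices
PC1 = "1f2e3d4c-0000-4000-8000-000000000001"  # constructed deviceId of one corporate PC

# Constructed sample sign-ins; UPNs and policy names are hypothetical.
# errorCode 53001 is AADSTS53001 "Device is not domain joined".
SAMPLE_SIGNINS = [
    {   # Outlook on PC1: device state presented, client-app CA policy satisfied
        "userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Office",
        "clientAppUsed": "Mobile Apps and Desktop clients", "conditionalAccessStatus": "success",
        "status": {"errorCode": 0, "failureReason": "Other."},
        "deviceDetail": {"deviceId": PC1, "browser": "Rich Client 16.0", "trustType": HYBRID},
        "appliedConditionalAccessPolicies": [{"displayName": "CA02 HAADJ - client apps", "result": "success"}],
    },
    {   # Edge on PC1: the browser flow also carries the device identity
        "userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365 SharePoint Online",
        "clientAppUsed": "Browser", "conditionalAccessStatus": "success",
        "status": {"errorCode": 0, "failureReason": "Other."},
        "deviceDetail": {"deviceId": PC1, "browser": "Edge 18.17763", "trustType": HYBRID},
        "appliedConditionalAccessPolicies": [{"displayName": "CA01 HAADJ - browser", "result": "success"}],
    },
    {   # Chrome on PC1 without the extension: no device identity reaches Azure AD, CA blocks
        "userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Power BI",
        "clientAppUsed": "Browser", "conditionalAccessStatus": "failure",
        "status": {"errorCode": 53001, "failureReason": "Device is not domain joined."},
        "deviceDetail": {"deviceId": "", "browser": "Chrome 76.0.3809", "trustType": ""},
        "appliedConditionalAccessPolicies": [{"displayName": "CA01 HAADJ - browser", "result": "failure"}],
    },
    {   # Second user on a shared PC that Azure AD has never reported as Hybrid joined
        "userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365 SharePoint Online",
        "clientAppUsed": "Browser", "conditionalAccessStatus": "failure",
        "status": {"errorCode": 53001, "failureReason": "Device is not domain joined."},
        "deviceDetail": {"deviceId": "", "browser": "Edge 18.17763", "trustType": ""},
        "appliedConditionalAccessPolicies": [{"displayName": "CA01 HAADJ - browser", "result": "failure"}],
    },
]


def hybrid_joined_devices(records):
    """Map user -> set of deviceIds that Azure AD reported as Hybrid Azure AD joined."""
    seen = defaultdict(set)
    for r in records:
        dd = r.get("deviceDetail") or {}
        if dd.get("trustType") == HYBRID and dd.get("deviceId"):
            seen[r["userPrincipalName"]].add(dd["deviceId"])
    return seen


def device_ca_failures(records):
    """Sign-ins a CA policy blocked while no Hybrid joined device state was presented."""
    out = []
    for r in records:
        if r.get("conditionalAccessStatus") != "failure":
            continue
        failed = [p["displayName"] for p in r.get("appliedConditionalAccessPolicies", [])
                  if p.get("result") == "failure"]
        dd = r.get("deviceDetail") or {}
        if not failed or dd.get("trustType") == HYBRID:
            continue  # not a CA block, or the device was seen as joined (some other control failed)
        out.append({"user": r["userPrincipalName"], "app": r.get("appDisplayName", ""),
                    "client": r.get("clientAppUsed", ""), "browser": dd.get("browser", ""),
                    "deviceId": dd.get("deviceId", ""),
                    "errorCode": (r.get("status") or {}).get("errorCode"), "policies": failed})
    return out


def triage(records):
    """Attach a next-step hint to each device-related CA block."""
    known = hybrid_joined_devices(records)
    findings = []
    for f in device_ca_failures(records):
        if f["client"] == "Browser" and f["browser"].startswith("Chrome") and not f["deviceId"]:
            hint = ("Chrome sent no device identity: install the Windows 10 Accounts extension "
                    "so Chrome can present the Hybrid Azure AD join state")
        elif known.get(f["user"]):
            hint = ("the user has Hybrid joined sign-ins from another client, so the join itself works; "
                    "this app or client did not present device state (check it supports device-based CA)")
        else:
            hint = "no Hybrid joined sign-in for this user on any device: run dsregcmd /status on the PC"
        findings.append({**f, "hint": hint})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_SIGNINS):
        print(f"{f['user']} -> {f['app']} via {f['client']} ({f['browser'] or 'n/a'}): "
              f"blocked by {', '.join(f['policies'])}; {f['hint']}")
```

The same fields are what the portal shows under the Device info and Conditional Access tabs of a sign-in entry: an empty `trustType` on the failed entry next to "Hybrid Azure AD joined" on a successful entry from the same PC is the signature of a client that never presented the device identity, not of a PC that is not joined. With a real export, replace `SAMPLE_SIGNINS` with the `value` array from the Graph response.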
