A lot of our customers are complaining about the Require Domain Joined device feature in Azure Active Directory. We've configured Hybrid Azure AD through AAD Connect. Devices are now Hybrid Azure AD joined also dsregcmd /status also shows that the device is Hybrid Azure AD Joined.
We've created some Conditional Access Policies where access is blocked when a device is not Hybrid Azure AD Joined. In our Azure AD Sign-in logs we see blocked attempts because the device is not Hybrid Azure AD Joined even when they work on a corporate PC. What is the reason that sometimes connections are allowed and sometimes the connection is blocked?
@Jordy Blommaert , you mention that you have 'some' ca policies so I am assuming more than 1 apply when a user signs in. Have you looked at the sign in logs for an affected user in Azure AD? Look for a successful and a failed one. When you click on it, a window will open from the bottom up, there's a tab there that reads 'Conditional Access'. That should give you some hints as to which CA policy is causing the block and might help in figuring out what's going on.
@Steve Hernou We already checked this. We've created some seprate policies one is when the user used the browser and the other one is when the users uses a client app.
The requirement is that the device is Hybrid Azure AD joined in both scenario's.
We have cases where Outlook, Sharepoint, etc. is successfull that he knows that the PC is Hybrid Azure AD joined but if the user uses Power BI that the connection is blocked because that same PC is not Hybrid Azure AD joined.
A little remark is that there are also PC's that are used by multiple users for example in the Production Fabric.