Conditional Access - Required Device to be Compliant

James Stewart
Occasional Contributor

I have created a conditional access policy to only allow access to an application (Zendesk) where we use Azure AD Single Sign-on. The policy does work if I select MFA or if I exclude my trusted IPs.

Every setting will take effect on the policy with the single exception of the "Require device to be marked as compliant" option under Grant Access. This will simply prevent access because after logging in, the device being used is not recognized as a compliant device... however in Intune and in Azure AD the device is defined as compliant.

This is frustrating because we don't want to prompt for MFA on approved devices, i.e., company provided/managed laptops for our remote employees.

Has anyone been able to use this policy and if so, can you shed any light on why this might be an issue?

3 Replies

@James Stewart

How do you have Access controls set? Which checkboxes are ticked and require one or all selected controls?

I'm now facing the same issue with an LOB app which is trying to connect to Exchange. Based on the error, it looks like the app is not reporting the device ID to Azure during authorization, which is why Azure is not able to process the request.

Trying to fix that with support for almost a month. No luck yet.

Hi James,

Since a few weeks ago, you need to have a compliance policy assigned to your devices; otherwise they are treated as non-compliant. So there are two options to get your device to a compliant state: assign a compliance policy to the user or device, or change the default to allow devices without a compliance policy to be treated as compliant by default.

[Image: CA-not-compliant-default.png]

best,

Oliver
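
The two causes raised in this thread (a sign-in that carries no device ID, and a device with no compliance policy assigned under the tenant default) can be modelled for triage as below. This is an added example, not part of the original posts and not Microsoft's evaluation logic; the record layout, the device IDs and the function names are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

@dataclass
class Device:
    device_id: str        # directory device ID (constructed values below)
    name: str
    policy_results: list  # one bool per assigned compliance policy; [] = none assigned

def effective_compliance(device: Device, no_policy_is_compliant: bool) -> tuple[bool, str]:
    """Resolve a device's state, applying the tenant default when no policy is assigned."""
    if not device.policy_results:
        if no_policy_is_compliant:
            return True, "no policy assigned; tenant default treats device as compliant"
        return False, "no policy assigned; tenant default treats device as not compliant"
    if all(device.policy_results):
        return True, "all assigned policies passed"
    return False, "an assigned policy failed"

def triage_sign_in(presented_device_id: Optional[str], inventory: dict,
                   no_policy_is_compliant: bool) -> tuple[bool, str]:
    """Would the 'Require device to be marked as compliant' grant be satisfied?"""
    if presented_device_id is None:
        # The case from the LOB app reply: nothing to look the device up by.
        return False, "client sent no device ID; compliance cannot be evaluated"
    device = inventory.get(presented_device_id)
    if device is None:
        return False, "device ID not found in inventory"
    return effective_compliance(device, no_policy_is_compliant)

# Constructed sample inventory (assumed shape, not a Graph API schema).
INVENTORY = {d.device_id: d for d in [
    Device("dev-001", "LAPTOP-A", [True, True]),
    Device("dev-002", "LAPTOP-B", []),             # enrolled, no policy assigned
    Device("dev-003", "LAPTOP-C", [True, False]),  # fails one assigned policy
]}

if __name__ == "__main__":
    for tenant_default in (False, True):
        print(f"-- devices without a policy count as compliant: {tenant_default}")
        for dev_id in ("dev-001", "dev-002", "dev-003", None):
            ok, reason = triage_sign_in(dev_id, INVENTORY, tenant_default)
            print(f"{str(dev_id):8} {'ALLOW' if ok else 'BLOCK'}  {reason}")
```

Only LAPTOP-B changes outcome when the tenant default is flipped; a device that fails an assigned policy, or a client that sends no device ID, stays blocked either way.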
