Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Conditional Access Hybrid Azure AD Joined

Copper Contributor

At multiple at our customers we configured a policy that matches all cloud applications only can be accessed when they're using an Hybrid Azure AD Joined device. All their devices are synchronized from their on-premise AD towards Azure AD and they become Hybrid Azure AD joined.

The conditional access policies have worked for a few months but suddenly they receive a pop-up that their device is a non-corporate device.

This can often be resolved to exclude them from the conditional access policy and re-add them towards the policy.

We still didn't found a root cause why this happens so often?

What are the checks that are performed if a device is Hybrid Azure AD joined?

9 Replies
With what apps are you having this issue?
Exclaimer Cloud and some others with Outlook

The things I would check.

1.) Check the user's Sign-ins log

 - to confirm where the issue is at.

2.) On the PC run this command:
   DSREGCMD /status

 - That will tell you about the state of the PC.

3.) Check for multiple entries in AAD.

   Get-AzureADDevice -SearchString <PC name> | Format-List DisplayName, DeviceTrustType, DevicePhysicalIds, DeviceId

 - The one that has "ServerAd" for the DeviceTrustType is the object for the Hybrid Join.

 - There can be others, like AzureAD, which are the PC being joined more than once.

 - If the Hybrid join has completed the DevicePhysicalIds will be populated.

 

That's where I would start looking.

 

@Steve Mahoney This is for multiple users.

Already performed the steps you've mentioned but all results seems good. I have no clue why it's blocked the status of the PC says that it's Hybrid Azure AD joined. The PC's are all Hybrid Azure AD Joined in Azure AD.

The funny part is that when I review the sign-in logs of Exclaimer cloud, we see sometimes conditional access policy failures because device is not Hybrid Azure AD joined. But we've currently excluded the Exclaimer Cloud application from the policy's.

@Jordy Blommaert Maybe not a case for you but I see strange behaviors if the computer for some reason is both Azure AD registered and Hybrid Azure AD Join. This was a problem before a certain version of Windows 10 (I think version 1809). I've also seen problems if the computer was recently domain joined (I guess it needs time to sync etc).

 

In either case, Microsoft seems to be doing a lot of changes on Windows 10 to make Hybrid Azure AD Join more reliable and functional so maybe you can see there are certain versions which have this problem?

@Jonas Back Thanks for the tip. I will review this with our customer.

There are indeed some devices that are Hybrid Azure AD Joined and Registered.

@Jordy Blommaert OK, the only really good way to get out of that mess (when the same device is both Azure AD Registered and Hybrid Azure AD Join) is to update Windows 10 to at least 1809. It should then sort it out by itself and delete the Azure AD Registered device (just give it a little bit time and reboots). Just deleting the Azure AD Registered device in Azure AD is not a good solution since they device will still think it's Azure AD Registered. It's not easy to fix from the client side either since Azure AD Registered is on per-user basis.

@Jonas Back We reviewed the version of the PC's they are all running Windows 10 Pro Version 1903

@Jordy Blommaert Then it should automatically removed the duplicated Azure AD Registered device. If you go to portal.azure.com > Azure Active Directory > Devices you can search for the name and see when it last had activity. Maybe the Azure AD Registered device haven't had any activity for a long time?