Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Hybrid-AD joined devices are being blocked

Copper Contributor

Hi

We already enforce MFA access to O365 using conditional access but we want to prevent users accessing O365 from non-company devices. We have set a conditional access policy to block access using the Device State condition - "all device state and exclude Device Hybrid AD joined". The issue is, when we enable this policy, it actually blocks our laptops, despite them being in Azure AD. The computers are synced from our on-premise AD using AAD sync.

 

When I look at the sign-in logs, I notice that the interactive logs do not contain the device ID for the laptop but the non-interactive logs do contain the device ID. We also have a policy that excludes access to Yammer from MFA. The sign-in logs for Yammer, shows single-factor authentication but also picks up the Device ID under Device info. So, it appears that SSO would work

 

This also appears to be device specific, as the logs show the device ID for some devices but not all. So, I'm certain the CA policies are working correctly and the issue lies with the device itself in some way. 

 

I have ran DSregcmd and the powershell scripts dsregtool and test-deviceregconnectivity but they report everything as working fine.

Has anyone seen this issue? Also, can anyone advise, other than the scripts mentioned, is there any other way to troubleshoot this issue?

 

Many thanks in advance

Roy

4 Replies
Here is the troubleshooting documentation:
https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-cur...
What does the "Join Type" column say for the device in question? (Can you post a screen shot)?
https://portal.azure.com/#blade/Microsoft_AAD_Devices/DevicesMenuBlade/Devices/menuId/
I have had issues with this before and worked with a couple of customers on this. Check out the following:
https://365bythijs.be/2019/11/02/troubleshooting-hybrid-azure-ad-join/
https://365bythijs.be/2020/09/03/azuread-device-not-recognized-as-hybrid-joined/

Troubleshooting steps are:
- Check dsregcmd output for correct status
- Validate status in AAD portal
- Make sure you use supported applications

On the computers with issues, do all applications have the issue or only some?
Hi guys

I have gone through the troubleshooting and everything appears to check out. Dsregcmd /status does not show any issues. The device is listed as enabled and "Hybrid Azure AD Joined" in the AAD portal.

If I use IE or Edge, the AAD logs show the device ID. We also have the office client apps installed but when I open up Outlook, Teams or Word they do not prompt for MFA but open up fine. However, I do not see any AAD sign-in logs, either interactive or non-interactive for these apps. If I use dsregtool or test-deviceregconnectivity, I can see the logs for these authentications and the Device ID is logged.

So, I need to understand why Outlook, Teams etc. do not show up in the AAD logs and then confirm whether these apps are sending the PRT or not.

Any suggestions?

Thanks
Roy
Have you enabled modern authentication in your tenant?