Device In Azure AD showing as not compliant, yet in Intune the device is fine and compliant

Hello All

I have several devices that are now failing SSO logins because Conditional Access is returning that the device is not compliant.

Checking the device in Azure AD (Entra), it clearly shows the device is not compliant, which explains why the SSO logins are blocked.

colinkitchen_2-1692022320624.png

But when I check the device in Intune (Endpoint), it shows the device is compliant and all good.

colinkitchen_3-1692022336268.png

(You will have to take my word that the two screenshots are the same device, as the host name is blurred.)

When checking the device ID in Azure AD and Intune, they all match, as you would expect.

The devices are checking in and syncing with Azure and Intune on a regular basis.

Azure is just not updating with the correct compliance status from Intune.

Any ideas what is happening?

Cheers

Colin

5 Replies

@colinkitchen 

Any luck digging out more hints from the sign-in logs?

@Kidd_Ip 

The sign-in logs don't give any more info than I posted before, or anything I can see of use.

This is a sign-in from a device that shows as compliant in Intune but not in Azure AD:

colinkitchen_0-1692098884891.png

Going through the other tabs in the sign-in logs, all looks fine apart from the Conditional Access tab, which shows the sign-in blocked due to non-compliance.

If there is something I have missed log-wise that you think will help, please let me know.

Ta

c

@colinkitchen 

I'm also getting the same issue. Azure AD seems unreliable in reporting the correct compliance status from Intune - therefore Conditional Access via compliance is useless.

I have a couple of solutions which I'm still testing; I still don't know what's causing this, which worries me.

Fix 1
This works and is quick, but I am waiting to see if the device stays compliant or if it falls back into the mismatch.

From PowerShell, import the AADInternals module:

Import-Module -Name AADInternals

Next, we need to grab an access token for MS Graph:

Get-AADIntAccessTokenForAADGraph -SaveToCache

This will prompt you to log in to Azure; you will need admin creds.

To confirm the device is showing as not compliant in Azure:

Get-AADIntDeviceCompliance -DeviceId AzureDeviceIDHere

colinkitchen_1-1692359097147.png

Now to switch it from non-compliant to compliant:

Set-AADIntDeviceCompliant -DeviceId AzureDeviceIDHere -Compliant

This does fix the device, and the user is able to log in without Conditional Access getting in the way, but I don't know what caused this to go non-compliant in the first place or if the root cause will trip it again later (but it's been fine for 24 hours so far).

Fix 2
This also works and does not need PowerShell, but it takes a long time to fix.
In Intune, we created a policy that was impossible to achieve; I used "must have a maximum Windows version" and set an old version.

colinkitchen_0-1692358962194.png

Applied this policy to the device and waited for Intune to apply it and then mark the device as not compliant in Intune. Now Azure and Intune both agree on the device status.

Once it was not compliant in Intune, I removed that policy from it and waited for Intune to mark it as compliant; at that point Azure also updated correctly.
This method takes ages, as we need to wait for the device to sync with Intune a couple of times; on my test device it took several hours.

To me it seems Azure got out of sync with Intune somehow, and would not update until there was a change on the Intune side, which would explain why both fixes seem to work.
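
One way to find every device affected by the mismatch described in this thread, as an added example that is not from the thread or from AADInternals: it compares the Intune compliance state with the Entra ID device record and lists the disagreements. The inputs are constructed sample objects shaped like the output of the Microsoft.Graph cmdlets named in the comments; the device IDs and names are made up.

```powershell
# Added example (not from the thread): list devices whose Intune compliance
# state disagrees with the Entra ID device record, the mismatch described above.
function Compare-DeviceComplianceState {
    param(
        # Objects shaped like Get-MgDevice output: DeviceId, DisplayName, IsCompliant
        [Parameter(Mandatory)] [object[]] $EntraDevices,
        # Objects shaped like Get-MgDeviceManagementManagedDevice output:
        # AzureAdDeviceId, DeviceName, ComplianceState
        [Parameter(Mandatory)] [object[]] $IntuneDevices
    )
    # Index Intune records by the Entra device ID, the value both portals display.
    $intuneById = @{}
    foreach ($d in $IntuneDevices) { if ($d.AzureAdDeviceId) { $intuneById[$d.AzureAdDeviceId] = $d } }

    foreach ($e in $EntraDevices) {
        $i = $intuneById[$e.DeviceId]
        if (-not $i) { continue }   # not Intune-managed, nothing to compare
        # Intune reports a string ('compliant', 'noncompliant', 'inGracePeriod', ...);
        # Entra exposes a boolean. Only an exact 'compliant' counts as compliant here.
        $intuneCompliant = ($i.ComplianceState -eq 'compliant')
        if ($intuneCompliant -ne [bool]$e.IsCompliant) {
            [pscustomobject]@{
                DeviceId       = $e.DeviceId
                DisplayName    = $e.DisplayName
                EntraCompliant = [bool]$e.IsCompliant
                IntuneState    = $i.ComplianceState
            }
        }
    }
}

# Constructed sample data standing in for the Graph responses. In a tenant,
# with the Microsoft.Graph module connected, the inputs would come from:
#   $entra  = Get-MgDevice -All -Property DeviceId,DisplayName,IsCompliant
#   $intune = Get-MgDeviceManagementManagedDevice -All -Property AzureAdDeviceId,DeviceName,ComplianceState
$entra = @(
    [pscustomobject]@{ DeviceId = '11111111-aaaa-4aaa-8aaa-111111111111'; DisplayName = 'LAPTOP-01'; IsCompliant = $false },
    [pscustomobject]@{ DeviceId = '22222222-bbbb-4bbb-8bbb-222222222222'; DisplayName = 'LAPTOP-02'; IsCompliant = $true }
)
$intune = @(
    [pscustomobject]@{ AzureAdDeviceId = '11111111-aaaa-4aaa-8aaa-111111111111'; DeviceName = 'LAPTOP-01'; ComplianceState = 'compliant' },
    [pscustomobject]@{ AzureAdDeviceId = '22222222-bbbb-4bbb-8bbb-222222222222'; DeviceName = 'LAPTOP-02'; ComplianceState = 'compliant' }
)
# Only LAPTOP-01 is listed: Intune says compliant, Entra says not.
Compare-DeviceComplianceState -EntraDevices $entra -IntuneDevices $intune | Format-Table -AutoSize
```

Running the comparison on a schedule gives a list of devices to re-sync before users hit the Conditional Access block, rather than discovering the mismatch one sign-in failure at a time.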

@colinkitchen 

My understanding from speaking to a Microsoft engineer is that the Intune database and the Azure AD (Entra ID) database are separate, and that there is a sync between the two; this can be anywhere between 5-15 minutes, however I have seen it take as long as 2 hours. As far as I know, there is no way to force the databases to sync globally, or from the UI.