AVD sign-on issue Azure Hybrid joined devices


Hi, starting yesterday we have been having issues signing into AVD. We have a CA policy in place restricting access to hybrid joined devices only; when accessing AVD we are presented with the error "You cannot get there from here. This application contains sensitive information and can only be accessed from Company XXX. Company XXX domain joined devices. Access from personal devices is not allowed."

This only started yesterday evening.

6 Replies
To add, it is seeing our hybrid joined devices as personal even though they are hybrid. I have run dsregcmd /status and it reports the correct info.
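For anyone checking the same thing, here is a small PowerShell script (an added example written for this thread, not code from the original posts or from Microsoft) that parses the output of dsregcmd /status and reports the two things a device-based CA policy needs to see on the client: the device is both DomainJoined and AzureAdJoined (hybrid), and the signed-in user holds an Azure AD PRT (AzureAdPrt), since the device claim CA evaluates is carried by the PRT. The field names are assumed to match the current dsregcmd output layout, and the sample output embedded at the bottom is constructed for the demo, not captured from a real machine.

```powershell
# Parse `dsregcmd /status` into a name/value table.
# Run on the affected endpoint as the signed-in user: PRT state is per user, not per machine.
function Get-DsregStatus {
    param(
        # Optional raw text so the parser can be exercised on a captured or constructed sample.
        [string]$RawOutput
    )
    if (-not $RawOutput) {
        $RawOutput = (& dsregcmd.exe /status 2>&1) -join "`n"
    }
    $state = @{}
    foreach ($line in ($RawOutput -split "`r?`n")) {
        # Lines of interest look like "    AzureAdJoined : YES"
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

# Summarise whether a device-based Conditional Access check can succeed from this session.
function Test-HybridJoinReady {
    param([hashtable]$State)
    $hybrid = ($State['DomainJoined'] -eq 'YES') -and ($State['AzureAdJoined'] -eq 'YES')
    $prt    = ($State['AzureAdPrt'] -eq 'YES')
    [pscustomobject]@{
        DeviceId              = $State['DeviceId']
        TenantName            = $State['TenantName']
        HybridJoined          = $hybrid
        HasPrt                = $prt
        # Without a PRT the sign-in carries no device identity, so CA sees an unregistered device
        # even though the object in Azure AD / Intune looks fine.
        CaDeviceCheckPossible = $hybrid -and $prt
    }
}

# Constructed sample of dsregcmd output (assumed layout; not taken from a real endpoint).
$sample = @"
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : Contoso
                  DeviceId : 00000000-0000-0000-0000-000000000000

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : NO
"@

# Replace `-RawOutput $sample` with nothing to run against the live machine.
$result = Test-HybridJoinReady (Get-DsregStatus -RawOutput $sample)
$result | Format-List
if (-not $result.CaDeviceCheckPossible) {
    Write-Warning "Hybrid joined but no PRT for this user: device-based CA will treat the sign-in as coming from an unregistered device. Sign out and back in, then re-check."
}
```

The point of splitting it into two functions is that "dsregcmd says YES everywhere" is a per-user statement: the same hybrid joined machine can show AzureAdPrt : NO for one profile and YES for another, which lines up with CA passing for one account and failing for the cached one.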
So we have two CA policies, one that requires users to MFA to access AVD. It triggers at sign-in to the RDC. The other prevents the use of the RDC on machines listed as personal OR non-compliant.

Since Thursday night this has been failing and stating the user satisfied the requirement but doesn't have permission. When checking the device in Azure AD or Intune/Endpoint the device is showing compliant. We've not changed anything on our end, so there's clearly something Microsoft has failed to acknowledge.

@DBR14 I rang Microsoft this morning; after waiting 15 minutes for them to answer I gave up. It's now sat with our CSP to try and work out what's happened. Nothing has changed on our side either, but for now I've had to disable the hybrid joined CA policy, otherwise no one can log in!

@mdayton11 The workaround for us is, when the user goes to sign in, to select "Use another account" rather than the one cached, and it works. But if you select the cached account, which is their work account, it bombs on the CA policy. I can't tell if this is the CA policy malfunctioning or if there's some health attestation issue. Everything looks peachy when I check the endpoint's status, fully compliant and marked Corporate, so it should be a non-issue.

[screenshot attached: DBR14_0-1643039025265.png]

Thanks, just tried that and it works for us too. Yeah, I'd noticed the email address field is no longer cached on their work account either, prompting them to re-enter it.
Yup, so it looks like you're getting hit with the same thing we are, I've seen bits and pieces of reports on Reddit as well. I don't really want to burn a CSP case for something clearly not our problem but the issue also doesn't appear to be acknowledged by MSFT. I will say the workaround does work, but it doesn't stop them from having the issue again, so we've had to communicate that to the staff for the time being.