Jun 17 2021
- last edited on
Jan 14 2022
We already enforce MFA access to O365 using conditional access but we want to prevent users accessing O365 from non-company devices. We have set a conditional access policy to block access using the Device State condition - "all device state and exclude Device Hybrid AD joined". The issue is, when we enable this policy, it actually blocks our laptops, despite them being in Azure AD. The computers are synced from our on-premise AD using AAD sync.
When I look at the sign-in logs, I notice that the interactive logs do not contain the device ID for the laptop but the non-interactive logs do contain the device ID. We also have a policy that excludes access to Yammer from MFA. The sign-in logs for Yammer, shows single-factor authentication but also picks up the Device ID under Device info. So, it appears that SSO would work
This also appears to be device specific, as the logs show the device ID for some devices but not all. So, I'm certain the CA policies are working correctly and the issue lies with the device itself in some way.
I have ran DSregcmd and the powershell scripts dsregtool and test-deviceregconnectivity but they report everything as working fine.
Has anyone seen this issue? Also, can anyone advise, other than the scripts mentioned, is there any other way to troubleshoot this issue?
Many thanks in advance
Jun 19 2021 11:12 PM
Jun 21 2021 02:00 AM
Jun 28 2021 04:20 AM