"Require device to be marked as compliant" Grant in Conditional Access - Does it work?


Hi

In our organisation we are using Windows 10 hybrid-joined laptop devices and Apple iPhone devices. All are "managed" devices (being Intune enrolled).

Over the past 6-9 months we have been working with Microsoft Support to try to resolve an issue whereby the "Require device to be marked as compliant" grant does not operate reliably as part of Entra CA Policy. The main issue has been with the Windows 10 laptops. What we have found is that a significant minority of laptops which are clearly marked as Compliant in both Intune and in the AAD portal nevertheless produce sign-in failures where a policy is evaluated which includes this grant.

I am not posting here seeking technical support for this issue, for which an MS Support case is underway.

Instead, I would like to ask the Community about their own experiences using CA Policy which includes this grant, and in particular, I am seeking out validation and feedback from other Microsoft customers who have been able to (or have tried to) implement CA policy including this grant.

Obviously, there will always be support issues where once-compliant devices become non-compliant for whatever reasons might be applicable in any given environment, and such issues are within the scope of normal and expected behaviour. I am trying to establish whether customers are making practical use of this grant without issues where devices are (or appear to be) compliant.

Fundamentally, my floated hypothesis is that the "Require device to be marked as compliant" grant might be one of those Entra features which offers a theoretical, ostensible benefit only, but which in practical terms is too unreliable at this stage of its maturity to be able to use it for day-to-day business critical workloads. I would like to hear from anyone who is able to confirm or refute this hypothesis based on first-hand knowledge of an implementation that they are responsible for. Ideally I'd like to hear from IT managers or engineers working with customers with a user base of at least 50.

Many thanks in advance

Robert
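As an added triage example (not from the original post or from Microsoft), the Python below sorts sign-in failures like those described above into the cases a defender needs to separate: a record that says the device is compliant yet still failed the compliant-device grant (the thread's issue), an expected denial of a non-compliant device, and a sign-in that presented no device identity at all; it also lists devices that both passed and failed the grant while reported compliant. Field names follow the Microsoft Graph `signIn` resource as I understand it (`deviceDetail.isCompliant`, `appliedConditionalAccessPolicies[].result` and `enforcedGrantControls`); the sign-in records themselves are constructed, not tenant data.

```python
from collections import defaultdict
GRANT = "RequireCompliantDevice"  # grant-control name expected in enforcedGrantControls

def rec(sid, upn, dev, compliant, result, os_name="Windows10"):
    """Build a trimmed Entra signIn record (constructed sample, not tenant data)."""
    return {"id": sid, "userPrincipalName": upn,
            "deviceDetail": {"deviceId": dev, "isCompliant": compliant,
                             "isManaged": bool(dev), "operatingSystem": os_name},
            "appliedConditionalAccessPolicies": [
                {"displayName": "Require compliant device", "result": result,
                 "enforcedGrantControls": [GRANT]}]}

SAMPLE_SIGNINS = [
    rec("s1", "alice@example.com", "dev-001", True, "success"),
    rec("s2", "alice@example.com", "dev-001", True, "failure"),        # compliant yet denied
    rec("s3", "bob@example.com", "dev-002", False, "failure", "Ios"),  # expected denial
    rec("s4", "carol@example.com", "", False, "failure"),              # no device identity
    rec("s5", "dave@example.com", "dev-003", True, "success"),
]

def grant_results(signin):
    """Results of every applied policy that enforced the compliant-device grant."""
    return [p.get("result") for p in signin.get("appliedConditionalAccessPolicies", [])
            if GRANT in p.get("enforcedGrantControls", [])]

def triage(signins):
    """Sort grant denials into 'inconsistent' (device reported compliant, grant still failed),
    'noncompliant' (expected denial) and 'unknown_device' (no device identity reached Entra)."""
    out = {"inconsistent": [], "noncompliant": [], "unknown_device": []}
    for s in signins:
        if "failure" not in grant_results(s):
            continue
        dev = s.get("deviceDetail", {})
        if not dev.get("deviceId"):
            out["unknown_device"].append(s["id"])
        elif dev.get("isCompliant"):
            out["inconsistent"].append(s["id"])
        else:
            out["noncompliant"].append(s["id"])
    return out

def flapping_devices(signins):
    """Devices reported compliant that both passed and failed the grant: evaluation, not state, varies."""
    seen = defaultdict(set)
    for s in signins:
        dev = s.get("deviceDetail", {})
        if dev.get("deviceId") and dev.get("isCompliant"):
            seen[dev["deviceId"]].update(grant_results(s))
    return {d for d, r in seen.items() if {"success", "failure"} <= r}
```

Run against an export of the sign-in log for the policy in question; the `inconsistent` bucket and the flapping set are the records worth attaching to a support case, since they show the grant failing on devices the token itself reports as compliant.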

1 Reply
I have the same issue so I'm following this thread and would love to know any results from support. My main issue is with the phones, iPhones. The laptops and computers tend to be a less pressing issue since I have the office WAN IP added as a trusted location on the CA policy. My policy also allows FIDO keys when the device isn't compliant; FIDO keys work great on computers, spotty on phones in terms of support.