No user affinity - conditional access

%3CLINGO-SUB%20id%3D%22lingo-sub-2143769%22%20slang%3D%22en-US%22%3ENo%20user%20affinity%20-%20conditional%20access%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2143769%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3EI%20have%20a%20conditional%20policy%20that%20require%20the%20device%20to%20be%20compliant.%20But%20I%20have%20devices%20that%20have%20no%20user%20affinity%20so%20there%20is%20no%20compliance%20evaluted.%20Will%20they%20still%20fit%20in%20under%20compliance%2C%20so%20the%20CA%20policy%20don%C2%B4t%20kick%20them%20out%20as%20they%20don%C2%B4t%20have%20any%20compliance%20evaluated%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2143769%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMobile%20Device%20Management%20(MDM)%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2148192%22%20slang%3D%22en-US%22%3ERe%3A%20No%20user%20affinity%20-%20conditional%20access%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2148192%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F511463%22%20target%3D%22_blank%22%3E%40rossonero%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhen%20you%20say%20%22No%20user%20affinity%22%20do%20you%20mean%2C%20they%20are%20NOT%20logged%20in%20by%20any%20user%20or%20logged%20in%20with%20a%20common%20account%20like%20%22Device%20Enrollment%20Manager%20(DEM)%22%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20both%20these%20cases%2C%20CA%20will%20not%20be%20evaluated%2C%20so%20compliance%20is%20not%20calculated%20on%20them%20due%20to%20which%20it%20is%20not%20considered%20non-compliant.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2148381%22%20slang%3D%22en-US%22%3ERe%3A%20No%20user%20affinity%20-%20conditional%20access%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2148381%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F223446%22%20target%3D%22_blank%22%3E%40Pa_D%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20all%20devices%20that%20have%20a%20system%20account%20should%20not%20be%20part%20of%20conditional%20access%20polices%3F%20-%20there%20is%20no%20workarround%20on%20this%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2149052%22%20slang%3D%22en-US%22%3ERe%3A%20No%20user%20affinity%20-%20conditional%20access%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2149052%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F511463%22%20target%3D%22_blank%22%3E%40rossonero%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECan%20see%20that%20my%20devices%20with%20a%20system%20account%20fails%20the%20compliance%2C%20so%20also%20fails%20the%20conditional%20access.%3CBR%20%2F%3E%3CBR%20%2F%3ESo%20how%20can%20I%20either%20add%20those%20devices%20to%20a%20compliance%20policy%20-%20or%20how%20can%20I%20exclude%20them%3F%3CBR%20%2F%3E%3CBR%20%2F%3EI%20could%20easily%20make%20a%20device%20group%2C%20but%20this%20will%20not%20work%20as%20exclusion%20in%20Conditional%20access%2C%20as%20it%20must%20be%20user%20based.%20And%20the%20user%20%22system%20account%22%20is%20not%20a%20azure%20account%2C%20so%20wondering%20what%20can%20be%20done.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EGuess%20that%20also%20non-user%20devices%2C%20should%20be%20able%20to%20be%20verified%20with%20compliance%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

I have a conditional policy that require the device to be compliant. But I have devices that have no user affinity so there is no compliance evaluted. Will they still fit in under compliance, so the CA policy don´t kick them out as they don´t have any compliance evaluated?

9 Replies

@rossonero 

When you say "No user affinity" do you mean, they are NOT logged in by any user or logged in with a common account like "Device Enrollment Manager (DEM)"?

 

In both these cases, CA will not be evaluated, so compliance is not calculated on them due to which it is not considered non-compliant.

@Pa_D 

 

So all devices that have a system account should not be part of conditional access polices? - there is no workarround on this ?

@rossonero 

 

Can see that my devices with a system account fails the compliance, so also fails the conditional access.

So how can I either add those devices to a compliance policy - or how can I exclude them?

I could easily make a device group, but this will not work as exclusion in Conditional access, as it must be user based. And the user "system account" is not a azure account, so wondering what can be done.

 

Guess that also non-user devices, should be able to be verified with compliance ?

@rossonero 

1) Please clarify "System Account" here. Did you mean Windows system account? if not what is it?

2) From your description, you have targeted CA policy to user group. Is it correct?

3) Which OS are you focusing here?

 

@rossonero Hi I have just been doing some testing with Intune, no production environment. I have an iOS device with no user affinity. I can assign a compliance policy to the device in Endpoint Manager and have it report as compliant. However, under devices in Portal Azure, it doesn't report as compliant. Is this the same scenario you are having?

 

Endpoint ManagerEndpoint Manager

 

Portal AzurePortal Azure

 

Hi @rossonero 

 

Can you elaborate what exactly are you trying to do?

 

I think devices without users will not be impacted by Conditional Access even if their group is added as Target in the policy.

 

You can make those device appear as compliant by configuring the build-in compliance check, find Docs here: Device compliance policies in Microsoft Intune

 

complaince.png

@ThoDeutschmann 

Yes exactly that is the issue

Hi @Alo Press 

what confuses me in this scenario is why a device with no user affinity can show as Compliant in Endpoint Manager Center if it has a compliance policy assigned, and the same device will still show as N/A in compliance in Portal Azure.

 

Endpoint Manager CenterEndpoint Manager CenterPortal AzurePortal Azure

@ThoDeutschmann Hmm, right. Ok, I think I get the core of the issue now and here is my humble hunch on it. First Azure AD displays more states for devices than Intune and comes into play before even getting your devices enrolled - that can be the N/A state that you guys are reporting. My take utilises credentials but the logic itself should be similar to unaffiliated devices. Read more about the Device Identity here and about Azure AD registered devices here.

 

So to first recreate the N/A state for a device you can do the following with a new device:

  1. Install Company Portal on mobile device
  2. Sign into the Company Portal app but do not enrol
  3. From Azure AD > Devices, you can see a device without Compliance

 

The potential fix may vary depending on the exact scenario (and there are more I am sure):

  1. If the device isn't already managed, enrol it into Intune
  2. After enrolment make sure that you do not get a notification under your Devices menu
  3. Sync the device and note the change in Azure AD device list

 

Although this scenario applies to new devices it should have similarities to the existing devices, I just checked my test tenant and in there I did have a device that reported a similar state, where in Azure AD I had a N/A compliance and in Intune it was ok.. to dig deeper I opened my impacted device and checked the Company Portal app, it was reporting not being Registered even though my device was already in Intune.. unfortunately I was unable to get a screenshot of that before it resolved itself and that also resolved the incorrect reporting in Azure AD.

 

Alternatively you can check if the devices that you have in N/A state are actually the devices you have in Intune, in some cases there can be multiple entries for one device, this can be verified by comparing the Azure AD Device ID for AAD and Intune. 

 

And for more destructive testing you could unenrol the device, delete its Intune record and then Azure AD record, most likely the new enrolment would result in both records reporting correct information. 

 

Sorry for the long post, hopefully it helps.