Help! Troubleshooting Conditional Access Failures with Hybrid Devices

Asked By TechieTurtle92 On

I'm about to enable some new Conditional Access (CA) policies and I'm a bit worried after reviewing the failure reports. We've got 300 users, all using Windows laptops, which are hybrid joined. We also have around 350 mobile devices (Android, iPhone, iPad) enrolled in Intune, and most of them (about 98%) are compliant, whereas about 80% of the Windows laptops are compliant. Currently, we have some security measures in place like requiring multifactor authentication, blocking legacy authentication, and restricting access to devices not recognized or outside the allowed countries (which is just the US right now).

Starting in January, I'm planning to enable the "Require compliant or hybrid Azure AD joined device" policy for all users, but excluding a few break glass and directory sync accounts. It's set to apply to all resources and right now it's only in Report Only mode. However, the report shows a failure rate of around 35%, and I'm confused by these failures. For instance, I selected "Require one of the selected controls" since we know 80% of our Windows devices are compliant. I thought that would allow it to pass to the "Require Microsoft Entra hybrid joined device" condition. But the reports don't reflect that logic.

When I check the failed sign-in logs, the details indicate that the grant controls weren't satisfied because a compliant device was needed, despite the device being hybrid joined. Why is it showing as a failure instead of passing due to the hybrid join?

1 Answer

Answered By GadgetGuru84 On

It sounds like a frustrating issue! When you see the failure reports, try checking the device info for those specific failed sign-ins. You might get a better idea of what's going wrong. Sometimes, devices can appear to be hybrid joined but may not be fully compliant due to configuration issues.

TechieTurtle92 -

I looked at one of the failed sign-ins and noticed there's no Device ID shown. Instead, it just says something like "Browser: Chrome 143.0.0". The IP is from our office, and it should be using a hybrid joined laptop, right? Why wouldn’t that pass? Also, it shows Windows 10, but the device is actually running Windows 11.
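Added example (not code from either poster): a small triage script that buckets exported sign-in records by the device identity they actually carried, so sign-ins with no Device ID (the Chrome case above, where neither control can be evaluated) are separated from hybrid-joined-but-non-compliant ones that a "require one of the selected controls" grant should accept. It assumes the Microsoft Graph signIn `deviceDetail` field names (`deviceId`, `trustType`, `isCompliant`, `browser`, `operatingSystem`) and the trust-type string `Hybrid Azure AD joined`; the log records are constructed.

```python
"""Bucket Entra sign-in log records by the device identity they presented.

Separates "no device identity in the sign-in" (neither compliance nor
hybrid join can be evaluated) from "hybrid joined but not compliant"
(which should satisfy a compliant-OR-hybrid-joined grant).
"""
import json
from collections import Counter

HYBRID_TRUST_TYPE = "Hybrid Azure AD joined"  # assumed Graph deviceDetail.trustType value

# Constructed sample export shaped after Graph signIn.deviceDetail fields; not real data.
SAMPLE_LOG = json.dumps([
    {"userPrincipalName": "alice@example.com",
     "deviceDetail": {"deviceId": "", "trustType": "", "isCompliant": False,
                      "browser": "Chrome 143.0.0", "operatingSystem": "Windows 10"}},
    {"userPrincipalName": "bob@example.com",
     "deviceDetail": {"deviceId": "00000000-0000-0000-0000-000000000002",
                      "trustType": HYBRID_TRUST_TYPE, "isCompliant": False,
                      "browser": "Edge 120.0.0", "operatingSystem": "Windows 10"}},
    {"userPrincipalName": "carol@example.com",
     "deviceDetail": {"deviceId": "00000000-0000-0000-0000-000000000003",
                      "trustType": "Azure AD registered", "isCompliant": True,
                      "browser": "Mobile Safari 17.0", "operatingSystem": "iOS"}},
])

def classify(record: dict) -> str:
    """Return which device-control bucket a single sign-in record falls in."""
    dev = record.get("deviceDetail") or {}
    if not dev.get("deviceId"):
        # The client never presented a device identity, so Entra cannot
        # evaluate either 'compliant' or 'hybrid joined' for this sign-in.
        return "no_device_identity"
    if dev.get("isCompliant"):
        return "compliant"
    if dev.get("trustType") == HYBRID_TRUST_TYPE:
        return "hybrid_joined_not_compliant"
    return "registered_not_compliant"

def satisfies_or_grant(bucket: str) -> bool:
    """'Require one of the selected controls' (compliant OR hybrid joined)."""
    return bucket in ("compliant", "hybrid_joined_not_compliant")

def triage(log_json: str) -> dict:
    """Count buckets and list users whose sign-ins carried no device ID."""
    records = json.loads(log_json)
    buckets = Counter(classify(r) for r in records)
    missing = [r["userPrincipalName"] for r in records
               if classify(r) == "no_device_identity"]
    return {"counts": dict(buckets), "no_device_identity_users": missing}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Feed it the JSON export of the failed sign-ins from the report-only view; users landing in `no_device_identity` are the ones whose browser session never carried the device identity, not hybrid-join failures.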
