Help with Defender for Cloud Apps Blocking SharePoint Downloads

Asked By CuriousWanderer42 On

I'm having an issue with our session policy that's set to control file downloads, and it seems to intermittently block all file downloads from SharePoint for some users, despite their devices being classified as compliant in Intune. We've done some basic troubleshooting like clearing caches and testing in private browsing modes, plus we revoked user sessions via Entra, but nothing seems to help. Has anyone experienced this issue or can suggest what might be going wrong? Here's a quick rundown of the policy settings: Control file download (with inspection), user group is set to XYZ, and device tag must not equal Intune Compliant. Appreciate any insights!

3 Answers

Answered By CloudNerd101 On

Keep in mind that Intune compliance states don't sync immediately to Entra and then to Defender for Cloud Apps. If a session starts during that delay, MDCA might evaluate against an outdated compliance tag. Check the MDCA activity log for those users and see what device tag was evaluated at the time of the block, not what it shows now. It's also important to ensure the browser sessions are being routed through the reverse proxy correctly; inconsistent routing might look like a tag issue, but isn’t. Check the sign-in logs to see if the session was actually proxied; this will clarify whether it’s a tagging issue or something else.
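To make the "what tag was evaluated at the time, not what it shows now" check concrete, here is an added example (not code from the thread or from Microsoft) that lines up three views for one user: Intune's current compliance state, the current Entra device object, and the device details and Conditional Access outcome recorded on each SharePoint sign-in. It uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Reports, Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.DeviceManagement). Two things are assumptions: that the SharePoint resource carries "SharePoint" in its display name, and that a sign-in routed through Conditional Access App Control lists "cloudAppSecurity" under the applied policy's enforcedSessionControls.

```powershell
<#
Added example (not part of the thread): for one user, compare what Intune says
about the device now, what the Entra device object says now, and what the
sign-in actually carried when SharePoint was accessed. Requires the Microsoft
Graph PowerShell SDK and the scopes requested below.
#>
param(
    [Parameter(Mandatory)][string]$UserPrincipalName,
    [int]$Hours = 24
)

Connect-MgGraph -Scopes 'AuditLog.Read.All','Directory.Read.All','DeviceManagementManagedDevices.Read.All' -NoWelcome

# Intune's current view of each device enrolled for this user, keyed by Entra device ID.
$intuneByDeviceId = @{}
Get-MgDeviceManagementManagedDevice -Filter "userPrincipalName eq '$UserPrincipalName'" -All |
    ForEach-Object { if ($_.AzureAdDeviceId) { $intuneByDeviceId[$_.AzureAdDeviceId] = $_ } }

$since = (Get-Date).ToUniversalTime().AddHours(-$Hours).ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$UserPrincipalName' and createdDateTime ge $since"

$rows = foreach ($s in $signIns) {
    # Assumption: the SharePoint resource has "SharePoint" in its display name.
    if ($s.ResourceDisplayName -notlike '*SharePoint*') { continue }

    $deviceId = $s.DeviceDetail.DeviceId
    $entra = $null
    if ($deviceId) {
        $entra = Get-MgDevice -Filter "deviceId eq '$deviceId'" -ErrorAction SilentlyContinue | Select-Object -First 1
    }
    $intune = if ($deviceId) { $intuneByDeviceId[$deviceId] }

    # Was the session handed to Defender for Cloud Apps? Assumption: a policy that
    # applied with result 'success' lists the app-control session control with
    # "cloudAppSecurity" in enforcedSessionControls.
    $proxied = [bool]($s.AppliedConditionalAccessPolicies |
        Where-Object { $_.Result -eq 'success' -and (($_.EnforcedSessionControls -join ',') -match 'cloudAppSecurity') })

    [pscustomobject]@{
        Time              = $s.CreatedDateTime
        Browser           = $s.DeviceDetail.Browser
        DeviceId          = if ($deviceId) { $deviceId } else { '(none presented)' }
        SignInCompliant   = $s.DeviceDetail.IsCompliant   # what Entra evaluated at sign-in time
        SignInManaged     = $s.DeviceDetail.IsManaged
        EntraCompliantNow = if ($entra)  { $entra.IsCompliant }     else { $null }
        IntuneStateNow    = if ($intune) { $intune.ComplianceState } else { $null }
        IntuneLastSync    = if ($intune) { $intune.LastSyncDateTime } else { $null }
        CAStatus          = $s.ConditionalAccessStatus
        ProxiedToMdca     = $proxied
    }
}

$rows | Sort-Object Time -Descending | Format-Table -AutoSize

# The two cases worth flagging: no device identity presented at all (browser/SSO
# problem), and a sign-in that evaluated non-compliant while Intune now says
# compliant (stale state at evaluation time).
$rows | Where-Object { $_.DeviceId -eq '(none presented)' } |
    ForEach-Object { Write-Warning "$($_.Time) $($_.Browser): browser did not present a device identity" }
$rows | Where-Object { $_.SignInCompliant -ne $true -and $_.IntuneStateNow -eq 'compliant' } |
    ForEach-Object { Write-Warning "$($_.Time) $($_.Browser): evaluated non-compliant but Intune reports compliant now; compare IntuneLastSync with Time" }
```

Run it as `.\Get-SignInDeviceEvidence.ps1 -UserPrincipalName user@contoso.com -Hours 48` (file name is your choice). A row with `ProxiedToMdca = False` means the block did not come from the session policy at all; a row with `SignInCompliant = False` next to `IntuneStateNow = compliant` and an `IntuneLastSync` later than `Time` is the sync-delay case the answer describes.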

Answered By TechWizard007 On

Have you tried forcing a sync from the Intune portal on the affected devices? Revoking sessions in Entra might not clear the stale compliance tag in Defender; you might need to push an updated compliance state through Intune directly. It's worth a shot!

CuriousWanderer42 -

Good point! I'll get them to test that and report back.

Answered By SystemGuru88 On

It sounds like the browser might not be passing the device identity to Entra correctly, which could cause Defender for Cloud Apps to see those sessions as non-compliant. When one of the affected users gets blocked, check their sign-in details in Entra ID under Monitoring and look at the Device info tab. If it shows as not compliant, that could confirm the problem. Make sure Chrome has `CloudAPAuthEnabled` set to `DWORD:1` in the registry, or consider deploying the Microsoft Single Sign-On extension. If they're using Edge, they need to be signed in with their work account, not a personal one. Using Incognito or InPrivate browsing can also disrupt the device check. Are all four users using the same browser?

CuriousWanderer42 -

The latest user is on Edge, and their sign-ins show as compliant. They're also confirmed to be using their work profile.
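The device-side checks from the answers above (Chrome's `CloudAPAuthEnabled` policy, whether the machine can present a device identity at all, and pushing a fresh compliance report instead of waiting on the portal), as an added example that is not code from the thread or from Microsoft. Run it in the affected user's own session, from an elevated prompt for the registry write. The `PushLaunch` scheduled task under `\Microsoft\Windows\EnterpriseMgmt\` is an assumption: it is a commonly used local equivalent of the portal "Sync" action, not a documented Intune API.

```powershell
<#
Added example (not part of the thread): device-side checks for the affected
Windows machine. Run in the affected user's session; step 1 needs elevation.
#>

# 1. Chrome passes the device identity (PRT) to Entra only when this policy is 1.
$chromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$current = (Get-ItemProperty -Path $chromePolicy -Name CloudAPAuthEnabled -ErrorAction SilentlyContinue).CloudAPAuthEnabled
if ($current -eq 1) {
    'Chrome: CloudAPAuthEnabled already 1'
} else {
    try {
        if (-not (Test-Path $chromePolicy)) { New-Item -Path $chromePolicy -Force | Out-Null }
        Set-ItemProperty -Path $chromePolicy -Name CloudAPAuthEnabled -Value 1 -Type DWord
        "Chrome: CloudAPAuthEnabled was '$current', now 1; restart Chrome so the policy applies"
    } catch {
        Write-Warning "Chrome: could not set CloudAPAuthEnabled (run elevated): $_"
    }
}

# 2. Registration and PRT state as the machine sees it. dsregcmd reports the PRT
#    for the user running it, which is why this belongs in the affected user's session.
$status = @{}
foreach ($line in (dsregcmd /status)) {
    if ($line -match '^\s*(AzureAdJoined|DomainJoined|DeviceId|TenantName|AzureAdPrt)\s*:\s*(.+?)\s*$') {
        $status[$Matches[1]] = $Matches[2]
    }
}
$status.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
if ($status['AzureAdJoined'] -ne 'YES') {
    Write-Warning 'Device is not Entra joined or hybrid joined; no device identity can reach Entra'
}
if ($status['AzureAdPrt'] -ne 'YES') {
    Write-Warning 'No Primary Refresh Token for this user; sign out and back in, then re-check'
}

# 3. Trigger an Intune check-in so the current compliance state is reported.
#    Assumption: the MDM enrollment's PushLaunch task is what the portal "Sync" drives.
$task = Get-ScheduledTask -TaskName 'PushLaunch' -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' }
if ($task) {
    $task | Start-ScheduledTask
    "Intune: sync triggered via $($task.TaskPath)PushLaunch"
} else {
    Write-Warning 'Intune: PushLaunch task not found; device may not be MDM enrolled'
}
```

The `DeviceId` that dsregcmd prints is the Entra device ID; it should match the device ID shown on the user's sign-in in the Entra portal. If the sign-in shows no device ID while dsregcmd shows one and `AzureAdPrt : YES`, the browser (profile, extension or policy) is the part dropping the identity, not the device or Intune.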
