Conditional Access Conundrum: When Azure Reports Differ from Device Compliance

Question:

I am in the process of implementing a Conditional Access policy that restricts access to only those devices that are compliant. However, I’ve encountered a discrepancy: several devices are marked as compliant within both Azure and Intune, yet the Azure sign-in logs indicate otherwise. Could you shed light on what might be causing this inconsistency?

Answer:

When implementing a Conditional Access policy that restricts access to compliant devices, it’s crucial to ensure that the compliance status of devices is accurately reflected across all management platforms. In the scenario where devices are marked as compliant in both Azure and Intune, but the Azure sign-in logs show a different status, there are several potential factors to consider.

Synchronization Timing

The most common cause of such discrepancies is the timing of synchronization between Intune and Azure Active Directory (Azure AD). Compliance status is determined by Intune and then reported to Azure AD. If there’s a delay in this reporting, the sign-in logs may not immediately reflect the latest status.

Policy Configuration

Another aspect to examine is the configuration of the Conditional Access policy itself. Ensure that the policy is correctly targeting the intended user groups and device states. Misconfiguration can lead to unexpected results in the sign-in logs.

Device Communication

Check the communication status of the affected devices. If a device hasn’t checked in with Intune for an extended period, its compliance status in Azure AD might not be up to date. This can happen if the device is offline or if network issues are preventing it from communicating with Intune.

User and Device Group Membership

Review the group memberships for both users and devices. Changes in group membership can affect access if the Conditional Access policy is group-based. It’s possible that the sign-in logs are reflecting a previous state before the latest group memberships have propagated.

Intune Compliance Policy Settings

Examine the specific compliance policies set in Intune. There might be settings that are not correctly applied or policies that conflict with each other, causing the compliance status to be reported incorrectly.

Azure AD Sign-In Logs

Lastly, the Azure AD sign-in logs themselves should be scrutinized. Look for any errors or warnings that could indicate why the device is not recognized as compliant. This can include issues with user credentials, device authentication, or policy application.
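The checks above (synchronization timing, device check-in, and the sign-in log's own device state) can be run as one triage pass once you have exported the sign-in records and Intune's device list. The script below is an added example, not code from the original post: it correlates each sign-in that Conditional Access failed on a device it saw as non-compliant with Intune's record for that device and labels the likely cause. The record shapes follow Microsoft Graph's signIn (`deviceDetail.isCompliant`, `conditionalAccessStatus`, `createdDateTime`) and managedDevice (`azureADDeviceId`, `complianceState`, `lastSyncDateTime`) resources, but every record in it is constructed sample data, and the seven-day stale-check-in threshold is an assumed value, not a Microsoft default.

```python
"""Triage sign-ins that Conditional Access rejected as non-compliant against Intune's view.

Added example, not from the original post. Field names follow Microsoft Graph's signIn and
managedDevice resources; the records themselves are constructed sample data, and the
stale-check-in window is an assumption, not a Microsoft default.
"""
from datetime import datetime, timedelta, timezone

# --- constructed sample data ---------------------------------------------------
# Shaped like GET /auditLogs/signIns; deviceDetail is the state Conditional Access evaluated.
SIGN_INS = [
    {"id": "s1", "userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-05-01T09:00:00Z",
     "conditionalAccessStatus": "failure",
     "deviceDetail": {"deviceId": "dev-aaa", "isCompliant": False, "isManaged": True}},
    {"id": "s2", "userPrincipalName": "bob@contoso.example", "createdDateTime": "2024-05-01T10:00:00Z",
     "conditionalAccessStatus": "failure",
     "deviceDetail": {"deviceId": "dev-bbb", "isCompliant": False, "isManaged": True}},
    {"id": "s3", "userPrincipalName": "carol@contoso.example", "createdDateTime": "2024-05-01T11:00:00Z",
     "conditionalAccessStatus": "failure",
     "deviceDetail": {"deviceId": "dev-ccc", "isCompliant": False, "isManaged": True}},
    {"id": "s4", "userPrincipalName": "dave@contoso.example", "createdDateTime": "2024-05-01T12:00:00Z",
     "conditionalAccessStatus": "failure",
     "deviceDetail": {"deviceId": "dev-ddd", "isCompliant": False, "isManaged": False}},
    {"id": "s5", "userPrincipalName": "erin@contoso.example", "createdDateTime": "2024-05-01T13:00:00Z",
     "conditionalAccessStatus": "success",
     "deviceDetail": {"deviceId": "dev-eee", "isCompliant": True, "isManaged": True}},
    {"id": "s6", "userPrincipalName": "frank@contoso.example", "createdDateTime": "2024-05-01T09:00:00Z",
     "conditionalAccessStatus": "failure",
     "deviceDetail": {"deviceId": "dev-fff", "isCompliant": False, "isManaged": True}},
]
# Shaped like GET /deviceManagement/managedDevices; azureADDeviceId matches deviceDetail.deviceId.
MANAGED_DEVICES = [
    {"deviceName": "LAPTOP-AAA", "azureADDeviceId": "dev-aaa", "complianceState": "compliant",
     "lastSyncDateTime": "2024-05-01T09:30:00Z"},   # reported compliant 30 min after the sign-in
    {"deviceName": "LAPTOP-BBB", "azureADDeviceId": "dev-bbb", "complianceState": "compliant",
     "lastSyncDateTime": "2024-04-10T08:00:00Z"},   # last check-in three weeks ago
    {"deviceName": "LAPTOP-CCC", "azureADDeviceId": "dev-ccc", "complianceState": "noncompliant",
     "lastSyncDateTime": "2024-05-01T10:45:00Z"},
    {"deviceName": "LAPTOP-EEE", "azureADDeviceId": "dev-eee", "complianceState": "compliant",
     "lastSyncDateTime": "2024-05-01T12:50:00Z"},
    {"deviceName": "LAPTOP-FFF", "azureADDeviceId": "dev-fff", "complianceState": "compliant",
     "lastSyncDateTime": "2024-05-01T07:00:00Z"},   # fresh check-in, both sides say compliant
]


def parse_ts(value):
    """Parse a Graph UTC timestamp such as '2024-05-01T09:00:00Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def classify(sign_in, device, stale_after=timedelta(days=7)):
    """Explain why Conditional Access saw this sign-in's device as non-compliant.

    Returns one of: not_enrolled, intune_noncompliant, stale_checkin, sync_lag, unexplained.
    """
    if device is None:
        return "not_enrolled"                     # no Intune record for the device id in the log
    if device["complianceState"] != "compliant":
        return "intune_noncompliant"              # Intune agrees; look at the compliance policies
    signed_in_at = parse_ts(sign_in["createdDateTime"])
    last_sync = parse_ts(device["lastSyncDateTime"])
    if last_sync < signed_in_at - stale_after:
        return "stale_checkin"                    # device has not talked to Intune recently
    if last_sync > signed_in_at:
        return "sync_lag"                         # compliance was reported only after the sign-in
    return "unexplained"                          # both sides compliant: check policy targeting/groups


def find_discrepancies(sign_ins, devices, stale_after=timedelta(days=7)):
    """Return a finding for every sign-in that failed CA on a device the log marks non-compliant."""
    by_id = {d["azureADDeviceId"]: d for d in devices}
    findings = []
    for s in sign_ins:
        detail = s.get("deviceDetail") or {}
        if s.get("conditionalAccessStatus") != "failure" or detail.get("isCompliant"):
            continue  # CA passed, or the failure was not about device compliance
        device = by_id.get(detail.get("deviceId"))
        findings.append({
            "signInId": s["id"],
            "user": s["userPrincipalName"],
            "deviceId": detail.get("deviceId"),
            "reason": classify(s, device, stale_after),
        })
    return findings


NEXT_STEP = {
    "not_enrolled": "device is not in Intune; enrol it or exclude it from the policy",
    "intune_noncompliant": "Intune also reports non-compliant; review the compliance policy settings",
    "stale_checkin": "device has not checked in recently; get it online and force a sync",
    "sync_lag": "compliance was reported after the sign-in; retry and check the next sign-in",
    "unexplained": "both sides report compliant; review CA policy targeting and group membership",
}

if __name__ == "__main__":
    for f in find_discrepancies(SIGN_INS, MANAGED_DEVICES):
        print(f"{f['signInId']} {f['user']} {f['deviceId']}: {f['reason']} -> {NEXT_STEP[f['reason']]}")
```

In practice the two lists come from the Graph endpoints named in the comments (or from the sign-in and device exports in the portal); the point of the correlation is that the sign-in log records the compliance state Conditional Access actually evaluated at that moment, so comparing it with Intune's `lastSyncDateTime` separates a reporting delay from a device that simply has not checked in, and leaves policy targeting and group membership as the remaining suspects only when both sides agree.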

In conclusion, resolving this discrepancy will likely require a thorough review of the synchronization processes, policy configurations, device communication status, group memberships, and specific settings within Intune and Azure AD. By methodically checking each of these areas, you can identify and rectify the cause of the inconsistency, ensuring that your Conditional Access policy functions as intended.
