Entra Conditional Access Policy Issue

Cindy Zhang 20

I am the IT administrator of our company, and for security concerns, I set up one new conditional access policy in Entra, the policy is that our employees' MS accounts can only logged from Intune registered and compliant devices, the policy works well with almost everyone except one user. This user uses Android phone and windows laptop, the issue is with his android phone. He can't use applications which need to login his MS account, and the alerts continue popping up asking him to type in credentials. I checked his sign-in logs and found there were a lot of Gmail login trials, so I excluded Gmail from the policy, and I also excluded his android phone from the policy by adding the phone's Entra device ID. However, he still cannot use the applications and still receives a lot of alerts. The sign-in logs show there are still Gmail login attempts after this user uninstalled Gmail from his phone. That is really weird. I don't know how to fix this issue.

Xenia-MSFT 3,520 Reputation points Microsoft Vendor

2025-01-09T05:51:39.66+00:00

@Cindy Zhang Thanks for posting in our Q&A.

For this issue, could you please tell us which app continue popping up asking the user to type in credentials?

In addition, based on my understanding, if the android device is excluded from this conditional access policy, this conditional access policy will not apply to this device.

If there is anything update, feel free to let us know.
Chaithra E 85 Reputation points Microsoft Vendor

2025-01-09T17:09:39.2633333+00:00
Hello @Cindy Zhang ,

As discussed, I understand the issue is related to a specific Conditional Access policy affecting a user on their Android phone, but not on their Windows laptop, and that the device has been excluded from the policy.

To help us further investigate, could you please let us know which app is prompting the user to enter their credentials repeatedly?

Additionally, could you please:

Check the device compliance status in Intune?

Review the Entra sign-in logs in the Azure portal for any details regarding the sign-in failure?

Once you have this information, please share any relevant logs or screenshots (ensuring that personally identifiable information is removed).

Thank you

1 answer

Cindy Zhang 20 Reputation points

2025-01-09T16:16:06.04+00:00

The alert popped up and led the user to open 'Company Portal' and type in credentials. 'Company Portal' is the Microsoft application used to register the device.

That's the weird thing, I added one condition into the policy, if the device ID equals this user's phone's Entra device ID, the device will be excluded from this policy. I don't know why he still received the alerts.
Please sign in to rate this answer.
Xenia-MSFT 3,520 Reputation points Microsoft Vendor

2025-01-10T02:40:18.95+00:00

@Cindy Zhang It is strange. I haven't met this issue. It seems needed to check some logs on your device to find the root cause. With Q&A limitation, Q&A is not a good channel for such log analysis issue. Given this situation, we suggest creating an online support ticket do the troubleshooting. Here is the support link:

https://learn.microsoft.com/en-us/mem/get-support

Chaithra E 85 Reputation points Microsoft Vendor

2025-01-10T16:47:23.12+00:00

Hello @Cindy Zhang ,

Following up on Xenia’s comment, I agree that due to the limitations of the Q&A channel for log analysis, we should raise a support ticket with Microsoft to address the issue.
Please submit a ticket for troubleshooting via the following link: Microsoft Support.

Thank you.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Entra Conditional Access Policy Issue

1 answer

Your answer