Configure and block SharePoint Online on Unmanaged Devices

Kevin Long Nguyen 20

Hello everyone,

I've configured SharePoint's access control - block unmanaged devices with the following conditional access policies:

Target resources: Office 365 SharePoint Online
Conditions: Client apps - Mobile apps & desktop clients
Grant access: Require device to be marked as compliant
Require Microsoft Entra hybrid joined device

My concern is that I am testing on my IOS device, which has already been registered and compliant with company portal is not allowed to sign-in Teams/SharePoint at all. What am I doing wrong?

User's image

The error while attempting to login was only "An error occurred." on Teams, and within the MS Authenticator it states the following:
User's image

Simon Burbery 681 Reputation points

2024-09-16T05:24:44.7233333+00:00

Can you confirm under "Grant" where you selected "Require device to be marked as compliant" and "Require Microsoft Entra hybrid joined device", at the bottom there is a selection for "Require all the selected controls" or "Require one of the selected controls". If that is set to "Require all the selected controls" that would explain the behavior.

Accepted answer

Simon Burbery 681 Reputation points

2024-09-16T05:24:14.81+00:00

Can you confirm under "Grant" where you selected "Require device to be marked as compliant" and "Require Microsoft Entra hybrid joined device", at the bottom there is a selection for "Require all the selected controls" or "Require one of the selected controls". If that is set to "Require all the selected controls" that would explain the behavior.
Please sign in to rate this answer.
Simon Burbery 681 Reputation points

2024-09-16T05:32:57.5733333+00:00

I would also set Client Apps to "Not Configured" as you want it to apply to any connection.

Kevin Long Nguyen 20 Reputation points

2024-09-16T06:03:14.0933333+00:00

Hi Simon
I can confirmed I have "Require all the selected controls" selected

Kevin Long Nguyen 20 Reputation points

2024-09-16T06:04:51.9166667+00:00

Seems like it doesn't want me to unselect all options and leave as not configured

Simon Burbery 681 Reputation points

2024-09-17T01:08:55.12+00:00

Okay - since you require all controls, your Android phone would need to be Compliant AND Hybrid Joined, which only applies to Windows clients. Change this to "One of the selected controls".

Simon Burbery 681 Reputation points

2024-09-17T01:10:55.4033333+00:00

You can select all of the client options, as you want it to apply to all, or just create a new policy and don't configure them (it applies to all by default). Hope that helped, cheers!

Kevin Long Nguyen 20 Reputation points

2024-09-17T02:59:23.6366667+00:00

Thank you Simon, that worked weirdly because the first time I chose One of the selected controls it did not worked, that was why I resorted to the other option. Nonetheless, the conditional access works fine now and as intended.

Simon Burbery 681 Reputation points

2024-09-17T03:18:17.5266667+00:00

Good stuff and thanks for accepting the answer 🙂

AllenXu-MSFT 21,046 Reputation points Microsoft Vendor

2024-10-03T02:20:58.37+00:00

@Simon Burbery ,

Thanks for your great answer and follow up :)
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Configure and block SharePoint Online on Unmanaged Devices

0 additional answers

Your answer