Conditional Access problem - OneDrive Sync client not passing device ID

Ying Wu 25 Reputation points
2023-10-25T17:32:40.2933333+00:00

We have a policy to block SharePoint access on unmanaged devices.

I have a user who can't log into his OneDrive, and in his sign-in logs the login is blocked by this policy because his device is unknown (there is no deviceID in the login details --> Device Info tab).

At the same time, he can log into SharePoint and Teams; those sign-ins have the device ID in the login details.

I don't understand why it works for some apps but not for OneDrive. How do I resolve this issue?

We have tried to reboot twice.

Thanks very much for your time and assistance.


Accepted answer
Marilee Turscak-MSFT 36,841 Reputation points Microsoft Employee
2023-10-27T22:34:14.35+00:00

Hi @Ying Wu !

In order to pass the device identity and satisfy device-based Conditional Access policies, it is necessary for the app to send the Primary Refresh Token. If all the other applications are able to send the PRT, it likely means that the device is correctly registered but for some reason the application is not able to send the PRT, in which case the issue would not be caused by Conditional Access itself but by the app.

That being said, you might be able to resolve this by unlinking the user account from OneDrive and signing in again to trigger a new PRT. (Let me know if this is the case, as this could suggest that the CA policy is not aware of the PRT.)

Without being able to see your sign-in logs it will be harder to isolate the root cause. That being said, if you still face the issue, you can feel free to send me an email at AzCommunity@microsoft.com ("Attn: Marilee Turscak") and include your subscription ID so that I can enable a one-time free support case for you.

https://video2.skills-academy.com/en-us/sharepoint/enable-conditional-access

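The accepted answer's diagnostic is that the device ID is missing only for the one app, which points at that client not presenting the PRT rather than at device registration or the policy. The script below, an added example that is not part of the thread and not Microsoft's code, automates that per-app comparison over an exported sign-in log. It assumes the JSON shape of the Microsoft Graph `auditLogs/signIns` resource (`appDisplayName`, `userPrincipalName`, `conditionalAccessStatus`, `deviceDetail.deviceId`, `appliedConditionalAccessPolicies[].result`); the events, policy name and device ID in it are constructed, not real tenant data.

```python
"""Per-application triage of exported Microsoft Entra ID sign-in events.

Added example for the thread above (not Microsoft's code). It assumes the JSON
shape of the Microsoft Graph `auditLogs/signIns` resource: each event carries
`appDisplayName`, `userPrincipalName`, `conditionalAccessStatus`, a `deviceDetail`
object whose `deviceId` is empty when no device identity (PRT) was presented, and
`appliedConditionalAccessPolicies` with a `result` per policy.
"""
import json
from collections import defaultdict

# Constructed export (not real data): one user, three apps. Only the OneDrive
# sign-in lacks a device ID, and it is the only one blocked by the policy.
SAMPLE_EXPORT = json.dumps([
    {
        "appDisplayName": "Microsoft SharePoint Online",
        "userPrincipalName": "user@example.com",
        "conditionalAccessStatus": "success",
        "deviceDetail": {"deviceId": "11111111-2222-3333-4444-555555555555",
                         "isManaged": True, "trustType": "Hybrid Azure AD joined"},
        "appliedConditionalAccessPolicies": [
            {"displayName": "Block SharePoint on unmanaged devices", "result": "success"}],
    },
    {
        "appDisplayName": "Microsoft Teams",
        "userPrincipalName": "user@example.com",
        "conditionalAccessStatus": "notApplied",
        "deviceDetail": {"deviceId": "11111111-2222-3333-4444-555555555555",
                         "isManaged": True, "trustType": "Hybrid Azure AD joined"},
        "appliedConditionalAccessPolicies": [
            {"displayName": "Block SharePoint on unmanaged devices", "result": "notApplied"}],
    },
    {
        "appDisplayName": "OneDrive SyncEngine",
        "userPrincipalName": "user@example.com",
        "conditionalAccessStatus": "failure",
        "deviceDetail": {"deviceId": "", "isManaged": False, "trustType": ""},
        "appliedConditionalAccessPolicies": [
            {"displayName": "Block SharePoint on unmanaged devices", "result": "failure"}],
    },
])


def load_export(raw):
    """Accept either a Graph response ({"value": [...]}) or a bare list export."""
    data = json.loads(raw)
    return data["value"] if isinstance(data, dict) else data


def triage_by_app(events, upn):
    """Group one user's sign-ins by app: count events, count those that carried a
    device ID, and collect the policies that reported 'failure' (a block)."""
    report = defaultdict(lambda: {"events": 0, "with_device_id": 0, "blocked_by": set()})
    for ev in events:
        if ev.get("userPrincipalName") != upn:
            continue
        entry = report[ev.get("appDisplayName", "<unknown app>")]
        entry["events"] += 1
        if (ev.get("deviceDetail") or {}).get("deviceId"):
            entry["with_device_id"] += 1
        for pol in ev.get("appliedConditionalAccessPolicies", []):
            if pol.get("result") == "failure":
                entry["blocked_by"].add(pol.get("displayName", "<unnamed policy>"))
    return dict(report)


def apps_missing_device_identity(report):
    """Apps that never presented a device ID while at least one other app for the
    same user did. That pattern points at the client not sending the PRT rather
    than at device registration or the policy; if no app presented one, the
    registration itself is suspect and there is nothing app-specific to report."""
    if not any(e["with_device_id"] > 0 for e in report.values()):
        return []
    return sorted(app for app, e in report.items() if e["with_device_id"] == 0)


if __name__ == "__main__":
    rep = triage_by_app(load_export(SAMPLE_EXPORT), "user@example.com")
    for app, e in rep.items():
        print(f"{app}: {e['with_device_id']}/{e['events']} sign-ins with device ID; "
              f"blocked by: {sorted(e['blocked_by']) or 'none'}")
    print("apps not presenting device identity:", apps_missing_device_identity(rep))
```

Run it against a real export by replacing `SAMPLE_EXPORT` with the file contents; an app listed by `apps_missing_device_identity` while its siblings pass is the case the answer describes, and re-linking that client (as suggested above) is the first thing to try before touching the policy.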
