Forum Discussion

colinkitchen
Copper Contributor
Aug 14, 2023

Device In Azure AD showing as not compliant, yet in Intune the device is fine and compliant

Hello All

I have several devices that are now failing SSO logins because Conditional Access is returning that the device is not compliant.

Checking the device in Azure AD (Entra) clearly shows the device is not compliant, which explains why the SSO logins are blocked.

But when I check the device in Intune (Endpoint), it shows the device is compliant and all good.

(You will have to take my word that the two screenshots are the same device, as the host name is blurred.)

When checking the device ID in Azure AD and Intune, they all match as you would expect.

The devices are checking in and syncing with Azure and Intune on a regular basis.

Azure is just not updating with the correct compliance status from Intune.

Any ideas what is happening?

Cheers

Colin

  • colinkitchen
    Copper Contributor

    I have a couple of solutions which I'm still testing. I still don't know what's causing this, which worries me.

    Fix 1
    This works and is quick, but I'm waiting to see if the device stays compliant or if it falls back into the mismatch.

    From PowerShell, import the AADInternals module:

    Import-Module -Name AADInternals

    Next, we need to grab an access token for MSGraph:

    Get-AADIntAccessTokenForAADGraph -SaveToCache

    This will prompt you to log in to Azure; you will need admin creds.

    To confirm the device is showing as not compliant in Azure:

    Get-AADIntDeviceCompliance -DeviceId AzureDeviceIDHere

    Now to switch it from noncompliant to compliant:

    Set-AADIntDeviceCompliant -DeviceId AzureDeviceIDHere -Compliant

    This does fix the device and the user is able to log in without Conditional Access getting in the way, but I don't know what caused this to go non-compliant in the first place or if the root cause will trip it again later (but it's been fine for 24 hours so far).

    Fix 2
    This also works and does not need PowerShell, but it takes a long time to fix.
    In Intune, we created a policy that was impossible to achieve; I used "must have a max Windows version" and set an old version.

    Applied this policy to the device, and waited for Intune to apply it and then mark the device as not compliant in Intune. Now Azure and Intune both agree on the device status.

    Once it was not compliant in Intune, I removed that policy from it and waited for Intune to mark it as compliant; at that point Azure also updated correctly.
    This method takes ages, as we need to wait for the device to sync with Intune a couple of times; on my test device it took several hours.

    To me it seems Azure got out of sync with Intune somehow, and would not update until there is a change on the Intune side, which would explain why both fixes seem to work.
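Added example, not code from the thread or from AADInternals: a read-only audit that finds every device where Intune's compliance state and the Entra ID `isCompliant` flag (the value Conditional Access actually evaluates) disagree, so the drift described above can be spotted across the tenant before users are blocked. It assumes the Microsoft Graph PowerShell SDK is installed and the signed-in account can read managed devices and directory devices.

```powershell
# Added example (not from the thread): report Intune vs Entra ID compliance drift.
# Assumes the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph) and
# an account that can consent to the two read-only scopes below.
Import-Module Microsoft.Graph.DeviceManagement
Import-Module Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All', 'Device.Read.All' -NoWelcome

$mismatches = foreach ($md in Get-MgDeviceManagementManagedDevice -All) {
    # Skip Intune records that never got a directory object (nothing to compare against).
    if (-not $md.AzureAdDeviceId -or $md.AzureAdDeviceId -eq '00000000-0000-0000-0000-000000000000') {
        continue
    }

    # Intune's view: complianceState is an enum (compliant, noncompliant, inGracePeriod, ...).
    $intuneCompliant = $md.ComplianceState -eq 'compliant'

    # Entra ID's view: the directory device carries a single isCompliant flag, looked up
    # by the deviceId both services share (the ID the original post says matches).
    $entra = Get-MgDevice -Filter "deviceId eq '$($md.AzureAdDeviceId)'" `
        -Property 'id,displayName,deviceId,isCompliant,approximateLastSignInDateTime'
    if (-not $entra) { continue }

    # A null isCompliant in the directory is treated as "not compliant", which is how CA treats it.
    if ($intuneCompliant -ne [bool]$entra.IsCompliant) {
        [pscustomobject]@{
            DeviceName       = $md.DeviceName
            AzureAdDeviceId  = $md.AzureAdDeviceId
            IntuneState      = $md.ComplianceState
            IntuneLastSync   = $md.LastSyncDateTime
            EntraIsCompliant = $entra.IsCompliant
            EntraLastSignIn  = $entra.ApproximateLastSignInDateTime
        }
    }
}

# Most recently synced devices first: a mismatch on a device that synced hours ago is
# the stuck case from this thread, not the normal few-minute replication delay.
$mismatches | Sort-Object IntuneLastSync -Descending | Format-Table -AutoSize
```

Because Entra ID can legitimately lag Intune by several minutes after a compliance change, a device that only synced minutes ago and disagrees may simply be mid-replication; the long-standing mismatches are the ones worth investigating.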

    • smaug_ca1520
      Copper Contributor

      It's now 2025. This is still happening.

      😔

    • Nitecon
      Copper Contributor

      colinkitchen

      My understanding from speaking to a Microsoft engineer is that the Intune database and the Azure AD (Entra ID) database are separate, and that there is a sync between the two. This can be anywhere between 5 and 15 minutes; however, I have seen it take as long as 2 hours. As far as I know, there is no way to force the databases to sync globally, or from the UI.

      • pdantro
        Copper Contributor

        Has anyone figured out the reason or fix for this? I am having the issue where the device was reporting compliance just fine; now it says the device isn't compliant in the CA logs, however when you go to the device in Azure it shows it is compliant.
  • Caz35w3
    Copper Contributor

    colinkitchen

    I'm also getting the same issue. Azure AD seems unreliable in reporting correct compliance status from Intune - therefore Conditional Access via compliance is useless.

    • colinkitchen
      Copper Contributor

      Kidd_Ip

      The sign-in logs don't give any more info than I posted before, or anything I can see of use.

      This is a sign-in from a device that shows as compliant in Intune but not in Azure AD.

      Going through the other tabs in the sign-in logs, all looks fine apart from the Conditional Access tab, which shows the sign-in blocked due to non-compliance.

      If there is something I have missed log-wise that you think will help, please let me know.

      Ta

      c