MsalServiceException: AADSTS53001: Device is not in required device state: domain_joined.

Which Version of MSAL are you using ? Microsoft.Identity.Client v2.7.0

Platform UWP

What authentication flow has the issue?

• Desktop / Mobile
  • Interactive
  • Integrated Windows Auth
  • Username Password
  • Device code flow (browserless)
• Web App
  • Authorization code
  • OBO
• Web API
  • OBO

Other? - please describe;

Is this a new or existing app? The app is in production, I haven’t upgraded MSAL, but started seeing this issue. The conditional access policy to make sure de device is domain joined has been added to AAD. Also using the latest version of MSAL or even the Preview version of MSAL giving the same error.

Repro

• Enable the conditional access policy. https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/media/require-managed-devices/10.png
• On a domain joined device, the UWP app tries to acquire a token with scope “https://graph.microsoft.com/User.Read” or “https://outlook.office365.com/Calendars.Read”.

string[] scopes = new string[] { "https://graph.microsoft.com/User.Read" };
await publicClientApp.AcquireTokenByIntegratedWindowsAuthAsync(scopes);
or
await publicClientApp.AcquireTokenAsync(scopes);

• In Package.appxmanifest i added these capabilities.

  <Capabilities>
    <Capability Name="internetClient" />
    <Capability Name="privateNetworkClientServer" />
    <Capability Name="internetClientServer" />
    <uap:Capability Name="enterpriseAuthentication" /> 
    <uap:Capability Name="userAccountInformation" />
    <uap:Capability Name="sharedUserCertificates" />
  </Capabilities>

Expected behavior Acquire a token.

Actual behavior Receiving exception MsalServiceException. error: “interaction_required” error_description: “AADSTS53001: Device is not in required device state: domain_joined.”

Possible Solution I think the UWP app is not able to determine if the device is domain joined. Maybe i’m missing some capabilities?