AzureAD / MSAL.PS

MIT License

Conditional access fails on unknown device when using Get-MsalToken with DeviceCode #51

Closed andersnese closed 2 years ago

andersnese commented 2 years ago

I am trying to get a token using Get-MsalToken -ClientId "xxxxx" -TenantId "xxxxx" -DeviceCode

I use Edge to go to https://microsoft.com/devicelogin, but after logging in I get the following error: Your sign-in was successful but your admin requires the device requesting access to be managed by XXXXXXXXX to access this resource.

Looking in the Sign-Ins log in AAD, I see that the login is blocked by a Conditional Access rule enforcing all logins to originate from managed AAD-joined devices. Basically, AAD does not recognize the device even though I am using Edge to login.

Is it possible to use the DeviceCode flow on AAD tenants blocking all logins from unmanaged devices?

jazuntee commented 2 years ago

This is a limitation of the device code flow in Azure AD today. Because the device authenticating could be different from the device receiving the token, device compliance on the authenticating device is not as important as device compliance on the originating device, so it fails the device compliance check. Yes, in most PowerShell cases it is the same device, but that cannot be validated, and that is not what device code flow was designed for.
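As an added illustration of the limitation described above (this is example code, not part of MSAL.PS or of this thread), the helper below runs the device code flow through Get-MsalToken, surfaces the failure when device-based Conditional Access rejects the sign-in, and optionally retries with an interactive sign-in on the same machine. The client ID, tenant ID and scope are placeholders, and the interactive fallback is an assumption that a browser-based sign-in on a managed device may carry the device identity the device code flow cannot; check that against the tenant's Conditional Access policies before relying on it.

```powershell
# Added example, not from MSAL.PS or the issue above.
# Assumptions: MSAL.PS is installed; $ClientId/$TenantId/$Scopes are placeholders;
# the -Interactive fallback is an assumption, not a documented workaround.
Import-Module MSAL.PS

function Get-TokenWithDeviceCodeCheck {
    param(
        [Parameter(Mandatory)] [string]   $ClientId,
        [Parameter(Mandatory)] [string]   $TenantId,
        [string[]] $Scopes = @('https://graph.microsoft.com/.default'),  # assumed scope
        [switch]   $AllowInteractiveFallback
    )

    try {
        # Device code flow: the browser session that signs in is separate from the
        # PowerShell process polling for the token, so Azure AD has no device identity
        # to evaluate against a "require managed device" Conditional Access policy.
        return Get-MsalToken -ClientId $ClientId -TenantId $TenantId -Scopes $Scopes -DeviceCode
    }
    catch {
        # Report what MSAL returned; the Conditional Access decision itself is recorded
        # in the tenant's Sign-ins log, which is where to confirm the block.
        Write-Warning ("Device code flow failed: {0}" -f $_.Exception.Message)

        if (-not $AllowInteractiveFallback) {
            # Fail closed: no token, caller decides what to do.
            throw
        }

        # Assumption: an interactive sign-in from this (managed) device may satisfy the
        # device-based policy because the browser, not a remote session, presents the device.
        Write-Verbose 'Retrying with an interactive sign-in on this device.'
        return Get-MsalToken -ClientId $ClientId -TenantId $TenantId -Scopes $Scopes -Interactive
    }
}

# Usage with placeholder values (not real identifiers):
# $t = Get-TokenWithDeviceCodeCheck -ClientId '00000000-0000-0000-0000-000000000000' `
#                                   -TenantId 'contoso.onmicrosoft.com' -AllowInteractiveFallback -Verbose
# $t.AccessToken
```

The point of the structure is that the device code path never silently "succeeds" under a device-based policy: either the tenant allows it, or the caller gets the MSAL error (and the matching Conditional Access failure in the Sign-ins log) and makes an explicit decision about the fallback.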

aleixsr commented 1 year ago

Hello, I'm getting this error since a few weeks ago: [image]

No code is being returned like it did.

Can you please help?