Gerenios / AADInternals

AADInternals PowerShell module for administering Azure AD and Office 365
http://aadinternals.com/aadinternals
MIT License

Device is not in required device state: compliant #3

Closed Rostes closed 3 years ago

Rostes commented 3 years ago

Hi Nestori Syynimaa, thanks for your article. It looks really cool. I tested it in a test environment and encountered some difficulty.

When using Invoke-AadIntPhishing, I successfully received the refresh token, but it seems that I only get it for graph.windows.net. And when I want to use the token to send a message (Outlook or Teams), I get the following error: "Device is not in required device state: compliant." Looking forward to reading from you.

NestoriSyynimaa commented 3 years ago

First, the function can return only one access token, which in this case is for graph.windows.net. But you can use the -SaveToCache switch to also get tokens for Outlook and Teams saved to the cache.

Second, it seems that your organisation has conditional access policies in place blocking devices that are non-compliant. The "device" here refers to the deviceid claim of the access token. If it does not exist, the device is always non-compliant. And you can't get the deviceid claim using the device code authentication method.

You can use Read-AADIntAccessToken to see the claims.
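The claim check described in the reply above, as an added stand-alone example (it is not code from the AADInternals project or from either participant): it decodes a JWT payload without any module and reports the audience and whether a deviceid claim is present. The token string is constructed inline for illustration; the function and variable names are this example's own. Read-AADIntAccessToken shows the same claims from a real token.

```powershell
# Added example, not part of AADInternals. Decodes (does NOT validate) a JWT
# payload so you can see why Conditional Access treats the token's "device"
# as non-compliant: a device-code-flow token simply has no deviceid claim.

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw "Not a JWT: expected header.payload.signature" }
    # Payload is base64url: restore standard alphabet and padding before decoding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return $json | ConvertFrom-Json
}

function Test-DeviceClaim {
    param([Parameter(Mandatory)][string]$Token)
    $claims = ConvertFrom-JwtPayload -Token $Token
    # Missing or empty deviceid -> Conditional Access cannot evaluate compliance
    $hasDevice = -not [string]::IsNullOrEmpty($claims.deviceid)
    [pscustomobject]@{
        Audience    = $claims.aud
        UPN         = $claims.upn
        AuthMethods = ($claims.amr -join ',')
        HasDeviceId = $hasDevice
        DeviceId    = $claims.deviceid
    }
}

function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

# Constructed sample token (hypothetical values, unsigned): the shape of a
# device-code-flow access token for graph.windows.net with no deviceid claim.
$header  = @{ typ = 'JWT'; alg = 'RS256' } | ConvertTo-Json -Compress
$payload = @{
    aud = 'https://graph.windows.net'
    upn = 'user@example.onmicrosoft.com'
    amr = @('pwd')
    exp = 1700000000
} | ConvertTo-Json -Compress
$sampleToken = "$(ConvertTo-Base64Url $header).$(ConvertTo-Base64Url $payload).fakesignature"

# Expected: HasDeviceId is False, so a "require compliant device" policy blocks it
Test-DeviceClaim -Token $sampleToken
```

Paste a real token into Test-DeviceClaim to confirm the same thing on your tenant: if HasDeviceId is False, the error is the policy working as intended, not a problem with the cached Outlook or Teams tokens. Note that this only decodes the payload; it performs no signature verification and should not be used to trust a token.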