While a Chrome browser opened by Selenium tries to execute Enable replication in the Azure portal, it throws a "Conditional Access Failure" pop-up asking me to sign in again. After clicking Sign in again, it throws the following: "Device state: Unregistered". But my device is registered in Azure, and it works in a regular Chrome browser; it only fails when the Chrome browser is opened by automation code (we are using Selenium).

In Azure AD:

Sign-in error code: 53000 Failure reason: Device is not in required device state: {state}. Conditional Access policy requires a compliant device, and the device is not compliant. The user must enroll their device with an approved MDM provider like Intune.

Additional Details: Your administrator might have configured a conditional access policy that allows access to your organization's resources only from compliant devices. To be compliant, your device must be either joined to your on-premises Active Directory or joined to your Azure Active Directory. More details available at https://learn.microsoft.com/azure/active-directory/active-directory-conditional-access-device-remediation (Troubleshooting compliance error messages for a work or school account)


There is 1 answer below


Please check the compatibility of Selenium WebDriver with your browser. You may try upgrading/downgrading your browser to the version supported by the latest Selenium driver, or vice versa. Otherwise, the ChromeDriver used by Selenium may be the cause of the issue.

Note: Azure AD may also take the device security state into account, i.e. whether suspicious behaviour has been detected on the device, when determining device compliance.

You may need to install the Windows extension when Conditional Access is used.

Please check the scenarios for the Conditional Access policy, to see whether any of them applies in your case:

1. Administrators only want users on Intune-compliant devices on the corporate network to be granted access to register their credentials. All others should be blocked from registering credentials by Conditional Access.

Note: If the user's sign-in does not satisfy the conditions of a policy using a Grant control that is not set to Block, ESTS will issue the user an ACRS claim in their id_token. This will allow them to register their credentials.

2. Administrators want all users to be blocked from registering their credentials by Conditional Access, except for those users that are on Hybrid Domain Joined computers.

You may review the Azure AD sign-in events to see which Conditional Access policy or policies were applied and why:

1. Sign in to the Azure portal as a Global Administrator, Security Administrator, or Global Reader.
2. Go to Azure Active Directory > Sign-ins.
3. Look for the sign-in to review and filter out unnecessary information.

To investigate further, click on the policy name. A Conditional Access policy will only apply successfully when all of its configured conditions are satisfied. Check all the details and see whether you missed any configuration.

Check whether the policies require Azure AD joined or Hybrid Azure AD joined devices, and compare that with your device info if it is configured.


See Troubleshooting sign-in problems with Conditional Access for more info.

Alternatively, you can run the command dsregcmd /status as an administrator to understand the state of the device in Azure Active Directory (Azure AD).

If something was missed, ask an administrator with access to the Azure portal to disable the policy that is impacting your sign-in. Otherwise, raise a support request.

Also refer to Azure AD Conditional Access Device Conditions for Device State.
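As an added illustration (not part of the original answer), the following Python script performs the local half of the check the answer describes: it parses the Device State, User State and SSO State sections of dsregcmd /status output and compares the result with the device states a Conditional Access policy may require (Azure AD joined or Hybrid Azure AD joined). The dsregcmd excerpt is a constructed sample in the layout the tool prints, not output captured from a real machine, and REQUIRED_STATES is an assumed example policy. A Primary Refresh Token (PRT) check is included because a browser session can only prove the device's join state to Azure AD if it can present the PRT; a Chrome instance started by ChromeDriver normally runs with a fresh temporary profile, which is one plausible reason an automated session is evaluated as "Unregistered" while a normal Chrome window on the same machine passes.

```python
import re

# Constructed sample in the layout `dsregcmd /status` prints on Windows; it
# is NOT output captured from a real machine. Only the sections this script
# reads are included.
SAMPLE_DSREGCMD_OUTPUT = """
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : NO
             WamDefaultSet : YES

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2023-05-01 10:00:00.000 UTC
"""

# Assumed example policy: the device states the Conditional Access policy in
# this scenario is taken to accept. Adjust to what the Sign-ins blade shows.
REQUIRED_STATES = {"Azure AD joined", "Hybrid Azure AD joined"}

# dsregcmd prints one "Key : Value" pair per line; the box-drawing header
# lines start with '+' or '|' and never match.
KEY_VALUE = re.compile(r"^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$")


def parse_dsregcmd(text):
    """Turn the 'Key : Value' lines of dsregcmd output into a dict."""
    fields = {}
    for line in text.splitlines():
        m = KEY_VALUE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def device_join_state(fields):
    """Map the dsregcmd join flags to the state names used in CA policy."""
    aad_joined = fields.get("AzureAdJoined") == "YES"
    domain_joined = fields.get("DomainJoined") == "YES"
    if aad_joined and domain_joined:
        return "Hybrid Azure AD joined"
    if aad_joined:
        return "Azure AD joined"
    if fields.get("WorkplaceJoined") == "YES":
        return "Azure AD registered"
    if domain_joined:
        return "Domain joined only"
    return "Not joined"


def has_prt(fields):
    """True when the signed-in user has a Primary Refresh Token to present."""
    return fields.get("AzureAdPrt") == "YES"


def evaluate(text, required_states=REQUIRED_STATES):
    """Return the join state, PRT presence and a verdict for the local device.

    The verdict covers only what the machine can show; the final decision is
    Azure AD's and is visible in the sign-in log's Conditional Access details.
    """
    fields = parse_dsregcmd(text)
    state = device_join_state(fields)
    prt = has_prt(fields)
    if state not in required_states:
        verdict = "device state %r does not satisfy the policy" % state
    elif not prt:
        verdict = "join state is acceptable but no PRT is present, so the browser cannot prove it"
    else:
        verdict = "device state and PRT look acceptable; check the browser profile / extension next"
    return {"state": state, "has_prt": prt, "verdict": verdict}


if __name__ == "__main__":
    report = evaluate(SAMPLE_DSREGCMD_OUTPUT)
    for key, value in report.items():
        print("%-9s %s" % (key + ":", value))
```

On a real machine, redirect the tool's output to a file (dsregcmd /status > status.txt from an elevated prompt) and pass the file contents to evaluate(). If the verdict says the device state and PRT are acceptable but the Selenium-driven session still fails, the difference lies in the browser session rather than the device, which points at the profile or extension the answer mentions.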