Description
With the SharePoint Admin Center Policy "Block access from apps on unmanaged devices" enabled, users are unable to log in to M365 CLI, even when using an ADJoined Device.
Login fails for all federated users.
Login is successful for cloud-only accounts (onmicrosoft accounts).
Steps to reproduce
Log in to https://tenantname-admin.sharepoint.com and enable the Access control policy for unmanaged devices.

This automatically creates an Azure AD Conditional Access Policy.

Log in to M365 CLI with "M365 Login" from a managed device
Open https://microsoft.com/devicelogin in a browser and enter the code provided by M365 Shell, click next
Enter email address in the "Sign in" window, click next
"...taking you to your organizations sign-in page" pops up briefly.
Message appears: Help us keep your device secure Your sign-in was successful but your admin requires the device requesting access to be managed by 'tenant-name' to access this resource.
Expected result
Successful sign in with the user provided during the sign-in dialog.
Actual result
Unable to Sign in.
Below the troubleshooting details, in the last line it says "Device State: DomainJoined"
When clicking okay, the browser is redirected to: https://login.microsoftonline.com/common/oauth2/nativeclient?error=access_denied&error_subcode=cancel
The logs show that the conditional access policy created in the first step above blocked the login.
Environment
M365 Version: v3.3.0
OS: Windows 10 Version 1909
We use AD FS, users are authenticated on-prem.
Thanks for looking into this
Matt