AADSTS50131: Device is not in required device state

The error "AADSTS50131: Device is not in required device state" is not encountered every day. But when it does occur, many are at a loss, not least because the error and its cause are hardly documented, and what documentation exists is hard to find. You can find out how to fix the AADSTS50131 error here.

Occurrence of the AADSTS50131 error

The error "AADSTS50131: Device is not in required device state" can occur in various situations. Usually it appears when the Windows Defender for Endpoint APIs are called. The error can therefore occur in custom developments that use these APIs, but it is much more likely to be triggered by an integration provided by Microsoft that is built on them, for example PowerBI, the assignment of threat policies, or connecting a corresponding Microsoft Sentinel connector such as Microsoft 365 Defender.

The error states that the device does not match the defined status or the request is blocked due to suspicious activity, access policies, or security policies.

This statement is unfortunately very broad, which makes it difficult to identify the actual problem, even though in my experience the cause is the same in every case and the error code is therefore unambiguous. It is a classic (legacy) Conditional Access Policy called "[Windows Defender ATP] Device policy" that blocks access. This policy is created automatically when Microsoft Defender for Endpoint is connected to Intune and is documented by Microsoft at this link. Among other things, the documentation states that the policy has no impact on other cloud apps or resources, which has proven to be incorrect.

Fixing the AADSTS50131 error

Fixing the cause of the error is basically quite simple. You only need to add an exception to the corresponding classic policy (often the only one in the tenant).

  1. To do so, navigate in Azure Active Directory via Security > Conditional Access to Classic Policies, or use this direct link.
  2. Select the policy "[Windows Defender ATP] Device policy".
  3. Define the required exception.

Once this is done, the authentication required to use the APIs works immediately and as intended.

Attention: It is neither possible nor supported to edit the policy itself. It should therefore not be completely disabled, let alone deleted. If the policy is deleted, it can only be restored by disconnecting and reconnecting Intune and Microsoft Defender for Endpoint.
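To confirm that this classic policy is really what blocks a failing sign-in, the Azure AD sign-in logs can be queried for the 50131 result code and the Conditional Access policy reported as failed. The following KQL query is an added example and not part of the original post; it assumes the SigninLogs table is ingested into the Log Analytics workspace behind Sentinel.

```kql
// Added example (not from the original post): list sign-ins from the last
// seven days that failed with AADSTS50131 and show which Conditional Access
// policy Azure AD evaluated with result "failure".
// Assumes Azure AD sign-in logs are ingested into the workspace (SigninLogs).
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == "50131"
// ConditionalAccessPolicies is a dynamic array; expand it to one row per policy.
| mv-expand cap = ConditionalAccessPolicies
| where tostring(cap.result) == "failure"
| project TimeGenerated,
          UserPrincipalName,
          AppDisplayName,
          ResourceDisplayName,
          PolicyName = tostring(cap.displayName),
          CorrelationId,
          ResultDescription
| order by TimeGenerated desc
```

The CorrelationId column matches the correlation_id returned in the token error response, so a row whose PolicyName is "[Windows Defender ATP] Device policy" ties the failure directly to the policy described above.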

6 thoughts on “AADSTS50131: Device is not in required device state”

  1. As of the August 2023 Intune service release (2308), classic Conditional Access (CA) policies are no longer created for the Microsoft Defender for Endpoint connector. If your tenant has a classic CA policy that was previously created for integration with Microsoft Defender for Endpoint, it can be deleted.

    • Hello and thank you for your question.
      Unfortunately, as documented by Microsoft as well as in this blog, you are not able to re-enable this policy manually. That’s why this blog works with an exclusion instead of deactivation/deletion of the policy.
      Sorry for that.

      Best,
      Yannic

  2. Thank you!

    I was hitting this error when enabling the Defender for Endpoint connector in Sentinel. Completely glossed over the legacy CA policy!

