AADSTS50131: Device is not in required device state

The error "AADSTS50131: Device is not in required device state" is not encountered every day. But when it does occur, many are often at a loss. Not least because this error and its cause is hardly documented or difficult to find. You can find out how to fix the AADSTS50131 error here.

Occurrence of the AADSTS50131 error

The error "AADSTS50131: Device is not in required device state" can occur in various situations. Usually, this is the case when the APIs are addressed by Windows Defender for Endpoint. Thus, the error can occur in custom developments that address the APIs. However, it is much more likely that the error is caused by an integration provided by Microsoft based on these APIs. For example, via PowerBI, the assignment of threat policies or when connecting a corresponding Microsoft Sentinel connector such as Microsoft 365 Defender.

The error states that the device does not match the defined status or the request is blocked due to suspicious activity, access policies, or security policies.

This statement is unfortunately very broad and therefore difficult to identify the actual problem. And this, although the cause is the same in every case according to my experience and the error code is therefore unambiguous. It is a classic Conditional Access Policy (legacy) called "[Windows Defender ATP] Device policy", which blocks access. This policy is automatically created when Microsoft Defender for Endpoint is connected to Intune and is documented by Microsoft at this link. Among other things, it also states that it has no impact on other cloud apps or resources, which has been proven to be misinformation.

Fixing the AADSTS50131 error

Fixing the cause of the error is basically quite simple. You only need to add an exception to the corresponding, often only policy.

1. To do so, navigate in Azure Active Directory via Security, Conditional Access to Classic Policy or use this direct link.
2. Select the policy "[Windows Defender ATP] Device policy".
3. Define the required exception.

Once this is done, the desired authentication to use the APIs works immediately and as desired.

Attention: It is neither possible nor supported to edit the policy itself. Therefore, it should not be completely disabled or even deleted. If the policy is deleted, it can only be restored by disconnecting and reconnecting Intune and Microsoft Defender for Endpoint.