If you are working with Office 365, some organizations will have the requirement that Office 365 data is only available offline when users are using their company-provided devices. This means users cannot sync work data onto their personal computers.
The configuration is pretty simple, this can be done through a simple Conditional Access policy:
I have been using this feature a lot for different customers, but some of the time users were receiving the following message when trying to reach Outlook from their company owned device.
When users are receiving this error, there are a couple of things I always check first. But in some cases, there weren’t a solution.
- Check if the device is Hybrid Azure AD Joined:
- Execute the command ‘dsregcmd /status’, the device state bit should be as follows.
- If you don’t see the output, troubleshoot your Hybrid Join.
- Validate that the device is showing up in the Azure AD portal as ‘Hybrid Azure AD Joined’.
- Check if the PRT is valid:
- A PRT is used for authentication to Azure AD. Within the same output of the ‘dsregcmd /status’ command, you need to locate the ‘SSO State’ bit.
- Here AzureAdPrt should state ‘yes’ and the ‘AzureAdPrtExpiryTime should be later than the current time.
If all of the above checks out, it’s time to check the Azure AD sign-in logs. Here I have found some weird cases where the Windows Sign-in Event was showing the device as Hybrid Azure AD Joined:
But when using Outlook/Teams/Onedrive the device wasn’t being recognized as hybrid:
Restarting the device didn’t create a solution.
The issue here is that the PRT wasn’t being sent by our Office applications. The PRT was ‘stale’ because the laptop only connected to Wifi the user logged in, which means our applications don’t have a valid PRT.
The solution for this is simple, let the user logoff and log back on Windows in without disconnecting from the network.
It’s such a simple solution that I was contemplating making this blog. But this has happened to multiple customers and there isn’t a lot of information out there. I hope this helps someone!