Arc onboarding in the FDPO tenant?

JoseMoreno-MSFT 41 Reputation points Microsoft Employee
2025-11-14T12:59:01.16+00:00

I get the message "Your sign-in was successful but your admin requires the device requesting access to be managed by Microsoft Non-Production to access this resource" when running the Arc onboarding script on a nested VM and authenticating.

I am authenticating on a corporate laptop owned by Microsoft. I tried both https://microsoft.com/devicelogin as well as https://microsoft.com/devicelogin?tenant-id=<PII Removed>, same result.

The device from which I am authenticating shows to be compliant in the device portal (https://portal.manage-beta.microsoft.com/devices) and to have access to company resources.

This seems to be an issue with Conditional Access in the Microsoft Non-Production tenant. Has anybody else seen this?

Azure Arc
A Microsoft cloud service that enables deployment of Azure services across hybrid and multicloud environments.

Answer accepted by question author
  1. Bharath Y P 2,560 Reputation points Microsoft External Staff Moderator
    2025-11-14T15:49:33.4966667+00:00

    Hello JoseMoreno-MSFT,

    It seems like you're facing some issues with the Arc onboarding process related to Conditional Access in the Microsoft Non-Production tenant. The error message you're receiving indicates that the device requesting access needs to be managed, which often relates to Conditional Access policies set by the company.

     The problem is the distinction between the CORP and the resource tenant (Non‑Production):

    • Your device is compliant and managed by the CORP tenant. This allows your personal sign‑in to succeed. The Conditional Access policy is active in the Non‑Production tenant and requires the device accessing the resource (the Azure Arc cloud app) to be managed and compliant in the Non‑Production tenant.
    • The token you receive is being used by the azcmagent on the nested VM, which is neither your compliant laptop nor a device managed by the Non‑Production tenant. Crucially, the Non‑Production tenant cannot natively trust the compliance claims from the CORP tenant unless Cross‑Tenant Access Settings are explicitly configured to do so.
    • Even if your laptop was the device making the call, Non‑Production still needs to be configured to trust the compliant device claim from CORP for your authentication to grant access. Since you are using the device code flow from the nested VM, the compliance check fails entirely.

    Here are a few points to verify and resolve the Conditional Access issue:

    • Verify device compliance in Non‑Production: Check whether the device is enrolled in Intune for the Non‑Production tenant and part of the required groups/policies.
    • Review Conditional Access policies: Confirm which policies are applied in Non‑Production, and whether they specifically require device enrollment and compliance in that tenant.
    • Confirm tenant scoping in login flow: Ensure the device login process is correctly scoped to Non‑Production. Using https://microsoft.com/devicelogin?tenant-id=<tenant-id> directs authentication to the right tenant, but Conditional Access still enforces Non‑Production’s compliance requirements.

    If you're still experiencing issues, please help us with the below details:

    1. Is your device enrolled in Intune for the Non‑Production tenant, or only in CORP?
    2. Have the Conditional Access policies in Non‑Production been reviewed?
    3. Is the login flow correctly scoped to Non‑Production when using the tenant‑ID parameter?
    4. Do you encounter the same issue with other Non‑Production resources, or only with Azure Arc onboarding?

    Hope this helps, please let us know if you need further assistance, thanks.


2 additional answers

  1. Q&A Assist
    2025-11-14T12:59:20.5933333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    It seems that the issue you are encountering is related to Conditional Access policies in your Microsoft Non-Production tenant. The message you received indicates that while your sign-in was successful, the admin has set a requirement for the device to be managed by Microsoft Non-Production to access the resource.

    To troubleshoot this issue, you can follow these steps:

    1. Check Device Compliance: Ensure that the device you are using is compliant with the Conditional Access policies set by your organization. You mentioned that it shows compliant in the device portal, which is a good sign.
    2. Review Conditional Access Policies: You may need to review the Conditional Access policies that are applied to your user account and the device. This can be done by an admin in the Azure portal under Microsoft Entra ID > Security > Conditional Access.
    3. Sign-in Logs: Check the sign-in logs in the Azure portal to see if there are any specific errors or details related to your sign-in attempt. This can provide more insight into why access is being denied.
    4. Contact Admin: If everything seems correct on your end, it may be necessary to contact your IT admin to ensure that your device is recognized as compliant and to verify if there are any specific policies that might be affecting your access.

    Since you are using a corporate laptop, ensure that it is properly enrolled and managed under the correct policies for the Non-Production tenant.
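    The accepted answer's point about the CORP (home) tenant versus the Non-Production (resource) tenant, and the "check the sign-in logs" step above, can be combined into a small triage script. The following is an added example, not code from the thread or from Microsoft: it classifies Entra ID sign-in records shaped like the Microsoft Graph `auditLogs/signIns` resource and reports when a Conditional Access failure was a device-state grant control enforced by a tenant other than the user's home tenant. The two records are constructed, with placeholder GUIDs and a made-up failure reason; the `diagnose`, `triage` and `blocking_device_policies` helpers and the label strings are this example's own names.

```python
"""Classify Entra ID sign-in log records for the cross-tenant
Conditional Access failure discussed in the thread.

Added example, not part of the Q&A thread. Record shape follows the
Microsoft Graph signIn resource (auditLogs/signIns); the records below
are constructed samples with placeholder GUIDs, not real log exports.
"""
import json

CORP = "11111111-1111-1111-1111-111111111111"      # constructed: home tenant
NONPROD = "22222222-2222-2222-2222-222222222222"   # constructed: resource tenant

# Constructed Graph-style response body with two sign-in records.
SAMPLE_SIGNINS = json.dumps({"value": [
    {   # the thread's case: device code flow from a nested VM into another tenant
        "id": "s1",
        "userPrincipalName": "user@corp.example",
        "homeTenantId": CORP,
        "resourceTenantId": NONPROD,
        "appDisplayName": "Azure Arc",
        "authenticationProtocol": "deviceCode",
        "conditionalAccessStatus": "failure",
        "status": {"failureReason": "constructed: device is required to be managed"},
        "deviceDetail": {"deviceId": "", "isCompliant": False, "isManaged": False},
        "appliedConditionalAccessPolicies": [
            {"displayName": "Require compliant device", "result": "failure",
             "enforcedGrantControls": ["RequireCompliantDevice"]}
        ],
    },
    {   # same tenant, compliant laptop: the policy is satisfied
        "id": "s2",
        "userPrincipalName": "user@corp.example",
        "homeTenantId": CORP,
        "resourceTenantId": CORP,
        "appDisplayName": "Azure Arc",
        "authenticationProtocol": "oAuth2",
        "conditionalAccessStatus": "success",
        "status": {"failureReason": "Other."},
        "deviceDetail": {"deviceId": "dev-1", "isCompliant": True, "isManaged": True},
        "appliedConditionalAccessPolicies": [
            {"displayName": "Require compliant device", "result": "success",
             "enforcedGrantControls": ["RequireCompliantDevice"]}
        ],
    },
]})

# Grant controls that depend on device state (names as emitted in sign-in logs).
DEVICE_CONTROLS = {"RequireCompliantDevice", "RequireDomainJoinedDevice"}


def blocking_device_policies(record):
    """Names of applied CA policies that failed on a device-state grant control."""
    return [p["displayName"]
            for p in record.get("appliedConditionalAccessPolicies", [])
            if p.get("result") == "failure"
            and DEVICE_CONTROLS & set(p.get("enforcedGrantControls", []))]


def diagnose(record):
    """Classify one sign-in record. Returns (label, human-readable detail)."""
    if record.get("conditionalAccessStatus") != "failure":
        return "no-ca-failure", "Conditional Access did not block this sign-in."
    blocked_by = blocking_device_policies(record)
    if not blocked_by:
        return "other-ca-failure", "CA failed, but not on a device-state grant control."
    device = record.get("deviceDetail", {})
    cross_tenant = record.get("homeTenantId") != record.get("resourceTenantId")
    if not cross_tenant:
        return "device-not-compliant", (
            f"Same-tenant sign-in blocked by {blocked_by}; "
            f"device isCompliant={device.get('isCompliant')}.")
    # Resource tenant enforced a device requirement for a user homed elsewhere.
    detail = (f"Resource tenant {record['resourceTenantId']} enforced {blocked_by} "
              f"but saw isCompliant={device.get('isCompliant')} for a user homed in "
              f"{record['homeTenantId']}. The home tenant's compliance claim only counts "
              "if the resource tenant's inbound cross-tenant access settings trust "
              "compliant devices, or the device is enrolled in the resource tenant.")
    if record.get("authenticationProtocol") == "deviceCode":
        detail += (" Device code flow: the token is consumed by the machine running the "
                   "onboarding script (the nested VM), not by the laptop where the code "
                   "was entered.")
    return "cross-tenant-device-trust", detail


def triage(export_json):
    """Diagnose every record in a Graph signIns response body; keyed by record id."""
    return {r["id"]: diagnose(r) for r in json.loads(export_json)["value"]}


if __name__ == "__main__":
    for sid, (label, detail) in triage(SAMPLE_SIGNINS).items():
        print(f"{sid}: {label}\n    {detail}")
```

    Run against a real export, the fields worth comparing are `homeTenantId` versus `resourceTenantId`, `deviceDetail.isCompliant`, and the `enforcedGrantControls` of each failed policy; the script only reads those fields and does not change any tenant setting.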


  2. JoseMoreno-MSFT 41 Reputation points Microsoft Employee
    2025-11-18T09:23:39.1633333+00:00

    This issue cannot be solved, so I deployed my Arc servers in another subscription in a different tenant (my MSDN subscription).

