How to Fix Conditional Access Failure Error 53003: Device State Unknown Instead of Compliant

Many administrators using Microsoft Entra ID (formerly Azure AD) and Conditional Access policies encounter a frustrating issue where compliant devices are unexpectedly blocked with:

Conditional Access Failure
Error Code: 53003
Device State: Unknown or Unregistered

This commonly happens when organizations enforce a Conditional Access (CA) policy that only allows sign-ins from compliant devices managed through Microsoft Intune.

The confusing part is:

  • the same device appears compliant in other sign-ins,
  • but specific applications suddenly show:
    • Device State Unknown
    • Device Identifier Not Available
    • Unregistered device status.

Here’s why this happens and how to fix it.


What Causes Conditional Access Error 53003?

The issue usually occurs because the application being used cannot pass device identity or compliance information to Entra ID during authentication.

Typical affected apps include:

  • internal enterprise applications,
  • Microsoft Graph-based tools,
  • PowerShell,
  • Azure Data Studio,
  • embedded browsers,
  • legacy authentication clients,
  • or apps using internal web views.

In these cases:

  • the app authenticates the user,
  • but does not send device compliance information,
  • so Conditional Access cannot verify device state.

As a result:

  • the device appears as:
    • Unknown
    • Unregistered
    • or Not Available.

Common Error Details

Administrators often see errors similar to:

Error Code: 53003
Device State: Unregistered
Device Identifier: Not available
Device Platform: Windows 10
App Name: Office 365 Exchange Online

This means Entra ID could not associate the login with a compliant registered device.
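Before changing anything on the client, it helps to see which applications are producing 53003 and whether those sign-ins carried a device ID at all. The script below is an added example, not part of the original article: it pulls recent 53003 failures from the Entra sign-in logs with Microsoft Graph PowerShell and splits them into "no device identity" (the Unknown/Unregistered cases this article is about) and "device identity present but non-compliant". It assumes the Microsoft.Graph.Reports module is installed, that the admin can consent to AuditLog.Read.All and Directory.Read.All, and a seven-day look-back window.

```powershell
# Added example (not from the original article). Assumes Microsoft.Graph.Reports
# is installed and the signed-in admin holds AuditLog.Read.All + Directory.Read.All.
# 53003 is the error code discussed in the article; the 7-day window is an assumption.
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All" -NoWelcome

$since  = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$filter = "status/errorCode eq 53003 and createdDateTime ge $since"

$failures = Get-MgAuditLogSignIn -Filter $filter -All

# Flatten the parts of each sign-in that matter for device-based Conditional Access
$rows = foreach ($s in $failures) {
    $d = $s.DeviceDetail
    [pscustomobject]@{
        When        = $s.CreatedDateTime
        User        = $s.UserPrincipalName
        App         = $s.AppDisplayName
        ClientApp   = $s.ClientAppUsed        # "Browser", "Mobile Apps and Desktop clients", ...
        Browser     = $d.Browser
        DeviceId    = $d.DeviceId             # empty = no device identity reached Entra ID
        NoDeviceId  = [string]::IsNullOrEmpty($d.DeviceId)
        TrustType   = $d.TrustType            # joined / hybrid joined / registered, or empty
        IsCompliant = $d.IsCompliant
        IsManaged   = $d.IsManaged
        Reason      = $s.Status.FailureReason
    }
}

# NoDeviceId = True rows are the "Device State: Unknown" cases: the client never
# presented a device identity, so the fix is on the client side (PRT-aware browser
# or auth flow). NoDeviceId = False rows reached compliance evaluation and failed
# there, which points at Intune/registration instead.
$rows | Group-Object App, NoDeviceId |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Detail for the "no device identity" failures
$rows | Where-Object NoDeviceId |
    Sort-Object When -Descending |
    Format-Table When, User, App, ClientApp, Browser, TrustType, Reason -AutoSize
```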


Why Some Apps Show Device Compliance and Others Do Not

This happens because not all applications are PRT-aware.

PRT stands for Primary Refresh Token.

The PRT is critical because it allows Entra ID to:

  • identify the device,
  • verify compliance through Intune,
  • and apply device-based Conditional Access policies.

Applications such as:

  • Edge,
  • Outlook,
  • managed Chrome,
  • and Office apps,
    usually understand how to access and use the PRT.

Other apps do not.


How Conditional Access Determines Device Compliance

Device compliance is not directly sent by the app itself.

Instead:

  1. The app authenticates the user
  2. Entra ID checks whether a valid device ID exists
  3. The device ID is verified through Intune
  4. Compliance status is evaluated

If the device ID is missing:

  • compliance cannot be checked,
  • and Conditional Access blocks access.

How to Fix Conditional Access Error 53003

Below are the most effective solutions.


Fix 1: Use a PRT-Aware Browser

One of the most common causes is using:

  • internal browsers,
  • embedded web views,
  • or unmanaged browsers.

These often cannot access the device’s Primary Refresh Token.

Recommended Browsers

Use:

  • Microsoft Edge
  • Google Chrome configured for Entra SSO
  • Managed Outlook authentication

Avoid:

  • embedded login windows,
  • legacy web views,
  • unsupported internal authentication browsers.

Fix 2: Configure Chrome to Use the PRT

If using Chrome:

  • enable the Windows Accounts extension,
  • configure device authentication policies,
  • ensure Chrome can access the PRT.

Without proper configuration:

  • Chrome may authenticate users,
  • but fail device-based Conditional Access checks.

Fix 3: Avoid Private or Incognito Sessions

Private browsing sessions usually cannot access the PRT.

That means:

  • the device identity is unavailable,
  • compliance cannot be evaluated,
  • and Conditional Access fails.

Avoid:

  • Incognito mode,
  • InPrivate mode,
  • isolated browser sessions.

Fix 4: Ensure Device Is Properly Registered

The device must be:

  • Entra Joined,
  • Hybrid Joined,
  • or Entra Registered.

Check device registration status using:

dsregcmd /status

Look for:

AzureAdJoined : YES
DeviceAuthStatus : SUCCESS

If registration is broken, device compliance will fail.
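Reading the full dsregcmd output by eye is error-prone, so here is an added example (not from the original article) that parses it on the affected device and reports the join type, the device authentication result, and whether a PRT is actually present for the signed-in user. The field names are the ones dsregcmd prints; the interpretation logic is this script's own. Run it as the affected user, not as SYSTEM, because the SSO State section reflects the calling user's PRT.

```powershell
# Added example (not from the original article): summarise "dsregcmd /status".
# Run in the affected user's session, not as SYSTEM, so the PRT fields are that user's.
function Get-DeviceRegistrationState {
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        # Lines look like "        AzureAdJoined : YES"; keep the first value seen per key
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$' -and -not $state.ContainsKey($Matches[1])) {
            $state[$Matches[1]] = $Matches[2]
        }
    }

    $aadJoined = $state['AzureAdJoined']   -eq 'YES'
    $domJoined = $state['DomainJoined']    -eq 'YES'
    $wpJoined  = $state['WorkplaceJoined'] -eq 'YES'   # "Entra registered" appears here, under User State
    $joinType = if ($aadJoined -and $domJoined) { 'Hybrid joined' }
                elseif ($aadJoined)             { 'Entra joined' }
                elseif ($wpJoined)              { 'Entra registered' }
                else                            { 'NOT registered' }

    [pscustomobject]@{
        JoinType         = $joinType
        DeviceAuthStatus = $state['DeviceAuthStatus']   # expect SUCCESS
        DeviceId         = $state['DeviceId']
        TenantName       = $state['TenantName']
        # The PRT is what lets Edge and Office prove device identity to Entra ID;
        # NO here means even a fully compliant device shows "Device State: Unknown".
        HasPrt           = ($state['AzureAdPrt'] -eq 'YES')
        PrtUpdated       = $state['AzureAdPrtUpdateTime']
    }
}

$r = Get-DeviceRegistrationState
$r | Format-List
if ($r.JoinType -eq 'NOT registered') {
    Write-Warning 'Device is not registered with Entra ID; complete registration or re-join before troubleshooting compliance.'
} elseif ($r.DeviceAuthStatus -ne 'SUCCESS') {
    Write-Warning 'Device is registered but device authentication fails; check the error details in dsregcmd /status and re-join.'
} elseif (-not $r.HasPrt) {
    Write-Warning 'No PRT for this user: lock/unlock or sign out and back in, then re-check AzureAdPrt.'
}
```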


Fix 5: Verify Intune Compliance

Even if the device is registered, compliance policies must still pass.

Check:

  • Intune compliance status,
  • device sync,
  • last check-in time,
  • and policy assignment.

A stale or inactive device may appear unknown.
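Conditional Access evaluates the compliance flag stamped on the Entra device object, which Intune writes after each evaluation, so "compliant in the Intune portal" and "compliant as far as CA is concerned" can disagree when sync is stale. The following added example (not from the original article) lists managed devices from Intune, looks up the matching Entra device object, and flags non-compliant, stale, or mismatched devices. It assumes the Microsoft.Graph.DeviceManagement and Microsoft.Graph.Identity.DirectoryManagement modules, the DeviceManagementManagedDevices.Read.All and Device.Read.All permissions, and a seven-day staleness threshold chosen for illustration.

```powershell
# Added example (not from the original article). Assumes the two Graph modules below
# are installed and the admin holds DeviceManagementManagedDevices.Read.All + Device.Read.All.
# The 7-day staleness threshold is an assumption; pick what your policies require.
Import-Module Microsoft.Graph.DeviceManagement, Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All","Device.Read.All" -NoWelcome

$staleAfter = (Get-Date).AddDays(-7)

foreach ($md in Get-MgDeviceManagementManagedDevice -All) {
    # No Entra link at all: this is a registration problem (Fix 4), not a compliance one
    if (-not $md.AzureAdDeviceId) { continue }

    # deviceId on the Entra object is the registration GUID, not the directory object id
    $entra = Get-MgDevice -Filter "deviceId eq '$($md.AzureAdDeviceId)'" `
                          -Property deviceId,isCompliant,isManaged,trustType,approximateLastSignInDateTime

    $intuneCompliant = ($md.ComplianceState -eq 'compliant')
    $problems = @()
    if (-not $intuneCompliant)                 { $problems += "Intune state: $($md.ComplianceState)" }
    if ($md.LastSyncDateTime -lt $staleAfter)  { $problems += "stale sync: $($md.LastSyncDateTime)" }
    if (-not $entra) {
        $problems += 'no Entra device object for AzureAdDeviceId'
    } elseif ($entra.IsCompliant -ne $intuneCompliant) {
        # Intune and Entra disagree; CA reads the Entra flag, so this is what the user hits
        $problems += "Entra isCompliant=$($entra.IsCompliant) vs Intune $($md.ComplianceState)"
    }

    if ($problems) {
        [pscustomobject]@{
            Device    = $md.DeviceName
            OS        = $md.OperatingSystem
            TrustType = $entra.TrustType
            LastSync  = $md.LastSyncDateTime
            Problems  = $problems -join '; '
        }
    }
}
```

A device that appears only with "stale sync" is the "stale or inactive device" case above: have the user sync from Company Portal or Settings, then re-run.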


Fix 6: Review Authentication Flow Used by the App

Some applications use authentication methods that bypass device-aware authentication.

For example:

  • client credential flows,
  • client secrets,
  • or certificate-based workload identities.

These flows:

  • authenticate the application identity,
  • not a user on a device,
  • so device compliance policies do not apply to them in the usual way.

Fix 7: Avoid Apps Using Internal Embedded Browsers

Some internal enterprise apps use built-in authentication windows.

These internal browsers often:

  • cannot access PRT,
  • fail device registration checks,
  • and trigger Error 53003.

Switching authentication to:

  • system browser login,
  • Edge,
  • or managed browser authentication,
    often resolves the issue.

Why Edge Usually Works Better

Microsoft Edge is deeply integrated with Windows device authentication.

It can:

  • access PRT automatically,
  • pass device identity to Entra ID,
  • and satisfy Conditional Access requirements more reliably.

That is why:

  • Edge logins often succeed,
  • while PowerShell or embedded apps fail.

Understanding PRT, Access Tokens, and Conditional Access

To troubleshoot Conditional Access effectively, it is important to understand:

  • Primary Refresh Tokens (PRT),
  • refresh tokens,
  • access tokens,
  • device registration,
  • and Intune compliance evaluation.

Without valid device identity information:

  • Entra ID cannot verify compliance,
  • even if the device itself is fully compliant.

Final Thoughts

Conditional Access Error 53003 with:

Device State Unknown
Device State Unregistered

usually occurs because the application or browser cannot pass device identity information to Microsoft Entra ID.

The most effective fixes are:

  • using PRT-aware browsers like Edge,
  • avoiding private browsing,
  • ensuring proper Entra registration,
  • verifying Intune compliance,
  • and avoiding embedded authentication browsers.
