This preview feature is being deprecated. Customers should use Filter for devices condition in Conditional Access to satisfy scenarios, previously achieved using device state (preview) condition.

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-conditions#device-state-preview

Just to add my 2 cents and personal experience related to conditional access. Over the past several months I have noticed that occasionally a mobile device will get a seemingly “new” IPv6 issued from the phone carrier and it “will” cause false positives, first hand experience here. When that happens, the session is blocked for the user and email on phone does not work, obviously, this depends on how you have the CA setup either to block or to prompt for MFA. Anyway, when the “new” IPv6 issued to the device the location can not be pinpointed and therefor the access is blocked, in our case. So this may be something to consider in your troubleshooting steps. I hope it helps.

Ps. I think you might find this an interesting article on conditional access: https://www.christiaanbrinkhoff.com/2018/08/31/deliver-citrix-and-office-365-applications-secure-by-using-conditional-access-in-workspace-365/

Interesting. It certainly seems to coincide with the CA policies breaking for multiple tenants here, but I’ll keep testing it out. Maybe something else was happening as well.

Do you see the new device state preview feature in your tenant as well?

In my company we use the same access control as you did in the referenced article:
– Require multi-factor authentication
– Require device to be marked as compliant
– Require Hybrid Azure AD joined device

+ Require one of the selected controls

However, we don’t use Locations condition as you are and we don’t experience the issue reported. There is no need to configure Device state condition to exclude Compliant/Hybrid Azure AD joined devices.

With regards,
Dinko