AADSTS50131: Device is not in required device state: known. Or, the request was blocked due to suspicious activity, access policy, or security policy decisions with WDATP

If you’re trying to use the Windows Defender Advanced Threat Protection through the API or through Power BI and get an AADSTS50131 error, you’ll probably check your sign-in logs first to see whether you’re being blocked by a conditional access policy. If there’s nothing there, as I had the joy of discovering (tsk Microsoft, you really should log this), then check your classic conditional access policies and disable the policy if one is present (classic policies are old anyway).
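The first step above, checking the sign-in logs for an AADSTS50131 block and the conditional access policies that were applied, can be scripted against Microsoft Graph. The script below is an added example, not code from the original post; it assumes the Microsoft.Graph.Reports PowerShell module is installed, that the account running it holds the AuditLog.Read.All and Directory.Read.All permissions, and that the tenant has a licence that exposes sign-in logs. The seven-day window and the application name used for the final filter are constructed values.

```powershell
# Added example: find AADSTS50131 failures in the Entra sign-in logs and show
# which conditional access policies (if any) were evaluated for each one.
# Assumes Microsoft.Graph.Reports is installed and a licence that exposes sign-in logs.
Import-Module Microsoft.Graph.Reports

# Permissions needed to read sign-in logs and policy names (assumed to be granted).
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All" -NoWelcome

# Constructed look-back window: the last seven days, in the ISO 8601 form Graph expects.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# 50131 is the numeric part of AADSTS50131; status/errorCode carries it in the signIn resource.
$filter = "status/errorCode eq 50131 and createdDateTime ge $since"

$failures = Get-MgAuditLogSignIn -Filter $filter -All

if (-not $failures) {
    # An empty result does not rule out a classic policy: as the post notes, classic
    # policy blocks are not written to the sign-in log, so check those separately.
    Write-Host "No AADSTS50131 sign-ins found since $since. If the error persists, review classic conditional access policies."
    return
}

foreach ($signIn in $failures) {
    # Summarise the device state Entra saw, since 50131 is a device-state failure.
    $device = $signIn.DeviceDetail
    $deviceSummary = "managed={0} compliant={1} trustType={2}" -f `
        $device.IsManaged, $device.IsCompliant, $device.TrustType

    # Modern conditional access policies that were evaluated show up here with a result
    # (success, failure, notApplied, ...). Classic policies never appear in this list.
    $policies = $signIn.AppliedConditionalAccessPolicies |
        ForEach-Object { "{0} [{1}]" -f $_.DisplayName, $_.Result }

    [pscustomobject]@{
        When                    = $signIn.CreatedDateTime
        User                    = $signIn.UserPrincipalName
        Application             = $signIn.AppDisplayName
        FailureReason           = $signIn.Status.FailureReason
        ConditionalAccessStatus = $signIn.ConditionalAccessStatus
        Device                  = $deviceSummary
        AppliedPolicies         = ($policies -join "; ")
    }
}
```

Run it as-is to list every 50131 failure in the window; pipe the output through `Where-Object { $_.Application -like "*Defender*" }` to narrow it to the application you are troubleshooting. When every row shows an empty AppliedPolicies column and a ConditionalAccessStatus of notApplied, the block is coming from something the log does not record, which is exactly the classic-policy case the post describes.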

Tyler Frederick
3 months ago

I just want to thank you for saving me from what would otherwise have been hours of trying to track this down. I came across this when trying to enable the Microsoft Sentinel connector for Microsoft Defender XDR. For the sake of Google keywords for anyone else looking for this, the user-side error thrown is a portal modal with “Interaction required. The portal encountered an issue while attempting to retrieve access tokens.”, followed by the same AADSTS50131 code.

Last edited 3 months ago by Tyler Frederick
Mahmood Bhimji
6 hours ago

So do not remove this policy. It is used for integration between Intune and MDE. Blowing it away will cause more issues.

Instead exclude the user and remove the exclusion after.

Huw Lynch
3 years ago

Hi – just discovered the same problem. Are you sure this policy can simply be deleted? It was obviously put there for a reason and was requiring “Known” devices (whatever that means). If it’s important then I’d prefer to replace it with an equivalent modern policy.