This application contains sensitive information and can only be accessed from domain joined devices – Azure AD

This error message results from a Conditional Access Policy on your tenant that blocks users from accessing cloud resources unless they come from a hybrid-joined device. A hybrid-joined device is an AD-joined client that is synchronized to Azure AD via Azure Active Directory Connect (AD Connect). Synchronizing it makes the device visible to Azure AD and lets you manage it with Intune.

If you are looking to understand which Conditional Access Policy is blocking users, check out this guide:

If this block has been triggered, you are probably already synchronizing AD-joined devices to Azure AD. If the user is accessing the portal from an on-premises AD-joined device, check whether that specific device is being synchronized; if it is not, move it into an OU that is in the AD Connect sync scope, or set the attribute your sync filter uses, so that it gets synced.

Once you are done and the device is hybrid joined (or you have excluded the user from the Conditional Access Policy), the user will be able to access the resources.
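The checks described above (is the client actually hybrid joined, has AD Connect synced it, and which policy is enforcing the requirement), as an added PowerShell example that is not part of the original post. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can read devices and Conditional Access policies in the tenant.

```powershell
# Added example, not from the original post: diagnose a hybrid-join
# Conditional Access block from the client side and from the tenant side.
# Assumes the Microsoft.Graph PowerShell SDK and read access to devices/policies.

# 1. Client view: parse the "Key : Value" lines printed by dsregcmd /status.
$status = @{}
dsregcmd /status | ForEach-Object {
    if ($_ -match '^\s*(\S+)\s*:\s*(.+?)\s*$') { $status[$matches[1]] = $matches[2] }
}
$domainJoined  = $status['DomainJoined']  -eq 'YES'
$azureAdJoined = $status['AzureAdJoined'] -eq 'YES'

if ($domainJoined -and $azureAdJoined) {
    Write-Host 'Client reports Hybrid Azure AD joined.'
} elseif ($domainJoined) {
    Write-Host 'AD joined but not registered in Azure AD: check the AD Connect sync scope (OU / attribute filter).'
} else {
    Write-Host 'Not domain joined: this device cannot satisfy a hybrid-join requirement.'
}

# 2. Tenant view: the device object must exist with trustType = ServerAd (hybrid joined).
#    isCompliant is shown too, since the CAP is often paired with a compliance check.
Connect-MgGraph -Scopes 'Device.Read.All', 'Policy.Read.All'
$device = Get-MgDevice -Filter "displayName eq '$env:COMPUTERNAME'"
if (-not $device) {
    Write-Host "No Azure AD device object for $env:COMPUTERNAME: AD Connect has not synced it yet."
} else {
    Write-Host ("Azure AD object: trustType={0} isCompliant={1}" -f $device.TrustType, $device.IsCompliant)
}

# 3. Which enabled policies grant access only to hybrid-joined (domainJoinedDevice) devices?
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.State -eq 'enabled' -and
                   $_.GrantControls.BuiltInControls -contains 'domainJoinedDevice' } |
    ForEach-Object {
        Write-Host ("Policy '{0}' requires: {1}" -f $_.DisplayName,
                    ($_.GrantControls.BuiltInControls -join ', '))
    }
```

Run it on the affected client as the blocked user; a device that shows DomainJoined=YES but AzureAdJoined=NO, or that has no Azure AD object, is the sync-scope problem described above.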

Please note that the “Hybrid join check” type of access control is usually paired with a device compliance check, so expect a possible further block related to this. To learn more, visit: Get started with device compliance | Intune, or read my article:

To drill down on this type of Conditional Access Policy, check out this link:

Conditional Access: Require compliant or hybrid Azure AD joined device