This application contains sensitive information and can only be accessed from domain joined devices – Azure AD

General information

This error message results from the application of a Conditional Access Policy on your tenant that blocks users from accessing cloud resources without a hybrid-joined device. A Hybrid-joined device is an AD-joined client which gets synchronized to Azure AD via Azure Active Directory Connect (AD Connect).

Another version of this error is:

Try signing in another way
To access your service, app, or website, you may need to sign in to Microsoft Edge using XX account

If you are looking to understand which Conditional Access Policy is blocking users, check out this guide:

How to check which Conditional Access Policy is blocking a user log-in – Azure AD

How to fix

• If the user is trying to access with a personal device, switching accounts (as suggested in the error message) won’t fix the issue. You’ll need a company owned device.
• If the user is trying to access it with a company device, then it’s either:
  • Using a personal account, or using the wrong company account. Click on Sign out and sign in with a different account, then sign in with the correct account.
  • Using the right company account, but using Chrome. If this is the case, follow the steps below.
  • Using the right company account on Edge (or on Chrome with the proper extension installed), but the device is not synchronized. To fix this, check if you are synchronizing said device and consider adding it to the right OU / add the right attribute to let it sync.

If you are using Chrome, you’ll either need the Windows Accounts or the Microsoft 365 extensions. These extensions allow Chrome to pass device-specific details. You can deploy the extension automatically using this registry key:

• Path: HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\ExtensionInstallForcelist
• Name: 1
• Type: REG_SZ (String)
• Data: ppnbnpeolgkicgegkbkbjmhlideopiji;https://clients2.google.com/service/update2/crx

Additional notes

Please note that the “Hybrid join check” type of access control is usually paired with a device compliance check. So expect a possible further block related to this.
To learn more, visit Get started with device compliance | Intune  or read my article on the related error:

This application contains sensitive information and can only be accessed from devices or client applications that meet management compliance policy – Azure AD

To drill down on this type of Conditional Access Policy, check out this link:

Conditional Access: Require compliant or hybrid Azure AD joined device

Sources

https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-conditions#chrome-support