This message was deleted.

Does “dsregcmd /leave & dsregcmd /join” fix the issue on a single device?

Server 2016 has a limited functionality set. I'll send you the differences later.

dsregcmd /leave and /join does not fix it on single device. I keep banging my head that this is an app issue, as both Edge/Chrome can gain SSO into office.com from browser, as EntraID shows the proper device join-type (so I pass CA). "Only happens on Citrix" is the wording I've been given.

Do you use FAS? Does it happen also via RDP or only via HDX? Netscaler or Workspace? I assume you're using Citrix Cloud

No FAS; both via RDP and HDX and via Gateway and Direct to SF.

Are we talking about Server2016 or W10 Multisession?

Both. I was able to reproduce the issue this morning on a standalone Azure VM with no Citrix installed. The app is linking an enterprise app, SSO, URL, and within the app itself it’s not passing device info/join type so customers conditional access policy is saying fine require MFA. The fact that I can do this on a standalone VM now will allow me to point it back to the app owner.