Overview of Problem
Users encounter login failures on Entra ID-joined machines with the error message: “This device must be joined to an approved domain to access Box.” This issue arises when the device trust setting “Device Ownership Requirements” is configured with a domain name instead of the Entra ID tenant ID, causing incorrect device identification.
Process for Resolution
- Log in to the Box Admin Console.
- Navigate to Enterprise Settings > Device Protection > Device Trust.
- Select the relevant policy and click Edit.
- Locate the Device Ownership Requirements item.
- Delete the current domain name and enter the Entra ID tenant ID.
- Click Save.
Outcome
The Device Trust Policy is updated to use the Entra ID tenant ID, allowing successful login on Entra ID-joined machines.
Alternatives
- Verify the Entra ID tenant ID is correctly entered.
- Ensure the device is properly joined to the Entra ID domain.
- If you continue to experience any of the symptoms listed above, enable debug logging, reproduce the error, collect and submit Box Tools Logs, and open a support ticket at support.box.com for further assistance.
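To check the first two items from the affected machine itself, the following PowerShell reads the device's join state from the built-in `dsregcmd /status` command and compares it with the value entered under Device Ownership Requirements. This is an added example, not part of the original article or a Box tool; `$PolicyTenantId` is a placeholder to replace with the value from your policy, and the function name is hypothetical.

```powershell
# Added example: compare this device's Entra ID join state with the value
# entered in the Box Device Trust policy (Device Ownership Requirements).
# Assumption: placeholder value; paste the value from your own policy here.
$PolicyTenantId = '00000000-0000-0000-0000-000000000000'

function ConvertFrom-DsregStatus {
    # Hypothetical helper: turns "Name : Value" lines from dsregcmd into a hashtable.
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Split on the first colon only, so values containing ':' (URLs) stay intact.
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9]*)\s*:\s*(.*?)\s*$') {
            if (-not $state.ContainsKey($Matches[1])) { $state[$Matches[1]] = $Matches[2] }
        }
    }
    return $state
}

$state    = ConvertFrom-DsregStatus -Lines (& dsregcmd.exe /status)
$joined   = $state['AzureAdJoined'] -eq 'YES'
$tenantId = $state['TenantId']          # absent when the device is not joined

# A domain name in the policy field (the misconfiguration described above)
# will not parse as a GUID, so this catches it before any comparison.
$parsed       = [guid]::Empty
$policyIsGuid = [guid]::TryParse($PolicyTenantId, [ref]$parsed)
$matches      = $joined -and $policyIsGuid -and ($tenantId -eq $PolicyTenantId)

[pscustomobject]@{
    AzureAdJoined   = $state['AzureAdJoined']
    DomainJoined    = $state['DomainJoined']
    TenantName      = $state['TenantName']
    DeviceTenantId  = $tenantId
    PolicyValue     = $PolicyTenantId
    PolicyIsGuid    = $policyIsGuid
    TenantIdMatches = $matches
} | Format-List

if (-not $policyIsGuid) {
    Write-Warning 'Policy value is not a tenant ID (GUID). A domain name here causes the login failure.'
} elseif (-not $joined) {
    Write-Warning 'Device is not Entra ID joined (AzureAdJoined is not YES).'
} elseif (-not $matches) {
    Write-Warning 'Device tenant ID differs from the tenant ID in the Box policy.'
}
```

If `TenantIdMatches` is `True` and the login error persists, move on to the debug logging and support ticket step.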