When a device is Workplace Joined by using the Microsoft Azure Device Registration Service (DRS), a sync-latency occurs when synchronizing the device object back to the on-premises directory.
In this situation, when the user of that device tries to authenticate through Active Directory Federation Services (ADFS) to gain access to some resources (for example, Office 365 resources like SharePoint, Exchange Online), ADFS will block that authentication, because there is no device object in the on-premises directory.
In another situation, the ADFS server administrator decides to disable the back-sync function. Here, the device object will also not exist in the on-premises directory. This causes the same blocked authentication for the user on the Workplace Joined device.
In this situation, when the user of that device tries to authenticate through Active Directory Federation Services (ADFS) to gain access to some resources (for example, Office 365 resources like SharePoint, Exchange Online), ADFS will block that authentication, because there is no device object in the on-premises directory.
In another situation, the ADFS server administrator decides to disable the back-sync function. Here, the device object will also not exist in the on-premises directory. This causes the same blocked authentication for the user on the Workplace Joined device.