Forum Discussion
Conditional Access for Azure AD ONLY joined devices
All my user mobile devices (Windows based) are Azure AD joined (no hybrid).
The requirement is to allow access to online resources from these devices ONLY and, if external to a trusted location, then do MFA.
Internally (trusted location) allow access without MFA
There is NO combination of CA conditions that I can get it working this way
There is no option to specify AAD ONLY joined devices
I can NOT just choose in Grant "Require device to be marked as compliant" because some devices will not be compliant (due to how odd Sophos works from time to time, and the compliance is simply not quick enough to report correctly).
In Conditions/Filter for devices I can select isCompliant, deviceOwnership, trustType, but the whole process gets thrown out of the window based on Grant.
So no matter what I set users still can access services from personal PC, as long as MFA is executed (which is already configured in separate policy anyway)
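One way to express the two requirements in the question (access only from Azure AD joined devices, MFA only outside trusted locations) is to pair a device-filter block policy with a location-scoped MFA policy. This is an added example, not code from the thread or from any reply; it assumes the Microsoft Graph PowerShell SDK, a connected session, and a break-glass group id that you substitute for the placeholder.

```powershell
# Added example (not from the thread). Assumes the Microsoft.Graph PowerShell SDK
# (Microsoft.Graph.Identity.SignIns) and an account allowed to write CA policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Policy 1: block every sign-in from a device that is NOT Azure AD joined.
# The device filter runs in "exclude" mode: devices matching the rule are taken
# out of scope, so only non-matching (and unregistered/personal) devices hit the
# block. Compliance is deliberately not used, per the question's constraint.
$blockNonAadJoined = @{
    displayName = "Block access unless device is Azure AD joined"
    state       = "enabledForReportingButNotEnforced"   # report-only first, then "enabled"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @("<break-glass-group-id>") }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        devices        = @{
            deviceFilter = @{
                mode = "exclude"
                rule = 'device.trustType -eq "AzureAD"'
            }
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 2: require MFA from anywhere except trusted named locations.
# Inside a trusted location the policy simply does not apply, so no MFA prompt.
$mfaOutsideTrusted = @{
    displayName = "Require MFA outside trusted locations"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @("<break-glass-group-id>") }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $blockNonAadJoined
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaOutsideTrusted
```

Validate both policies in report-only mode against the sign-in logs (the "Report-only" tab on each sign-in shows which policy would have applied) before switching them to enabled.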
- Try using filters in EndPoint Manager/Intune https://learn.microsoft.com/en-us/mem/intune/fundamentals/filters
- SebCerazy (Iron Contributor): And what would that do to my Conditional Access in Azure?
- CA checks the compliance policies. Don’t allow personal devices to be compliant.
- PhilR2020 (Copper Contributor): Hi, did you resolve this?