Forum Discussion
CA policy for corporate devices
I would like to create a Conditional Access policy to block all non-corporate devices from accessing Office 365 resources.
I created a policy:
Applies to -> User Group
Applies to -> all resources
Applies to -> Win 10
Filter for devices exception -> Ownership: company & trust type: Entra hybrid joined.
Action: block
The above works fine for Office desktop login, i.e. it blocks non-corporate devices and allows corporate devices.
However, a side effect is that sign-ins from a browser on a corporate device are still blocked.
8 Replies
- Ahmed_Masoud97 (Iron Contributor)
From the configuration above, I say you can just exclude the browser or web-client access to ensure that browser access won't be counted and it won't affect the user experience if browser access was needed to start with.
Ahmed Masoud
- aevle (Copper Contributor)
Weird... I can't replicate this in my own lab.
What does "What if" under Conditional Access pane say?
My policy is getting excluded if I use EIDHJ and the device is company owned and is logged on from a browser.
- AhmedSHMK (Brass Contributor)
WhatIf says the policy should not block the connection. But I have an error stating it is detecting the device on browsers correctly, e.g. it says Win 10 instead of Win 11.
- Ankido (Iron Contributor)
Hello Ahmed,
1- You can check the issue by going to Entra ID, selecting the user who is a member of the group, and checking if the login failed due to Conditional Access. In the sign-in logs, Microsoft provides all the data, including the reasons for both successful and failed sign-ins.
2- Based on what you described, it seems like you might have overlooked something here.
Under the condition where you selected **Device - Windows**, there’s an option called **Client Apps**. In that section, you can check if browsers are also blocked, similar to what is shown in the screenshot.
3- In the filter, which options did you use: include or exclude? Would you mind providing me with the query?
Let me know if this resolves the issue.
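As an added example that is not part of this thread (and not Microsoft's own sample), here is the policy described above, with the Client Apps condition made explicit, followed by the sign-in log check from point 1, as a Microsoft Graph PowerShell script. The group object ID is a placeholder, and the policy is created in report-only mode so its effect on browser sign-ins can be read from the logs before anything is enforced.

```powershell
# Added example, not from the thread. Requires the Microsoft.Graph PowerShell SDK.
# The group object ID below is a placeholder; replace it with the real group.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "AuditLog.Read.All", "Directory.Read.All"

$policy = @{
    displayName = "Block Office 365 from non-corporate Windows devices"
    # Report-only first: the sign-in logs then show what WOULD be blocked,
    # including browser sign-ins from corporate devices, without locking anyone out.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeGroups = @("00000000-0000-0000-0000-000000000000") } # placeholder
        applications = @{ includeApplications = @("All") }
        platforms    = @{ includePlatforms = @("windows") }
        # The Client Apps condition Ankido points to. Listing both types makes
        # the browser coverage explicit instead of something to discover later.
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
        devices = @{
            deviceFilter = @{
                # Exclude mode: devices matching the rule are NOT blocked.
                # "ServerAD" is the trustType value for Microsoft Entra hybrid joined.
                # Append 'and device.isCompliant -eq True' to also require compliance.
                mode = "exclude"
                rule = 'device.deviceOwnership -eq "Company" and device.trustType -eq "ServerAD"'
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Point 1 from the reply: pull recent sign-ins where THIS policy failed or would
# have failed in report-only mode, and show the device details CA evaluated
# (client app, OS string, trust type, compliance) so mismatches stand out.
Get-MgAuditLogSignIn -Top 200 |
    Where-Object {
        $_.AppliedConditionalAccessPolicies |
            Where-Object { $_.Id -eq $created.Id -and $_.Result -in @("failure", "reportOnlyFailure") }
    } |
    Select-Object CreatedDateTime, UserPrincipalName, ClientAppUsed,
        @{ n = "OS";        e = { $_.DeviceDetail.OperatingSystem } },
        @{ n = "TrustType"; e = { $_.DeviceDetail.TrustType } },
        @{ n = "Compliant"; e = { $_.DeviceDetail.IsCompliant } } |
    Format-Table -AutoSize
```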
- AhmedSHMK (Brass Contributor)
- Regarding the option to unblock browsers: it is not possible, because we need to block login from browsers too. It is not an option, at least at the moment, to use network as a condition, as some users might come into the office to sign in, then leave, etc.
- This is the filter I used:
- AhmedSHMK (Brass Contributor)
Regarding sign-in logs, the below occurs (this only happens on browsers):
- Ankido (Iron Contributor)
Hi Ahmad, it looks good, but I noticed that in your filter, you have excluded machines that are compliant. This means that if machines are not compliant, Conditional Access will apply. Is the machine you are using compliant?
Let me know if this resolves the issue.