Forum Discussion

Brass Contributor

Jan 15, 2025

CA policy for corporate devices

I would like to create a conditional access policy to block all non corporate devices from accessing Office 365 resources. I created a policy: Applies to -> User Group Applies to -> all resources ...

Azure AD

Identity

Ankido

Iron Contributor

Jan 15, 2025

Hello Ahmed,

1- You can check the issue by going to Entra ID, selecting which user is a member of the group, and checking if the login failed due to Conditional Access. In the sign-in logs, Microsoft provides all the data, including the reasons for both successful and failed sign-in

2- Based on what you described, it seems like you might have overlooked something here.

Under the condition where you selected **Device - Windows**, there’s an option called **Client Apps**. In that section, you can check if browsers are also blocked, similar to what is shown in the screenshot.

2- In the filter, which options did you use: include or exclude? Did you mind if you provide me with the query?

Let me know if this resolves the issue

AhmedSHMK

Brass Contributor

Jan 16, 2025

Regarding sign-in logs, the below occurs(This only happens on browsers):

Ankido
Iron Contributor
Jan 16, 2025

Hi Ahmad, it looks good, but I noticed that in your filter, you have excluded machines that are compliant. This means that if machines are not compliant, Conditional Access will apply. Is the machine you are using compliant?

Let me know if this resolves the issue
- AhmedSHMK
  Brass Contributor
  Jan 17, 2025
  Multiple Filters were tested, Instead of compliance, I used ownership and set it to company for corporate devices to be excluded.
  Device is indeed compliance. And sign in works fine from Desktop apps. Issue is only in the browser. Wondering if SSO in the browser has something to do with it, Or maybe certain versions of chrome/firefox is not supported.