Forum Discussion

john66571
Brass Contributor
Dec 04, 2023

CA: Require compliant or hybrid Azure AD joined device

Hello Guys,
I have been trying to wrap my head around this Conditional Access policy.
I want a policy that requires a Compliant or Hybrid-Joined device.
My settings:
Users: All users (excluded: guests and external consultants)
Apps: All apps
Grant: Compliant or Hybrid Joined device.

At first I selected no conditions as I wanted to cover everything, but I noticed that some cloud-only accounts could no longer use PIM in Azure (unless they came from a compliant device). So I made a dynamic group that excludes all onmicrosoft accounts (my cloud-only external admins, consultants). It seems to also work if I exclude "browser" in conditions.
However, this got me thinking. Will I have to exclude perhaps 'Intune enrollment' and any other applications? (Intune enrollment as an example, as a device is not compliant until it's enrolled, thus being blocked? Also, the same goes for hybrid-joined, which seems to take a while, but there is no app I can exclude for that.)
Basically, what I'm asking is if you have any experience with this CA rule and what apps you had to exclude to make it work. Is it something I'm obviously missing here?

Thank you.
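One way to express the policy described in the post above with the Microsoft Graph PowerShell SDK, as an added example that is not from the post or from Microsoft's documentation; it assumes the exclusion group (guests/consultants plus the cloud-only admin dynamic group) already exists, that the "Microsoft Intune Enrollment" service principal is present in the tenant, and it creates the policy in report-only mode so the sign-in logs show what would have been blocked before anything is enforced.

```powershell
# Added example (not the original poster's code): the CA policy from the post,
# created via the Microsoft Graph PowerShell SDK in report-only mode.
# Assumptions: an exclusion group already exists (placeholder ID below) and the
# "Microsoft Intune Enrollment" service principal is present in the tenant.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Placeholder: object ID of the group holding guests/consultants and the
# dynamic group of cloud-only onmicrosoft admin accounts.
$excludeGroupId = "<EXCLUSION-GROUP-OBJECT-ID>"

# Resolve the Intune Enrollment app ID from the tenant rather than hard-coding it,
# so enrollment is not blocked while the device is still reported as non-compliant.
$intuneEnrollment = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Intune Enrollment'"

$policy = @{
    displayName = "Require compliant or hybrid Azure AD joined device"
    # Report-only: evaluated and logged, nothing is enforced yet.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeUsers  = @("All")
            excludeUsers  = @("GuestsOrExternalUsers")
            excludeGroups = @($excludeGroupId)
        }
        applications = @{
            includeApplications = @("All")
            excludeApplications = @($intuneEnrollment.AppId)
        }
        # Leaving "browser" out of this list is the Graph equivalent of the
        # portal's "exclude browser" choice mentioned in the post.
        clientAppTypes = @("mobileAppsAndDesktopClients", "exchangeActiveSync", "other")
    }
    grantControls = @{
        # OR: satisfying either control grants access (compliant OR hybrid joined).
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Check: read the policy back and confirm the grant operator is OR, not AND,
# and that the state is still report-only.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
"{0}: state={1}, grant={2} ({3})" -f $check.DisplayName, $check.State, ($check.GrantControls.BuiltInControls -join ","), $check.GrantControls.Operator
```

After a few days of sign-in log review (filter on the policy name and result "Report-only: Failure"), switch `state` to `enabled` only once the remaining failures are ones you intend to block.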
