Forum Discussion
SebCerazy
Nov 14, 2022Iron Contributor
Conditional Access for Azure AD ONLY joined devices
All my user mobile devices (Windows based) are Azure AD joined (no hybrid). The requirement is to allow access to online resources from these devices ONLY & if external to trusted location then do MFA...
Nov 15, 2022
Well, if BYOD are never compliant the world would have issues right now. And what's up with the language? This is a community where people help each other.
I haven't heard of your third-party compliance issue before. Perhaps check with Sophos...
If filtering of any kind is not an option perhaps you need to look at Defender for Cloud Apps using an Access policy with a Block action.
SebCerazy
Nov 15, 2022Iron Contributor
Never mentioned any BYOD.
I think you are replying whatever comes to mind, without actually reading the original post.
I do not trust the compliance being 100% always every time. So cannot use this as one & only defining condition.
All I need is CA where access from AAD joined machine or do NOT access at all
Nov 15, 2022
No, I'm not... Forget about the filtering in Intune then and use the filtering in CA but the other way around. Block access and exclude company devices using negative operators (NotEquals, NotStartsWith, NotEndsWith, NotContains, NotIn) as positive operators assume the device exists in the directory.
SebCerazy
Nov 15, 2022Iron Contributor
Logically that does not convince me. And that is one place where there is no tester available
To me for Block in Grant, in Device filtering this would make more sense:
Include device that "deviceOwnership Not equals Company" & "trustType Not equals Azure AD joined"
Nov 15, 2022
I mean you can use multiple expressions. And negative operators for personal devices (devices not in directory). This isn't Microsoft support you know. You should reach out to them instead and complain... Btw, use What if tool and/or report-only to get an idea what will happen.
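An added example, not code from this thread: a small Python model of the filter-for-devices behaviour the reply describes, where positive operators only match a device object that exists in the directory while negative operators also match a device that was never registered. The two block-policy rules, the attribute values and the sample devices are constructed for illustration; the What If tool and report-only mode mentioned above remain the authoritative check for a real tenant.

```python
# Added example (not from the thread): models how a Conditional Access block policy
# with a device filter treats registered vs. unregistered devices, following the
# semantics stated in the reply: positive operators assume a device object exists,
# negative operators also match devices with no object. Rules and devices are constructed.
from typing import Callable, Dict, List, Optional, Tuple

# Operators in Conditional Access filter-for-devices rule syntax.
POSITIVE: Dict[str, Callable[[str, str], bool]] = {
    "-eq": lambda a, v: a == v,
    "-startsWith": lambda a, v: a.startswith(v),
}
NEGATIVE: Dict[str, Callable[[str, str], bool]] = {
    "-ne": lambda a, v: a != v,
    "-notStartsWith": lambda a, v: not a.startswith(v),
}
Clause = Tuple[str, str, str]  # (attribute, operator, value), e.g. ("trustType", "-ne", "AzureAD")

def clause_matches(attrs: Optional[dict], clause: Clause) -> bool:
    attr, op, value = clause
    if attrs is None:             # unregistered device: there is no object to compare against,
        return op in NEGATIVE     # so only "not ..." operators evaluate to true
    return {**POSITIVE, **NEGATIVE}[op](attrs.get(attr, ""), value)

def block_policy(rule: List[Clause], attrs: Optional[dict]) -> bool:
    """Block policy in 'include filtered devices' mode; clauses are ANDed (as in the post)."""
    return all(clause_matches(attrs, c) for c in rule)

# The rule proposed in the post: block devices that are neither company-owned nor Azure AD joined.
NEGATIVE_RULE: List[Clause] = [("deviceOwnership", "-ne", "Company"),
                               ("trustType", "-ne", "AzureAD")]
# The same intent written with positive operators: block personal, registered-only devices.
POSITIVE_RULE: List[Clause] = [("deviceOwnership", "-eq", "Personal"),
                               ("trustType", "-eq", "Workplace")]

# Constructed sample devices; None means the device was never registered in Azure AD.
DEVICES: Dict[str, Optional[dict]] = {
    "corp-laptop": {"deviceOwnership": "Company", "trustType": "AzureAD"},
    "byod-phone":  {"deviceOwnership": "Personal", "trustType": "Workplace"},
    "unknown-pc":  None,
}

def evaluate(rule: List[Clause]) -> Dict[str, str]:
    """Outcome per device for a block policy using the given rule: 'block' or 'allow'."""
    return {name: ("block" if block_policy(rule, attrs) else "allow")
            for name, attrs in DEVICES.items()}

if __name__ == "__main__":
    for label, rule in (("negative operators", NEGATIVE_RULE), ("positive operators", POSITIVE_RULE)):
        print(label, evaluate(rule))   # only the negative rule blocks "unknown-pc"
```

The unregistered device slips through the positive-operator rule and is caught by the negative-operator rule, which is the gap the reply is pointing at.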