Forum Discussion
SebCerazy
Nov 14, 2022 Iron Contributor
Conditional Access for Azure AD ONLY joined devices
All my user mobile devices (Windows based) are Azure AD joined (no hybrid). The requirement is to allow access to online resources from these devices ONLY & if external to trusted location then do MFA...
SebCerazy
Nov 15, 2022 Iron Contributor
Never mentioned any BYOD.
I think you are replying whatever comes to mind, without actually reading the original post.
I do not trust the compliance being 100% always every time. So cannot use this as one & only defining condition.
All I need is CA where access from AAD joined machine or do NOT access at all
Nov 15, 2022
No, I'm not... Forget about the filtering in Intune then and use the filtering in CA but the other way around. Block access and exclude company devices using negative operators (NotEquals, NotStartsWith, NotEndsWith, NotContains, NotIn) as positive operators assume the device exists in the directory.
SebCerazy
Nov 15, 2022 Iron Contributor
There is no What-if tool in that very section (Filter for devices).
I've been through the report-only, but real life just works faster.

Nov 15, 2022
I mean you can use multiple expressions. And negative operators for personal devices (devices not in directory). This isn't Microsoft support you know. You should reach out to them instead and complain... Btw, use What if tool and/or report-only to get an idea what will happen.
SebCerazy
Nov 15, 2022 Iron Contributor
Logically that does not convince me. And that is one place where there is no tester available.
To me for Block in Grant, in Device filtering this would make more sense:
Include device that "deviceOwnership Not equals Company" & "trustType Not equals Azure AD joined"
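As an added illustration (not code from any poster in this thread), a small Python model of how a "filter for devices" condition scopes a block policy. It assumes the behaviour described above: positive operators such as -eq only match devices that exist in the directory, while negative operators such as -ne also match devices that are not registered at all. The sample devices and the two candidate filters are constructed, and the rule strings are rendered in the portal's rule syntax.

```python
# Toy model of Conditional Access "filter for devices" evaluation (constructed).
# Assumption taken from the thread: negative operators also match unregistered
# devices; positive operators never do.
NEGATIVE_OPS = {"-ne", "-notStartsWith", "-notEndsWith", "-notContains", "-notIn"}

def clause_matches(device, attr, op, value):
    """Evaluate one 'device.<attr> <op> <value>' clause.
    device is a dict of attributes, or None for a device unknown to the directory."""
    if device is None:
        return op in NEGATIVE_OPS
    actual = device.get(attr)
    tests = {
        "-eq": lambda: actual == value,
        "-ne": lambda: actual != value,
        "-in": lambda: actual in value,
        "-notIn": lambda: actual not in value,
    }
    return tests[op]()

def rule_matches(device, clauses, combine):
    results = [clause_matches(device, *c) for c in clauses]
    return all(results) if combine == "and" else any(results)

def policy_blocks(device, mode, clauses, combine):
    """A block policy applies when the device is in scope of the filter:
    'include' scopes matching devices, 'exclude' scopes everything else."""
    in_filter = rule_matches(device, clauses, combine)
    return in_filter if mode == "include" else not in_filter

def to_rule_string(clauses, combine):
    """Render clauses the way the CA rule editor writes them."""
    parts = [f'device.{a} {op} "{v}"' for a, op, v in clauses]
    return f" -{combine} ".join(parts)

DEVICES = {  # constructed sample sign-ins
    "company_aadj": {"trustType": "AzureAD", "deviceOwnership": "Company"},
    "company_wpj": {"trustType": "Workplace", "deviceOwnership": "Company"},
    "personal_wpj": {"trustType": "Workplace", "deviceOwnership": "Personal"},
    "unregistered": None,
}

# Block all, exclude company Azure AD joined devices (positive operators).
EXCLUDE_COMPANY = ("exclude", [("trustType", "-eq", "AzureAD"),
                               ("deviceOwnership", "-eq", "Company")], "and")
# Block devices matching both negated clauses, as proposed above.
INCLUDE_NEGATIVE = ("include", [("trustType", "-ne", "AzureAD"),
                                ("deviceOwnership", "-ne", "Company")], "and")

def blocked_by(policy):
    mode, clauses, combine = policy
    return sorted(n for n, d in DEVICES.items()
                  if policy_blocks(d, mode, clauses, combine))
```

Comparing blocked_by(EXCLUDE_COMPANY) with blocked_by(INCLUDE_NEGATIVE) shows that the two filters disagree only on the company-owned but merely Workplace-registered device, which the AND-combined negative rule leaves unblocked.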