Forum Discussion
Device filter in the conditional access policies
Dear Microsoft Entra Friends,
What is your experience with the device filter in the conditional access policies (Microsoft Entra ID)? The values of the attributes are not correct and therefore the policy is not processed correctly. This is confirmed in a "What If" test.
Kind Regards,
Tom Wechsler
4 Replies
- Thank you for your message. It's unfortunate that nothing is happening.
- Sandeep Deo
Microsoft
TomWechsler the actual value stored in the directory for the trustType property on Entra ID deviceID is ServerAD for Microsoft Entra hybrid joined and AzureAD for Microsoft Entra join. So wherever we show these values in the UI we show user friendly names except in the actual deviceFilter rule where we have to translate to what’s stored in the directory. You can also see this when creating dynamic device groups using deviceTrustType property. As this doc https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-membership#rules-for-devices suggests the three values we support are ServerAD, AzureAD and Workplace. This should not cause any issues with how the policy is being applied. I am curious on your statement that the policy is not processed due to this discrepancy. Can you elaborate more?
Thanks
- The device filters do not work if the TrustType is used in the conditional access policies. In several tests we have used the filter with Microsoft Entra Hybrid ID joined, but the CA has never worked. If we then worked with other attributes, it worked perfectly.
- MrAzureAD
Copper Contributor
You are correct. The case is wrong: Correct is "AzureAd" and "ServerAd". I reported that already months ago, unfortunately, nothing happened. Disappointing.