Device filter in the conditional access policies

Dear Microsoft Entra Friends, What is your experience with the device filter in the conditional access policies (Microsoft Entra ID)? The values of the attributes are not correct and theref...

Access Management

Active Directory (AD)

device management

Sandeep Deo

Microsoft

Jan 16, 2024

TomWechsler the actual

value stored in the directory for the trustType property on Entra ID deviceID is SetverAD for Microsoft Entra hybrid joined and AzureAD for Microsoft Entra join. So whereever we show these values in the UI we show user friendly names except in the actual deviceFilter rule where we have to translate to the what’s stored in the directory. You can also see this when creating dynamic device groups using deviceTrrustType property. As this doc https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-membership#rules-for-devices suggests the three values we support are ServerAD, AzureAD and Workplace. This should not cause any issues with how the policy is bending applied. I am curious on your statement that the policy is not processed due to this discrepancy. Can you elaborate more.

Thanks

TomWechsler

MVP

Jan 17, 2024

The device filters do not work if the TrustType is used in the conditional access policies. In several tests we have used the filter with Microsoft Entra Hybrid ID joined, but the CA has never worked. If we then worked with other attributes, it worked perfectly.

Forum Discussion

Device filter in the conditional access policies

Resources