Forum Discussion

rossonero's avatar
rossonero
Copper Contributor
Feb 17, 2021

No user affinity - conditional access

I have a conditional policy that require the device to be compliant. But I have devices that have no user affinity so there is no compliance evaluted. Will they still fit in under compliance, so the ...
Intune
mobile device management (mdm)
Pa_D's avatar
Pa_D
Brass Contributor
Feb 19, 2021

rossonero 

When you say "No user affinity" do you mean, they are NOT logged in by any user or logged in with a common account like "Device Enrollment Manager (DEM)"?

 

In both these cases, CA will not be evaluated, so compliance is not calculated on them due to which it is not considered non-compliant.

rossonero's avatar
rossonero
Copper Contributor
Feb 19, 2021

Pa_D 

 

So all devices that have a system account should not be part of conditional access polices? - there is no workarround on this ?

  • rossonero's avatar
    rossonero
    Copper Contributor
    Feb 19, 2021

    rossonero 

     

    Can see that my devices with a system account fails the compliance, so also fails the conditional access.

    So how can I either add those devices to a compliance policy - or how can I exclude them?

    I could easily make a device group, but this will not work as exclusion in Conditional access, as it must be user based. And the user "system account" is not a azure account, so wondering what can be done.

     

    Guess that also non-user devices, should be able to be verified with compliance ?

    • Pa_D's avatar
      Pa_D
      Brass Contributor
      Feb 19, 2021

      rossonero 

      1) Please clarify "System Account" here. Did you mean Windows system account? if not what is it?

      2) From your description, you have targeted CA policy to user group. Is it correct?

      3) Which OS are you focusing here?

       

Resources