Policy applied allthough it shouldn't

Hi heinzelrumpel​ ,

Glad you tracked it down. Duplicate policies with the same control are easy to miss because the sign-in log shows the control firing without telling you which policy won unless you open the full list. Quick check next time symptoms contradict a configured filter: in the Entra admin center, go to Identity → Monitoring & health → Sign-in logs, open the sign-in event, and click the Conditional Access tab. Each applied policy shows as its own row with the result (Success, Not applied, Report-only). When two rows enforce the same control, the duplicate is your target.

One side note on the filter syntax itself: positive operators (-eq, -contains) don't match null device attributes, so an Exclude expression built on them silently fails for any device that doesn't have an Entra device object. Microsoft's persistent browser sample uses Include mode with -ne for that reason. Useful if a Server 2025 host ever ends up in scope without being registered, since Server 2025 isn't on the supported hybrid join OS list yet.