Forum Discussion
DiogoSousa
Dec 20, 2023
Iron Contributor
Conditional Access - Block Access to Cloud Apps - Not Entra Joined Devices
Hello everyone and greetings from Portugal,
I'm fairly new to Conditional Access, and I'm trying to create a policy to block access to cloud apps from devices that are not Azure/Entra Joined Devices.
For the conditions I'm excluding filtered devices as follows:
"Exclude filtered devices from policy"
The expression I'm using is:
device.trustType -eq "AzureAD"
I'm using report-only so I can check what would happen, and I'm getting a lot of failures, including Azure AD joined devices. The failed applications are:
Office365 Shell WCSS-Client
SharePoint Online Web Client Extensibility
Office Online Core SSO
It seems to be something related to how the users access the apps, like using Google Chrome, but I can't really understand it.
Can someone please help me with this?
Best Regards,
Diogo Sousa
juliansperling
Brass Contributor
Hi Diogo - There are still a lot of browsers and clients out there that are unable to provide Entra ID device information. One example I had recently is the Adobe Reader fat client, where the application brings its own Chromium framework to authenticate - we had to configure the app to use the OS browser instead.
In such cases you should see that there is no device information in the sign-in log - even though the device used should be able to provide it.
For third-party browsers there are also usually additional steps required - for example in Chrome: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-conditions#chrome-support
rahuljindal-MVP
Bronze Contributor
If you look at sign-in logs, you should see the reason for failures.
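An added example, not from anyone in this thread, that ties Diogo's exclusion rule to juliansperling's point about clients that send no device information: it replays `device.trustType -eq "AzureAD"` over constructed sign-in records shaped like the Microsoft Graph signIn resource and buckets the report-only failures by what the client actually presented (browser, OS, app). The record layout, the policy name and every value are assumptions for illustration.

```python
import json
from collections import Counter

# Constructed sample of Entra sign-in records for a report-only policy, shaped like the Microsoft
# Graph signIn resource (field names assumed from that schema; all values invented for this example).
SAMPLE_SIGNINS = json.loads("""[
 {"appDisplayName": "Office365 Shell WCSS-Client", "clientAppUsed": "Browser",
  "deviceDetail": {"trustType": "", "browser": "Chrome 120.0.0", "operatingSystem": "Windows10"},
  "appliedConditionalAccessPolicies": [{"displayName": "Block non-joined", "result": "reportOnlyFailure"}]},
 {"appDisplayName": "SharePoint Online Web Client Extensibility", "clientAppUsed": "Browser",
  "deviceDetail": {"trustType": "", "browser": "Chrome 120.0.0", "operatingSystem": "Windows10"},
  "appliedConditionalAccessPolicies": [{"displayName": "Block non-joined", "result": "reportOnlyFailure"}]},
 {"appDisplayName": "Office Online Core SSO", "clientAppUsed": "Browser",
  "deviceDetail": {"trustType": "AzureAd", "browser": "Edge 120.0.0", "operatingSystem": "Windows10"},
  "appliedConditionalAccessPolicies": [{"displayName": "Block non-joined", "result": "reportOnlyNotApplied"}]},
 {"appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Mobile Apps and Desktop clients",
  "deviceDetail": {"trustType": "Workplace", "browser": "", "operatingSystem": "Android"},
  "appliedConditionalAccessPolicies": [{"displayName": "Block non-joined", "result": "reportOnlyFailure"}]}
]""")

POLICY = "Block non-joined"  # assumed display name of the report-only policy

def excluded_by_filter(device: dict) -> bool:
    """Mirror the exclusion rule device.trustType -eq "AzureAD" (compared case-insensitively here)."""
    return (device.get("trustType") or "").lower() == "azuread"

def triage(signins: list, policy_name: str) -> dict:
    """Split report-only failures into 'client sent no device info' and 'device known but not joined'."""
    no_info, not_joined, excluded = Counter(), Counter(), 0
    for s in signins:
        results = [p["result"] for p in s.get("appliedConditionalAccessPolicies", [])
                   if p.get("displayName") == policy_name]
        if not results:
            continue
        dev = s.get("deviceDetail") or {}
        if excluded_by_filter(dev):
            excluded += 1
            continue
        if results[0] != "reportOnlyFailure":
            continue
        # Key on what the client presented, so browsers/clients that omit device info stand out.
        key = (s.get("clientAppUsed"), dev.get("browser") or "-", dev.get("operatingSystem"), s["appDisplayName"])
        bucket = no_info if not dev.get("trustType") else not_joined
        bucket[key] += 1
    return {"excluded": excluded, "no_device_info": no_info, "not_joined": not_joined}

if __name__ == "__main__":
    r = triage(SAMPLE_SIGNINS, POLICY)
    print("excluded as Entra joined:", r["excluded"])
    for bucket in ("no_device_info", "not_joined"):
        for key, n in r[bucket].most_common():
            print(f"{bucket:15s} {n:3d}  {' | '.join(map(str, key))}")
```

Rows in the `no_device_info` bucket are the ones to check against the browser and client requirements juliansperling mentions; `not_joined` rows are the devices the policy is meant to block.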