Forum Discussion
Issues trying to block non Azure AD Hybrid Joined devices from accessing Office 365
The first thing is that it's not possible for an Android or iOS device to be Azure AD Hybrid Joined. I'm not 100% sure about macOS, but I don't think it can be either.
So any rule that says Compliant or Azure AD Hybrid Joined should suffice. I'm assuming you are trying to block Windows devices that are Azure AD Joined but not Hybrid Joined from accessing the Office 365 Web Services?
I've set this up in a demo tenant with a Block rule where the following is set:
Target Users: A single test user
App: Included Office 365
Conditions: Device Platform included Windows (Nothing Else Selected)
Device State: Include All Device States & Exclude Azure AD Hybrid Joined
Access Controls: Grant is set to Block
When I run a What If, the rule is applied only when the specified user attempts to access the selected app from a Windows device. If the device is Azure AD Hybrid Joined it will be granted access, otherwise it won't. On any other platform the policy is not applied.
Is that somewhere close to what you were trying to achieve?
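
The policy described in the reply above, expressed with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post. It makes two assumptions: the Device State condition is swapped for the device filter that has since replaced it (trustType "ServerAD" is a Hybrid Azure AD joined device), and the policy is created in report-only mode; the display name and the user ID placeholder are hypothetical.

```powershell
# Added example. Requires the Microsoft.Graph PowerShell SDK and a role
# that is allowed to manage Conditional Access policies.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholder: object ID of the single test user (not given in the post).
$testUserId = '<TEST-USER-OBJECT-ID>'
if ($testUserId -like '<*>') {
    throw 'Set $testUserId to the object ID of the test user before running.'
}

$policy = @{
    displayName = 'TEST - Block Office 365 from non-hybrid Windows'  # hypothetical name
    # Report-only: sign-in logs show what would be blocked, nothing is enforced yet.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeUsers = @($testUserId) }
        applications = @{ includeApplications = @('Office365') }
        # Windows only: sign-ins from every other platform are out of scope
        # for this policy and need a separate policy if they must be restricted.
        platforms    = @{ includePlatforms = @('windows') }
        devices      = @{
            deviceFilter = @{
                # Exclude hybrid joined devices from the block;
                # every other Windows device state stays in scope.
                mode = 'exclude'
                rule = 'device.trustType -eq "ServerAD"'
            }
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Once the report-only results in the sign-in logs match the What If outcome, changing `state` to `enabled` enforces the block.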