Azure AD join vs Azure hybrid joined devices (download policy problem)


We have a number of devices in our Azure AD. We are migrating to a hybrid Azure approach.
For now we have migrated about 20% of devices, which are hybrid joined now. The rest of them are Azure AD registered.

My machine is one of the machines that is already hybrid registered.
I have set up a test policy in Conditional Access accordingly:

-> Users and groups -> only my user
-> Cloud apps -> O365
-> Condition -> Device state -> All device state, and exclude "Device marked as compliant" and "Device Hybrid Azure AD joined"
-> Session -> Use Conditional Access App Control (block downloads (preview))
-> The rest of the settings are left as "Not configured"

Now the policy works and blocks downloads, but it also blocks downloads from my company device (the one that is hybrid joined).

How do I troubleshoot this?

1 Reply
I think I finally have it working. For people who may struggle with the same problem, in the policies you have to specify the client apps used. It looks like this is not getting selected by default.
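A diagnostic to run on the affected device before touching the policy, added here and not part of the thread: it parses `dsregcmd /status` and reports whether the device actually presents the state that a "Hybrid Azure AD joined" exclusion depends on. It assumes the standard `Key : Value` line layout of dsregcmd output; the field names `AzureAdJoined`, `DomainJoined` and `AzureAdPrt` are real, the function names are hypothetical.

```powershell
# Added example (not from the original post). Run in the signed-in user's
# (non-elevated) session so the SSO State section, including AzureAdPrt, is shown.

function Get-DsregState {
    param([string[]]$Lines = (dsregcmd /status))
    $state = @{}
    foreach ($line in $Lines) {
        # Lines of interest look like "    AzureAdJoined : YES"
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-HybridJoinForConditionalAccess {
    param([hashtable]$State)
    $azureJoined  = $State['AzureAdJoined'] -eq 'YES'
    $domainJoined = $State['DomainJoined']  -eq 'YES'
    $hasPrt       = $State['AzureAdPrt']    -eq 'YES'

    $findings = @()
    if (-not ($azureJoined -and $domainJoined)) {
        # Hybrid join requires BOTH flags; AzureAdJoined alone means a plain
        # Azure AD join, neither flag means the device is only registered.
        $findings += "Device is not hybrid Azure AD joined (AzureAdJoined=$azureJoined, DomainJoined=$domainJoined)."
    }
    if (-not $hasPrt) {
        # Without a Primary Refresh Token the device identity is not sent with
        # the sign-in, so a device-state exclusion cannot match it.
        $findings += "No Azure AD PRT for this user; device state will not be evaluated at sign-in."
    }
    if ($findings.Count -eq 0) {
        $findings += "Device state looks correct; check the policy's client-app and session settings next."
    }
    return $findings
}

$state = Get-DsregState
Test-HybridJoinForConditionalAccess -State $state
```

If the device reports a correct hybrid state and a PRT but the browser session is still blocked, the sign-in logs for the user (Conditional Access tab) show which policy matched and what device information was received.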