Creating new conditional access policy for corporate assets


I want to create a new CA policy that grants access from corporate devices (Windows, Mac, and iPhones, all are Azure hybrid joined or Azure registered) and if they are not using a corporate device it prompts for their MFA (text or authenticator app).

It looks like my options in the Grant blade are for MFA or hybrid AD joined only. I don't think that includes Azure registered devices? correct?

 

Is it possible to include Azure registered devices in a policy to grant access?

2 Replies
There is no option to include registered devices, that is correct.

Which kind of management do you do on registered devices?
If you do MAM on those, you could require an app protection policy to be applied?

Hello @Jason_Benway 

You have an option in CA to grant/block access depending on if a device meets compliance.

You could perhaps use this to set up a compliance policy that will apply on your other devices.

Once the devices are compliant they will then be able to access your resources, and be prompted for MFA.

Or you could set up an app protection policy in MAM.

Kind Regards
Oliwer Sjöberg
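
The approach suggested in the replies, written as a policy definition. This is an added example, not part of the thread: it assumes the Microsoft Graph PowerShell SDK (`Microsoft.Graph.Identity.SignIns`), that the Azure registered devices are enrolled in Intune so they can be marked compliant, and it uses a placeholder display name and a placeholder emergency-account ID.

```powershell
# Added example, not code from the thread.
# Grant access when ANY one control is satisfied:
#   - device is marked compliant (covers Intune-managed registered devices)
#   - device is hybrid Azure AD joined
#   - user completes MFA (the fallback for non-corporate devices)
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# Placeholder object ID for an emergency-access account kept out of the policy.
$breakGlassId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName = 'Corporate device or MFA (example)'   # placeholder name
    # Report-only first: sign-in logs show what the policy would have done
    # without enforcing it, so the device coverage can be checked before rollout.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassId)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        # OR = "require one of the selected controls" in the Grant blade.
        operator        = 'OR'
        builtInControls = @('compliantDevice', 'domainJoinedDevice', 'mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Review the stored grant controls before switching state to 'enabled'.
(Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id).GrantControls |
    Select-Object Operator, BuiltInControls
```

There is no built-in control for "registered" alone, which matches the first reply; a registered device only passes without MFA here if a compliance policy has marked it compliant.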