CA: Require compliant or hybrid Azure AD joined device

Brass Contributor

Hello Guys,
I have been trying to wrap my head around this Conditional Access policy.
I want a policy that is requiring Compliant or Hybrid-Joined device.
My settings:
Users: All users (excluded: guests and external consultants)
Apps: All apps
Grant: Compliant or Hybrid Joined device.

At first i selected no conditions as i wanted to cover everything, but i notice that some of cloud-only accounts could no longer use PIM in Azure (unless they came from compliant device) - So i made a dynamic group that excludes all onmicrosofts accounts (my cloud only external admins, consultants). It seems to also work if i exclude "browser" in conditions.
However, this got me thinking. Will i have to exclude perhaps 'intune enrollment' and any other applications? (intune enrollment as example as a device is not compliant until its enrolled, thus being blocked? Also, same goes for hybrid-joined which seems to take a while, but there is no app i can exclude for that).
Basically, what im asking is if you have any experience in this CA rule and what apps you had to exclude to make it work. Is it something im obviously missing here?

Thank you.

1 Reply

Hi @john66571,

you're definitely on the right track with your Azure AD Conditional Access policy. Here is my summary (analysis) regarding your question, hope it helps:

  1. Excluding Certain Apps:
    you're correct about excluding specific applications, such as Intune enrollment, from the policy. Since a device isn't compliant until it's enrolled, blocking such applications during the enrollment process might cause issues. Consider excluding these apps to ensure a smooth onboarding process.

  2. Hybrid Azure AD Join Delay:
    the delay you're experiencing with hybrid Azure AD join is expected. It may take some time for the device state to be updated in Azure AD after a device is hybrid joined.

  3. Excluding Certain Accounts:
    It's a good practice to exclude certain accounts, like cloud-only admins from your Conditional Access policies. This prevents unnecessary restrictions on their access.

  4. Setting the Policy to Report-Only:
    to confirm your settings and understand the potential impact of the Conditional Access policies, you can initially set the policy to Report-only. This way, you can analyze the results and make necessary adjustments before enabling the policy.

Set up device-based Conditional Access policies with Intune - Microsoft Intune | Microsoft Learn


Require compliant, hybrid joined devices, or MFA - Microsoft Entra ID | Microsoft Learn

Require administrators use compliant or hybrid joined devices - Microsoft Entra ID | Microsoft Learn

Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.

If the post was useful in other ways, please consider giving it Like.

Kindest regards,

Leon Pavesic