Nov 14 2022 01:48 AM
All my user mobile devices (Windows based) are Azure AD joined (no hybrid)
The requirement is to allow access to online resources from these devices ONLY, and if external to a trusted location then do MFA
Internally (trusted location) allow access without MFA
There is NO combination of CA conditions that I can get it working this way
There is no option to specify AAD ONLY joined devices
I can NOT just choose in Grant "Require device to be marked as compliant" because some devices will not be compliant (due to how odd Sophos works from time to time, and the compliance is simply not quick enough to report correctly)
In Conditions/Filter for device I can select isCompliant, deviceOwnership, trustType, but the whole process gets thrown out of the window based on Grant
So no matter what I set users still can access services from personal PC, as long as MFA is executed (which is already configured in separate policy anyway)
Nov 14 2022 02:27 PM
Nov 15 2022 01:02 AM
Nov 15 2022 01:26 AM
Nov 15 2022 01:43 AM
Nov 15 2022 02:19 AM
Nov 15 2022 02:23 AM
Nov 15 2022 03:30 AM
Nov 15 2022 04:46 AM
Logically that does not convince me. And that is one place where there is no tester available
To me for Block in Grant, in Device filtering this would make more sense:
Include device that "deviceOwnership Not equals Company" & "trustType Not equals Azure AD joined"
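The device filter described in the post, written out as a Conditional Access policy body for the Microsoft Graph PowerShell SDK. This is an added example, not code from the thread or from Microsoft; the display name is a placeholder, the policy is created in report-only state so its effect can be reviewed in the sign-in logs before anything is blocked, and scoping to "All" users and applications is an assumption to be narrowed to a pilot group in practice.

```powershell
# Added example: express the proposed device filter as a report-only
# Conditional Access policy via Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph module is installed and the caller holds the
# Policy.ReadWrite.ConditionalAccess permission.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "Block non-Azure-AD-joined devices (report-only pilot)"   # placeholder name
    # Report-only: evaluated and logged, but not enforced, until the results are reviewed
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All") }            # assumption: narrow to a pilot group
        applications = @{ includeApplications = @("All") }
        devices      = @{
            deviceFilter = @{
                mode = "include"
                # The combination proposed in the post: devices that are not
                # company-owned and not Azure AD joined are matched by this filter
                rule = 'device.deviceOwnership -ne "Company" -and device.trustType -ne "AzureAD"'
            }
        }
    }
    # Grant control "block" so matching devices are denied access
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

With the policy in report-only mode, the "Report-only" tab of each sign-in log entry shows whether this policy would have blocked that sign-in. That is the place to check the case a later reply in this thread raises, namely SSO sign-ins that arrive without device information, before switching the state to "enabled".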
Nov 15 2022 04:56 AM
Nov 15 2022 05:06 AM
Jul 04 2023 11:10 PM
Dec 06 2023 05:14 PM
@SebCerazy Do you have any SSO enterprise applications? The CA you recommended works great but during the SSO there is NO device information so that login is blocked
Dec 07 2023 05:51 AM
Dec 07 2023 09:34 AM
Dec 08 2023 02:19 AM