Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

Conditional Access for Azure AD ONLY joined devices

Iron Contributor

All my user mobile devices (Windows based) are Azure AD joined (no hybid)

The requirement is to allow access to online resources from these devices ONLY & if external to trusted location then do MFA)

Internally (trusted location) allow access without MFA


There is NO combination of CA conditions that I can get it working this way


There is no option to specify AAD ONLY joined devices


I can NOT just chose in Grant "Require device to be marked as compliant" because some devices will not be compliant (due to how odd Sophos works from time to time, and the compliance is simply not quick enough to report correctly)


In Conditions/Filter for device I can select isCompliant, device Ownership, trustType but the whole process gets thrown out of the window based to Grant


So no matter what I set users still can access services from personal PC, as long as MFA is executed (which is already configured in separate policy anyway)

17 Replies

And what would that do to my Conditional Access in Azure?
CA checks the compliance policies. Don’t allow personal devices to be compliant.
Personal devices (not Azure joined) are NEVER compliant, so that is not an issue!
But as explained, I can NOT chose just the compliance condition (because that does not work 100% every time, for reasons mentioned).
Well, if BYOD are never compliant the world would have issues right now. And what's up with the language? This is a community where people help each other.

I haven't heard of your third-party compliance issue before. Perhaps check with Sophos...

If filtering of any kind is not an option perhaps you need to look at Defender for Cloud Apps using an Access policy with a Block action.
Never mentioned any BYOD.
I think you are replying whatever comes to mind, without actually reading the original post.

I do not trust the compliance being 100% always every time. So cannot use this as one & only defining condition.
All I need is CA where access from AAD joined machine or do NOT access at all
No, I'm not... Forget about the filtering in Intune then and use the filtering in CA but the other way around. Block access and exclude company devices using negative operators (NotEquals, NotStartsWith, NotEndsWith, NotContains, NotIn) as positive operators assume the device exists in the directory.

Logically that does not convince me. And that is one place where there is no tester available
To me for Block in Grant, in Device filtering this would make more sense:
Include device that "deviceOwnership Not equals Company" & "trustType Not equals Azure AD joined"

I am mean you can use multiple expressions. And negative operators for personal devices (devices not in directory). This isn't Microsoft support you know. You should reach out to them instead and complain... Btw, use What if tool and/or report-only to get an idea what will happen.
There is no What-if tool in that very section (Filter for devices)
I been through the report-only, but real life just works faster

Hi, did you resolve this?

Yes, works fine




@Sebastian Cerazy  Do you have any SSO enterprise applications? The CA you recommended works great but during the SSO there is NO device information so that login is blocked

I sure use SSO (for MS services) and some others. True that some did not work (like Adobe Identity), so these got exempt
Duh. Thank you!!
so that works for that SSO app. Now i am finding that i get NO device info for
Office365 Shell WCSS-Client
Office 365 SharePoint Online

Are the stored windows creds getting passed through like the SSO app i added to the list. I dont want to exclude SPO.
For both I get:
Office365 Shell WCSS-Client
Office 365 SharePoint Online

Browser Edge 119.0.0
Operating System Windows10
Compliant Yes
Managed Yes
Join Type Azure AD joined

Maybe users are using Chrome without Microsoft 365 add-on?