Device filter in the conditional access policies

Dear Microsoft Entra Friends,


What is your experience with the device filter in the conditional access policies (Microsoft Entra ID)? The values of the attributes are not correct and therefore the policy is not processed correctly. This is confirmed in a "What If" test.


[Attachments: ca_1.png, ca_2.png, ca_3.png]


Kind Regards,

Tom Wechsler


4 Replies

You are correct. The case is wrong: correct is "AzureAd" and "ServerAd". I reported that already months ago; unfortunately, nothing happened. Disappointing.

Thank you for your message. It's unfortunate that nothing is happening.

@TomWechsler the actual value stored in the directory for the trustType property on an Entra ID device is ServerAD for Microsoft Entra hybrid joined and AzureAD for Microsoft Entra joined. So wherever we show these values in the UI we show user-friendly names, except in the actual deviceFilter rule, where we have to translate to what's stored in the directory. You can also see this when creating dynamic device groups using the deviceTrustType property. As this doc https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-membership#rules-for-devices suggests, the three values we support are ServerAD, AzureAD and Workplace. This should not cause any issues with how the policy is being applied. I am curious about your statement that the policy is not processed due to this discrepancy. Can you elaborate more?


Thanks
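
The reply above describes the gap between the label the portal shows ("Microsoft Entra hybrid joined") and the value the directory stores for trustType, which is what a deviceFilter rule and a dynamic group rule must match. The following PowerShell is an added example, not code from the thread or from Microsoft: it reads the stored trustType values from the tenant, deploys a report-only policy whose device filter uses the stored value, builds a dynamic device group on the same attribute as an independent check, and lists every deployed device filter rule so a rule written with a mismatched value or casing stands out. It assumes the Microsoft Graph PowerShell SDK is installed; the policy and group names are made up.

```powershell
# Added example (not from the thread). Assumes the Microsoft Graph PowerShell SDK.
# Policy and group names below are hypothetical.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "Device.Read.All", "Group.ReadWrite.All"

# 1. What does the directory actually store? This is the value a filter rule has to
#    match, not the "Microsoft Entra hybrid joined" label shown in the portal.
#    Compare the strings returned here with whatever your rules contain.
Get-MgDevice -All -Property "displayName,trustType,deviceId" |
    Group-Object -Property TrustType |
    Select-Object Name, Count

# 2. Report-only Conditional Access policy whose device filter targets hybrid-joined
#    devices by the stored trustType value. Report-only lets you confirm behaviour
#    with What If and sign-in logs before enforcing anything.
$policy = @{
    displayName = "CA-Example-HybridJoined-DeviceFilter"   # hypothetical name
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All") }
        applications = @{ includeApplications = @("All") }
        devices      = @{
            deviceFilter = @{
                mode = "include"
                rule = 'device.trustType -eq "ServerAD"'   # stored value, not the UI label
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 3. Dynamic device group on the same attribute. Once membership processing has run,
#    its members are an independent view of which devices the directory treats as
#    hybrid joined, so you can compare against the set the policy should cover.
$group = New-MgGroup -DisplayName "DG-Example-HybridJoined" `          # hypothetical name
    -MailEnabled:$false -MailNickname "dg-example-hybridjoined" -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule '(device.deviceTrustType -eq "ServerAD")' `
    -MembershipRuleProcessingState "On"
Get-MgGroupMember -GroupId $group.Id -All |
    Select-Object Id, @{ n = "DisplayName"; e = { $_.AdditionalProperties.displayName } }

# 4. Review every device filter rule currently deployed, so a rule whose value or
#    casing does not match the output of step 1 is easy to spot.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.Conditions.Devices.DeviceFilter.Rule } |
    Select-Object DisplayName, State,
        @{ n = "FilterMode"; e = { $_.Conditions.Devices.DeviceFilter.Mode } },
        @{ n = "FilterRule"; e = { $_.Conditions.Devices.DeviceFilter.Rule } }
```

The thread itself does not settle whether "ServerAD" or "ServerAd" is the exact stored spelling, so step 1 is the authoritative check for your tenant: whatever Get-MgDevice returns is what the rule in step 2 should be written against. Dynamic group membership is not immediate; wait for the processing state to finish before treating the group in step 3 as complete.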

The device filters do not work if the TrustType is used in the conditional access policies. In several tests we have used the filter with Microsoft Entra hybrid joined, but the CA has never worked. If we then worked with other attributes, it worked perfectly.