Conditional Access Policy

Iron Contributor

I am currently auto registering my workstations with AZ via GPO so the workstations display in AAD as Hybrid joined.

 

I then have a policy applied to Exch-onLine that only computers that are Hybrid joined have mailbox access.  This is to stop Non-Firm computers from accessing Firm email.

 

The issue I am having is every so often a user will get a msg that they are block due to the computer not being Hybrid Joined.  When I check the users workstation i run DSMCMD.EXE /STATUS and the computer displays as Azure AD Joined.  I check the AZ portal and the computer is listed and AAD Hybrid joined. 

 

MS is telling me that the workstations now also need this option enabled in the GPO, 

"Enable automatic MDM enrollment using default Azure AD credentials. "

 

Which will now display the workstations as Mobile devices and will show up as either incompliance or not.  However the Conditional access policy is looking for the device to be Hybrid Joined.

So is this a new requirement or are they just having me jump through hoops for the heck of it?

 

Also wanted to add the I dont see this option in the Current GPPO used to register my workstations.

I am running domain funtion level of 2012 r2.  They are telling me its only available in server 2016.

 

 

 

4 Replies
The GPO you are referring to is to enroll a device into MDM and is only required if your CA policy requires compliant device. If you simply just want to allow/block access for hybrid ad joined then you dont need the GPO.

FYI - the GPO is part of the windows 10 1709 and later ADMX files
My guess is they may experience this issue when they are trying to access cloud resources through a browser which is not supported for device based conditional access and therefore cannot satisfy the requirement so gets blockedz
Thats what I thought, thank you. I will get back with them.
Agreed the user however was on the internal LAN and launching outlook 2016 which is why this threw me for a loop.