Conditional Access - Block Access to Cloud Apps - Not Entra Joined Devices


Hello everyone and greetings from Portugal,

I'm fairly new to Conditional Access, and I'm trying to create a policy to block access to cloud apps from devices that are not Azure/Entra joined devices.

For the conditions I'm excluding filtered devices as follows:
"Exclude filtered devices from policy"

The expression I'm using is:
device.trustType -eq "AzureAD"

I'm using report-only so I can check what would happen, and I'm getting a lot of failures, including Azure AD joined devices. The failed applications are:
Office365 Shell WCSS-Client
SharePoint Online Web Client Extensibility
Office Online Core SSO

It seems to be something related to how the users access the apps, like using Google Chrome, but I can't really understand it.


Can someone please help me with this?


Best Regards,
Diogo Sousa

2 Replies
If you look at sign-in logs, you should see the reason for failures.

Hi Diogo - There are still a lot of browsers and clients out there that are unable to provide Entra ID device information. One example I had recently is the Adobe Reader fat client, where the application brings its own Chromium framework to authenticate; we had to configure the app to instead use the OS browser.
In such cases you should see that there is no device information in the sign-in log, even though the device used should be able to provide it.
For third-party browsers there are also usually additional steps required, for example in Chrome: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-condi...
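To make the advice in this thread checkable, here is an added example (not code from the original post or from either reply) written against the Microsoft Graph PowerShell SDK. The first part expresses the policy described in the question as a Graph conditional access policy body, with the device filter in exclude mode and the state set to report-only. The second part triages sign-in log entries that this policy marked reportOnlyFailure and separates sign-ins where the client identified its device with a trust type that did not match the filter from sign-ins where the client sent no device information at all, which is the situation the second reply describes. The policy display name, the scopes requested and the three sample sign-in records are constructed for illustration; the cmdlet and property names are those of the Microsoft.Graph modules.

```powershell
# Added example: Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns
# and Microsoft.Graph.Reports modules). The display name and the sample records
# below are constructed for illustration; nothing touches a tenant until the
# Connect-MgGraph / New-MgIdentityConditionalAccessPolicy lines are uncommented.

# 1. The policy from the question as a Graph conditionalAccessPolicy body:
#    every user, every cloud app, device filter in *exclude* mode so that
#    Entra-joined devices are carved out, block everything else, report-only.
$policy = @{
    displayName   = "CA-ReportOnly-Block-NonEntraJoined"   # constructed name
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        devices        = @{
            deviceFilter = @{
                mode = "exclude"
                rule = 'device.trustType -eq "AzureAD"'
            }
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","AuditLog.Read.All"
# New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 2. Triage the report-only failures. A device filter can only exclude a device
#    the client actually identified; a browser or embedded web view that sends
#    no device state falls into the "everything else" bucket, so those sign-ins
#    carry an empty deviceDetail.trustType rather than a non-matching one.
function Get-ReportOnlyFailureTriage {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,   # output of Get-MgAuditLogSignIn
        [Parameter(Mandatory)] [string]   $PolicyName
    )
    foreach ($s in $SignIns) {
        $hit = @($s.AppliedConditionalAccessPolicies | Where-Object {
            $_.DisplayName -eq $PolicyName -and $_.Result -eq "reportOnlyFailure"
        })
        if ($hit.Count -eq 0) { continue }

        $trust = [string]$s.DeviceDetail.TrustType
        if ([string]::IsNullOrWhiteSpace($trust)) {
            $verdict = "NoDeviceInfo: client sent no device state; fix the client, not the policy"
        } else {
            $verdict = "DeviceIdentified: trustType '$trust' did not match the exclude filter"
        }
        [pscustomobject]@{
            User      = $s.UserPrincipalName
            App       = $s.AppDisplayName
            Browser   = $s.DeviceDetail.Browser
            TrustType = $trust
            Verdict   = $verdict
        }
    }
}

# Live use once connected (one of the apps named in the question):
# $signIns = Get-MgAuditLogSignIn -Top 500 -Filter "appDisplayName eq 'Office365 Shell WCSS-Client'"
# Get-ReportOnlyFailureTriage -SignIns $signIns -PolicyName $policy.displayName | Format-Table -AutoSize

# Offline run on constructed records shaped like the SDK's sign-in objects.
$sample = @(
    [pscustomobject]@{   # joined device, but Chrome sent no device state
        UserPrincipalName = "alice@contoso.example"
        AppDisplayName    = "Office365 Shell WCSS-Client"
        DeviceDetail      = [pscustomobject]@{ TrustType = ""; Browser = "Chrome 120.0.0" }
        AppliedConditionalAccessPolicies = @(
            [pscustomobject]@{ DisplayName = $policy.displayName; Result = "reportOnlyFailure" })
    }
    [pscustomobject]@{   # registered (not joined) device: expected to be blocked
        UserPrincipalName = "bob@contoso.example"
        AppDisplayName    = "Office Online Core SSO"
        DeviceDetail      = [pscustomobject]@{ TrustType = "Azure AD registered"; Browser = "Edge 120.0.0" }
        AppliedConditionalAccessPolicies = @(
            [pscustomobject]@{ DisplayName = $policy.displayName; Result = "reportOnlyFailure" })
    }
    [pscustomobject]@{   # joined device that presented its state: excluded, not a failure
        UserPrincipalName = "carol@contoso.example"
        AppDisplayName    = "SharePoint Online Web Client Extensibility"
        DeviceDetail      = [pscustomobject]@{ TrustType = "Azure AD joined"; Browser = "Edge 120.0.0" }
        AppliedConditionalAccessPolicies = @(
            [pscustomobject]@{ DisplayName = $policy.displayName; Result = "reportOnlySuccess" })
    }
)
Get-ReportOnlyFailureTriage -SignIns $sample -PolicyName $policy.displayName | Format-Table -AutoSize
```

Two practical notes on this pattern. The filter value "AzureAD" is the device filter's name for an Entra-joined device; the sign-in log shows a human-readable trust type string instead, so compare on presence of device state first and read the exact value second. Also, a policy that blocks all users from all apps unless a device is excluded is a lockout pattern: before changing the state from report-only to enabled, exclude the break-glass accounts and the account you administer the tenant with.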