Issues trying to block non Azure AD Hybrid Joined devices from accessing Office 365

Here is what I'm trying to accomplish. Right now we have domain joined devices that are Azure AD hybrid joined as well. I want to create a conditional access policy that will block access to Office 365 web if a device is not Azure AD hybrid joined. I've created a policy and put the details below. Right now it's just blocking Office 365 web access on all devices and it doesn't care whether it's hybrid joined or not. What am I missing?

 

Assignments:

  • Users and groups - One test user assigned
  • Cloud apps or actions - Include - Office 365
  • Conditions - Device Platforms - Include Any Device/ Exclude Android/iOS/macOS

Access Controls

  • Grant - Grant Access - Require Hybrid Azure AD joined device - Require one of the selected controls

Nothing else is filled out. Here is a picture of the sign-ins through Azure AD showing the policy applying:

[Screenshot: JRedmond_1-1604435936240.png]

5 Replies

Anyone have any thoughts here? Or does anyone have a recommendation for another place where I might find an answer?

It's important to know which browser you are trying this from.
If you use Chrome you need the 'Windows 10 accounts' extension in order for the browser to pass on it's hybrid joined.

Have you checked the sign-in logs in order to verify what exactly is going wrong?

This is from Internet Explorer, the screenshot I included is from the Azure AD sign in logs. What else would you like to see?

Is it possible you didn't add the screenshot? Can't find it (might be because of mobile).

@JRedmond 

 

The first thing is that it's not possible for an Android or iOS device to be Azure AD Hybrid Joined. I'm not 100% sure about macOS but I don't think it can be either.

So any rule that says Compliant or Azure AD Hybrid Joined should suffice. I'm assuming you are trying to block Windows devices that are Azure AD Joined but not Hybrid Joined from accessing the Office 365 Web Services?

 

I've set this up in a demo tenant with a Block rule where the following is set

 

  • Target Users - A single test user
  • App - Included Office 365
  • Conditions - Device Platform - Included Windows (nothing else selected)
  • Device State - Include All Device States & Exclude Azure AD Hybrid Joined
  • Access Controls - Grant is set to Block

 

When I run a What If, the rule is applied only when the specified user attempts to access the selected app from a Windows device. If the device is Azure AD Hybrid Joined it will be granted access, otherwise it won't. For any other platform the policy is not applied.

 

Is that somewhere close to what you were trying to achieve?
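
The two policy designs in this thread, compared side by side in an added example that is not part of any reply. It is a simplified model of the settings as posted, not Azure AD's evaluation engine. The sample sign-ins are constructed, and `trust_type=None` is an assumed way to represent a browser that passes no device identity.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class SignIn:
    label: str
    platform: str              # "windows", "ios", "android", "macos", "linux"
    trust_type: Optional[str]  # "hybrid", "aad_joined", or None if the browser sent no device identity

def grant_policy(s: SignIn) -> str:
    """Original post: any platform except Android/iOS/macOS, Grant requires hybrid join."""
    if s.platform in {"android", "ios", "macos"}:
        return "not applied"
    # The grant control is satisfied only when the sign-in carries a hybrid-joined device.
    return "granted" if s.trust_type == "hybrid" else "blocked"

def block_policy(s: SignIn) -> str:
    """Last reply: Windows only, all device states except hybrid joined, control is Block."""
    if s.platform != "windows":
        return "not applied"
    if s.trust_type == "hybrid":
        return "not applied"   # excluded by device state, so this policy does not block
    return "blocked"

# Constructed sample sign-ins for the one test user against Office 365.
SAMPLES = [
    SignIn("hybrid PC, browser passes device identity", "windows", "hybrid"),
    SignIn("hybrid PC, browser passes no device identity", "windows", None),
    SignIn("Azure AD joined PC (not hybrid)", "windows", "aad_joined"),
    SignIn("iPhone", "ios", None),
    SignIn("Linux workstation", "linux", None),
]

def compare(samples=SAMPLES):
    """Return (label, grant-policy result, block-policy result) for each sign-in."""
    return [(s.label, grant_policy(s), block_policy(s)) for s in samples]

if __name__ == "__main__":
    for label, grant, block in compare():
        print(f"{label:46} grant-policy={grant:12} block-policy={block}")
```

Both designs block a hybrid joined PC whose browser does not pass the device identity, which is why the browser question in the replies matters. They differ on platforms outside Windows/Android/iOS/macOS, where only the original policy applies.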