Forum Discussion
Azure AD Conditional Access - Require Domain Joined Device
- Jul 18, 2017
Correct, that would be on-prem AD domain-join.
What makes it confusing is that it's possible to have on-prem AD domain-joined PCs automatically register and enroll with Azure AD.
Azure AD joined machines will work with conditional access. You will just need to use the value of "Require device to be marked as compliant". This requires the device to be managed through Intune, however, and does not allow you to use machines that are only Azure AD joined and not managed.
Hi,
Can you please elaborate further?
We have the following requirement.
Only the devices issued by the IT department should be able to access SharePoint Online. How can I achieve this using conditional or compliance policies?
We don't have on prem AD.
Thanks,
- Joe Stocker, Oct 06, 2017, Bronze Contributor
The conditional access policy that checks for domain join membership of a machine is referring to on-premises AD, so if you do not have on-prem AD then you'll need to use other conditional access choices to achieve your goals.
One idea would be to enroll your IT computers in Intune and then use a compliance policy that checks for device 'health' (which relies on intune enrollment).
Another idea would be to put your IT computers behind a NAT that can be used for conditional access checking based on the external IP address of that NAT.
- Vineet Arora, Oct 07, 2017, Brass Contributor
Hi Joe,
Thank you for the response.
Option of NAT wouldn't work as there are mobile workers.
Can you guide me more on enrollment, and maybe point to some documentation? Below is what should work if we can do it with an enrollment/compliance policy.
1. Restrict that only IT can enroll the devices.
2. Use a compliance policy that allows access only on enrolled devices.
Thanks,
- Joe Stocker, Oct 09, 2017, Bronze Contributor
For the first criterion, you would configure Azure AD's Device Settings to select only the IT users for the setting "Users may join devices to Azure AD".
For your second criteria, I recommend you configure conditional access based on Intune enrollment since as previously discussed, you do not meet requirements to perform domain join checking since these are not hybrid domain joined machines against on-prem AD. Per your request for documentation, I would advise that you review the following two articles:
and then in the next article, refer to the section "require device to be marked as compliant"
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-controls
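As an added example (not from any poster in this thread), this is how the second part of Joe's suggestion can be expressed with the Microsoft Graph PowerShell SDK: a Conditional Access policy that grants access to SharePoint Online only from devices Intune has marked as compliant, so a device that is merely Azure AD joined is not enough. The SharePoint Online application ID, the break-glass group ID and the installed Microsoft.Graph module are assumptions; the policy is created in report-only mode so its effect can be reviewed in the sign-in logs before it is enforced.

```powershell
# Added example: Conditional Access policy requiring an Intune-compliant device for SharePoint Online.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account can manage Conditional Access.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Assumption: first-party application ID of "Office 365 SharePoint Online". Verify it in your tenant with
#   Get-MgServicePrincipal -Filter "displayName eq 'Office 365 SharePoint Online'"
$sharePointAppId = "00000003-0000-0ff1-ce00-000000000000"

# Placeholder: object ID of the emergency-access (break-glass) group that must never be locked out.
$breakGlassGroupId = "<BREAK-GLASS-GROUP-OBJECT-ID>"

$policy = @{
    displayName   = "Require compliant device for SharePoint Online"
    # Report-only first: evaluate the policy in sign-in logs before changing this to "enabled".
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @($sharePointAppId) }
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
    }
    grantControls = @{
        operator        = "OR"
        # "compliantDevice" = the device is Intune-enrolled and currently evaluated as compliant.
        builtInControls = @("compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Pair this with the device setting Joe mentions ("Users may join devices to Azure AD" limited to IT) and a matching Intune enrollment restriction, since the compliance grant only helps if non-IT users cannot enroll their own devices.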