Hi all, I'm really looking for some answers; I have been bashing my head against this for the last few days.
We have a requirement to block Teams from external / non-domain-joined devices, except if the user is a member of a group with MFA. However, the policy must not prompt for MFA from a 'domain joined' device when a user opens Teams off the network (non-trusted location). Note these devices are on-premises AD joined and Azure AD Registered.
I have created the following policy to allow domain-joined devices:
a. Users and groups: All users
b. Cloud apps: Teams
c. Conditions: (i) Locations: Any location (exclude all trusted); (ii) Device state: Exclude Hybrid Azure AD joined
d. Grant: Block access
I can't access Teams from a domain-joined device with the above policy in place. Looking at the sign-in logs, access is blocked ("You cannot access this right now. Your sign-in was successful, but doesn't meet the criteria").
Now I would have thought setting the 'Device state' to 'Exclude Hybrid Azure AD joined' would allow me to access Teams from a domain-joined device from anywhere.
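A simplified model of how the policy described in this post evaluates against the device states named in it, added here as an illustration (this is not code from the post or from Microsoft's Conditional Access engine). It assumes the device-state labels that Azure AD sign-in logs display, treats "Hybrid Azure AD joined" and "Azure AD registered" as the distinct states they are in Azure AD, and reduces grant resolution to "block wins, otherwise MFA, otherwise allow".

```python
from dataclasses import dataclass, field

@dataclass
class SignIn:
    user: str
    groups: set            # group memberships of the signing-in user
    app: str               # cloud app being accessed
    location: str          # named-location classification ("Trusted" or "Any")
    device_state: str      # device state as shown in the sign-in log

@dataclass
class Policy:
    name: str
    apps: set
    exclude_groups: set = field(default_factory=set)
    exclude_locations: set = field(default_factory=set)
    exclude_device_states: set = field(default_factory=set)
    grant: str = "block"   # "block" or "require_mfa"

    def applies(self, s: SignIn) -> bool:
        # A policy is in scope only when no exclusion matches the sign-in.
        if s.app not in self.apps:
            return False
        if s.groups & self.exclude_groups:
            return False
        if s.location in self.exclude_locations:
            return False
        if s.device_state in self.exclude_device_states:
            return False
        return True

def evaluate(policies, s: SignIn) -> str:
    """Simplified grant resolution: block wins, then MFA, else allow."""
    grants = {p.grant for p in policies if p.applies(s)}
    if "block" in grants:
        return "block"
    if "require_mfa" in grants:
        return "require_mfa"
    return "allow"

# The policy from the post: Teams, any location except trusted, exclude Hybrid joined, block.
TEAMS_BLOCK = Policy("Block Teams off-network", apps={"Teams"},
                     exclude_locations={"Trusted"},
                     exclude_device_states={"Hybrid Azure AD joined"})

def scenario_results() -> dict:
    # Constructed sign-ins covering the device states mentioned in the post.
    cases = {
        "hybrid joined, off network": SignIn("alice", set(), "Teams", "Any", "Hybrid Azure AD joined"),
        "AAD registered, off network": SignIn("alice", set(), "Teams", "Any", "Azure AD registered"),
        "AAD registered, trusted location": SignIn("alice", set(), "Teams", "Trusted", "Azure AD registered"),
        "unmanaged, off network": SignIn("bob", set(), "Teams", "Any", "Unmanaged"),
    }
    return {name: evaluate([TEAMS_BLOCK], s) for name, s in cases.items()}
```

Running `scenario_results()` shows that only sign-ins whose device state is literally "Hybrid Azure AD joined" fall outside the block; a device reported as "Azure AD registered" off the network is in scope and blocked.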