Conditional Access Policy and Azure AD Registered Devices

Kamran Ahmed 271 Reputation points
2020-04-17T08:45:57.773+00:00

Hi All, really looking for some answers. I have been bashing my head against this for the last few days.

We have a requirement to block Teams from external / non-domain-joined devices, except for members of a group with MFA; however, the policy must not prompt for MFA from a 'domain-joined' device when a user opens Teams off the network (non-trusted location). Note these devices are on-premises AD joined and Azure AD Registered.

I have created the following policy to allow domain-joined devices:

  1. Assignments
     a. Users and groups: All users
     b. Cloud apps: Teams
     c. Conditions
        i. Locations: Any location (exclude all trusted)
        ii. Device state: Exclude Hybrid Azure AD joined
  2. Access controls
     a. Grant: Block access

I can't access Teams from a domain-joined device with the above policy in place. Looking at the sign-in logs, access is blocked ("You cannot access this right now. Your sign-in was successful, but doesn't meet the criteria").

Now I would have thought setting 'Device state' to 'Exclude Hybrid Azure AD joined' would allow me to access Teams from a domain-joined device from anywhere.


Accepted answer
  1. AmanpreetSingh-MSFT 56,306 Reputation points
    2020-04-17T12:48:06.65+00:00

    @Kamran Ahmed On-premises AD-joined devices which are Azure AD Registered are not Hybrid Azure AD Joined. Those devices are considered Azure AD Registered only. So the condition "Exclude Hybrid Azure AD Joined" is not applicable for those devices.

    If you navigate to Azure Portal > Azure AD > Devices and search for the device, what join type do you see? Is it Hybrid Azure AD Joined or Azure AD Registered? If the join type for devices is Azure AD Registered, you would need to configure Hybrid Azure AD join as per the documents below:

    -----------------------------------------------------------------------------------------------------------

    Please "Accept as answer" wherever the information provided helps you to help others in the community.
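The following is an added example, not code from the thread or from Microsoft. It shows the two checks a practitioner would run to confirm the answer above: first, what join type Entra ID actually records for each device (the `TrustType` attribute, where `ServerAd` is Hybrid Azure AD joined and `Workplace` is Azure AD registered), and second, the shape of the intended Teams policy written with the "filter for devices" condition, which is the current replacement for the legacy Device state condition the asker used. It assumes the Microsoft.Graph PowerShell SDK is installed and that the account has the listed permissions; the policy display name and the report-only state are choices made for this example.

```powershell
# Added example (not from the original Q&A). Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Device.Read.All", "Application.Read.All", "Policy.ReadWrite.ConditionalAccess"

# 1. How does Entra ID classify the devices? TrustType values:
#    AzureAd   = Azure AD joined
#    ServerAd  = Hybrid Azure AD joined   (the only value an "Exclude Hybrid joined" condition matches)
#    Workplace = Azure AD registered      (what an on-premises-joined but merely registered device shows)
$devices = Get-MgDevice -All -Property "id,displayName,trustType,operatingSystem"

"Devices by trust type:"
$devices | Group-Object -Property TrustType | Select-Object Name, Count | Format-Table -AutoSize

"Devices that a hybrid-join exclusion will NOT cover (registered only):"
$devices |
    Where-Object { $_.TrustType -eq 'Workplace' } |
    Select-Object DisplayName, OperatingSystem |
    Format-Table -AutoSize

# 2. The intended policy, expressed with a device filter instead of the legacy Device state condition.
#    Devices whose trustType is ServerAD (hybrid joined) are excluded from the policy; every other
#    device signing in to Teams from a non-trusted location is blocked. Created in report-only mode
#    so the sign-in logs show who would be blocked before anything is enforced.
$teams = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Teams'" |
    Select-Object -First 1

$policy = @{
    displayName = "Block Teams from non-hybrid-joined devices outside trusted locations"  # example name
    state       = "enabledForReportingButNotEnforced"   # switch to "enabled" once the report looks right
    conditions  = @{
        users        = @{ includeUsers = @("All") }
        applications = @{ includeApplications = @($teams.AppId) }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")
        }
        devices      = @{
            deviceFilter = @{
                mode = "exclude"
                rule = 'device.trustType -eq "ServerAD"'
            }
        }
    }
    grantControls = @{
        operator         = "OR"
        builtInControls  = @("block")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

On a device itself, `dsregcmd /status` gives the same answer without the portal: `AzureAdJoined : YES` together with `DomainJoined : YES` is hybrid joined, while `AzureAdJoined : NO` with `WorkplaceJoined : YES` is the registered-only state the answer describes, and such a device will keep hitting the block whatever the policy excludes. The asker's second requirement (letting a specific group through with MFA) is not covered here; that is a separate policy or an exclusion of that group from this one, as the thread leaves it.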

