KamranAhmed-4820 asked:

Conditional Access Policy and Azure AD Registered Devices

Hi all, I'm really looking for some answers; I have been bashing my head against this for the last few days.

We have a requirement to block Teams from external / non-domain-joined devices, except for members of a group with MFA. However, the policy must not prompt for MFA from a 'domain joined' device when a user opens Teams off the network (non-trusted location). Note that these devices are on-premises AD joined and Azure AD Registered.

I have created the following policy to allow domain joined devices:

  1. Assignments

    a. Users and groups: All users

    b. Cloud apps: Teams

    c. Conditions

      i. Locations: Any location (exclude all trusted)

      ii. Device state: Exclude Hybrid Azure AD joined

  2. Access controls

    a. Grant: Block access

I can't access Teams from a domain joined device with the above policy in place. Looking at the sign-in logs, access is blocked ("You cannot access this right now. Your sign-in was successful, but doesn't meet the criteria").

Now I would have thought setting the 'Device state' condition to 'Exclude Hybrid Azure AD joined' would allow me to access Teams from a domain joined device from anywhere.


1 Answer

amanpreetsingh-msft answered:

@KamranAhmed-4820 On-premises AD joined devices that are Azure AD Registered are not Hybrid Azure AD Joined. Those devices are considered Azure AD Registered only, so the condition "Exclude Hybrid Azure AD Joined" is not applicable to them.

If you navigate to Azure Portal > Azure AD > Devices and search for the device, what join type do you see? Is it Hybrid Azure AD Joined or Azure AD Registered? If the join type for devices is Azure AD Registered, you would need to configure Hybrid Azure AD join as per the documents below:

Please "Accept as answer" wherever the information provided helps you to help others in the community.


KamranAhmed-4820 commented: Thanks for the clarity @amanpreetsingh-msft, your input is appreciated. I did further testing and found the same. It means we can start planning the Hybrid configuration.

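The check the answer asks for, as an added PowerShell example that is not part of the original thread: it reads the local join state from dsregcmd /status and cross-checks the device object's trustType in Azure AD through the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.Identity.DirectoryManagement module is installed and that the account connecting has Device.Read.All; the device name is a placeholder.

```powershell
# Classify the local device's join type from dsregcmd /status.
# Hybrid Azure AD joined : AzureAdJoined YES and DomainJoined YES
# Azure AD registered    : WorkplaceJoined YES (DomainJoined YES on its own does not
#                          make the device hybrid joined, which is the case in the question)
function Get-LocalJoinType {
    $status = dsregcmd /status
    $fields = @{}
    foreach ($line in $status) {
        # Lines look like "             AzureAdJoined : YES"
        if ($line -match '^\s*(\w+)\s*:\s*(YES|NO)\s*$') {
            $fields[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    if ($fields['AzureAdJoined'] -and $fields['DomainJoined']) { return 'Hybrid Azure AD joined' }
    if ($fields['AzureAdJoined'])                              { return 'Azure AD joined' }
    if ($fields['WorkplaceJoined'])                            { return 'Azure AD registered' }
    return 'Not registered with Azure AD'
}

# Cross-check the directory object. Graph trustType values:
# ServerAd = Hybrid Azure AD joined, AzureAd = Azure AD joined, Workplace = Azure AD registered.
function Get-DirectoryJoinType {
    param([Parameter(Mandatory)][string]$DeviceName)
    Connect-MgGraph -Scopes 'Device.Read.All' | Out-Null
    $devices = Get-MgDevice -Filter "displayName eq '$DeviceName'" -All
    foreach ($d in $devices) {
        $label = switch ($d.TrustType) {
            'ServerAd'  { 'Hybrid Azure AD joined' }
            'AzureAd'   { 'Azure AD joined' }
            'Workplace' { 'Azure AD registered' }
            default     { "Unknown ($($d.TrustType))" }
        }
        [pscustomobject]@{ DisplayName = $d.DisplayName; DeviceId = $d.DeviceId; JoinType = $label }
    }
}

Get-LocalJoinType
Get-DirectoryJoinType -DeviceName 'PLACEHOLDER-DEVICE'   # placeholder name, replace before use
```

Only a device that reports Hybrid Azure AD joined on both checks is matched by the 'Exclude Hybrid Azure AD joined' device-state condition; a device showing WorkplaceJoined YES with a directory trustType of Workplace is still in scope of the block policy.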