Conditional access user action: Register or Join device require MFA, will this apply for Hybrid Entra ID Joined?

Sergio Londono 886 Reputation points
2024-08-07T23:15:03.01+00:00

Hello team,

I am setting up a conditional access policy with the user action "Register or join devices". The documentation informs that this applies to Entra ID registered and Entra ID joined; however, just to be 100% sure, will this user action also apply when the user tries to join the device in a hybrid environment?

[Screenshot: New Conditional Access policy, Name "MFA to register new device"; Users: All users; Target resources: User actions, "Register or join devices"; Grant: Require authentication strength, Multifactor authentication; Enable policy: Report-only.]

Will this Conditional access policy affect Microsoft Entra hybrid joined?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  1. Raja Pothuraju 23,465 Reputation points Microsoft External Staff Moderator
    2024-08-08T01:58:19.2966667+00:00

    Hello @Sergio Londono,

    Thank you for posting your query on Microsoft Q&A.

    Regarding your setup of a conditional access policy with the user action "Register or join devices" and requiring MFA, you inquired whether this applies to Entra hybrid join devices.

    This policy will only apply to Microsoft Entra registered devices and Microsoft Entra joined devices. It will not apply to Microsoft Entra Hybrid Join devices.


    This policy is enforced based on the device join type. If the user action targets devices with the join type "Microsoft Entra Register" or "Microsoft Entra Join," then the policy will apply. However, for Microsoft Entra Hybrid devices, users do not perform any action such as logging in from Settings >> Accounts >> Access Work or School page. Instead, these devices are synced from on-premises to Entra via Entra Connect sync based on SCP configuration, making them Microsoft Entra Hybrid Join devices. Consequently, the conditional access policy will only apply to Microsoft Entra registered devices and Microsoft Entra joined devices.

    Reference documents:

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If this answers your query, do click "Accept Answer" and "Yes" for "Was this answer helpful". And if you have any further query, do let us know.

    Thanks,
    Raja Pothuraju.

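As an added illustration (not part of the accepted answer or Microsoft's own code), the following script builds the Microsoft Graph request body for the policy in the question and audits a constructed device list by Graph `trustType` to show which devices a "Register or join devices" user action can ever cover. It assumes the Graph `conditionalAccessPolicy` schema, the `urn:user:registerdevice` user action, the built-in "Multifactor authentication" authentication strength id, and the `trustType` values `Workplace` (registered), `AzureAd` (joined) and `ServerAd` (hybrid joined).

```python
import json

# Graph identifiers assumed known; none of these values come from the page.
USER_ACTION_REGISTER_DEVICE = "urn:user:registerdevice"
MFA_AUTH_STRENGTH_ID = "00000000-0000-0000-0000-000000000002"  # built-in "Multifactor authentication"


def build_register_device_policy(name, state="enabledForReportingButNotEnforced"):
    """Graph body for the policy in the question: all users, user action
    'Register or join devices', grant requires the built-in MFA strength.
    Defaults to report-only so the effect can be reviewed before enforcing."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeUserActions": [USER_ACTION_REGISTER_DEVICE]},
        },
        "grantControls": {
            "operator": "OR",
            "authenticationStrength": {"id": MFA_AUTH_STRENGTH_ID},
        },
    }


def covered_by_user_action(device):
    """True only for join paths that go through the user action: Entra
    registered (Workplace) or Entra joined (AzureAd). Hybrid joined devices
    (ServerAd) are synced by Entra Connect, so the policy never evaluates."""
    return device.get("trustType") in ("Workplace", "AzureAd")


def audit_devices(devices):
    """Bucket devices into covered / hybrid_joined / unknown for the policy."""
    report = {"covered": [], "hybrid_joined": [], "unknown": []}
    for d in devices:
        if covered_by_user_action(d):
            report["covered"].append(d["displayName"])
        elif d.get("trustType") == "ServerAd":
            report["hybrid_joined"].append(d["displayName"])
        else:
            report["unknown"].append(d["displayName"])  # e.g. missing trustType
    return report


# Constructed sample shaped like GET /devices?$select=displayName,trustType
SAMPLE_DEVICES = [
    {"displayName": "LAPTOP-01", "trustType": "AzureAd"},
    {"displayName": "PHONE-02", "trustType": "Workplace"},
    {"displayName": "DESKTOP-03", "trustType": "ServerAd"},
    {"displayName": "SRV-04", "trustType": "ServerAd"},
    {"displayName": "STALE-05"},
]

if __name__ == "__main__":
    print(json.dumps(build_register_device_policy("MFA to register new device"), indent=2))
    print(audit_devices(SAMPLE_DEVICES))
```

Hybrid joined devices in the `hybrid_joined` bucket need a separate control (for example a sign-in policy on the devices' users), since this user-action policy will not touch them.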

1 additional answer

  1. Andy David - MVP 157.4K Reputation points MVP Volunteer Moderator
    2024-08-07T23:35:29.78+00:00
