Thank you for posting this in Microsoft Q&A.
The problem with your conditional access policy seems to be that the device filter is not properly excluding devices without the specified tag. The device.physicalIds attribute is not the right one to use for this. Instead, try using the device.devicePhysicalIds attribute to filter devices according to your tags.
Here's an example of how you can do this.
Target user group = EMS_Licensed_Users
Target resource = Selected app -> Microsoft Intune Enrollment
Conditions: Device platform = Windows; Filter for devices = Included filtered devices; Rule = device.devicePhysicalIds -any (_ -contains "COMP-HYBRID")
Grant = Allow Access
This policy will allow access to the Microsoft Intune Enrollment app only if the device has been registered and has the tag "COMP-HYBRID". The device.devicePhysicalIds attribute is used to filter devices based on their tags, and the -any operator is used to check if any of the tags on the device contains the specified value.
Hope this helps. Do let us know if you have any further queries.
Thanks,
Navya.
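As an added illustration that is not part of Navya's answer: a small Python evaluator for the rule shape shown above (`device.<attribute> -any (_ -contains "VALUE")`), run against constructed sample devices to show which ones an included-devices filter puts in scope. The attribute name is taken from the rule text as written and is not validated against Entra's real schema; the device data and the "[Key]:value" shape of the IDs are assumptions for the demo.

```python
import re

# Constructed sample devices (not from the original post). Each value list
# mimics the "[Key]:value" strings kept for a device; an Autopilot group tag
# is assumed to appear under the OrderId key.
DEVICES = {
    "LAPTOP-01": {"devicePhysicalIds": ["[HWID]:h=abc123", "[OrderId]:COMP-HYBRID"]},
    "LAPTOP-02": {"devicePhysicalIds": ["[HWID]:h=def456", "[OrderId]:COMP-BYOD"]},
    "LAPTOP-03": {"devicePhysicalIds": []},  # no tag recorded at all
}

# Accepts only the rule shape used in the answer:
#   device.<attribute> -any (_ -contains "VALUE")
RULE_RE = re.compile(
    r'^device\.(?P<attr>\w+)\s+-any\s+\(\s*_\s+-contains\s+"(?P<value>[^"]*)"\s*\)$'
)


def parse_rule(rule: str) -> tuple[str, str]:
    """Split a rule into (attribute, value); raise on unsupported syntax."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    return m.group("attr"), m.group("value")


def device_matches(device: dict, rule: str) -> bool:
    """True if any element of the named list attribute contains VALUE.

    -contains on a string is a substring test: "COMP-HYBRID" matches
    "[OrderId]:COMP-HYBRID", but a looser value such as "COMP" would also
    match "[OrderId]:COMP-BYOD", so tag values should be specific.
    """
    attr, value = parse_rule(rule)
    items = device.get(attr) or []
    return any(value in item for item in items)


def in_scope(device: dict, rule: str, mode: str) -> bool:
    """'include': policy targets matching devices only;
    'exclude': policy targets every device except the matching ones."""
    matched = device_matches(device, rule)
    return matched if mode == "include" else not matched


def evaluate(rule: str, mode: str = "include") -> dict[str, bool]:
    """Evaluate the rule against every constructed device."""
    return {name: in_scope(dev, rule, mode) for name, dev in DEVICES.items()}


if __name__ == "__main__":
    RULE = 'device.devicePhysicalIds -any (_ -contains "COMP-HYBRID")'
    for name, targeted in evaluate(RULE).items():
        print(f"{name}: {'in scope' if targeted else 'out of scope'}")
```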