AzureAD Conditional access rules ignore exclude extension attribute filter
When filtering for devices, the extensionAttribute rule is ignored; both policies seem to always apply regardless of the extensionAttribute that's set.
You can reproduce this behavior in the What If tool.
Policy #1
"deviceFilter": {
    "mode": "exclude",
    "rule": "device.extensionAttribute3 -ne \"MFA Allowed\""
},
Policy #2
"deviceFilter": {
    "mode": "exclude",
    "rule": "device.extensionAttribute3 -eq \"MFA Allowed\""
},
Reproduce:
1. Create the two policies.
2. Go to the What If tool.
3. Set device extension attribute3 to MFA Allowed.
   Only Policy 1 should apply.
4. Clear device extension attribute 3.
   Only Policy 2 should apply.
Actual behavior:
Both policies always apply.