AzureAD Conditional access rules ignore exclude extension attribute filter

Jeremy Pot 16 Reputation points

When filtering for devices the ExtensionAttribute rule is ignored, both policies seem to always apply regardless of the extensionAttribute that's set.

You can reproduce this behavior in the whatif tool.

Policy #1
"deviceFilter": {
"mode": "exclude",
"rule": "device.extensionAttribute3 -ne "MFA Allowed""

Policy #2
"deviceFilter": {
"mode": "exclude",
"rule": "device.extensionAttribute3 -eq "MFA Allowed""

Create the two policies
Go to whatif tool
Set device extension attribute3 to MFA Allowed
Only Policy 1 should apply.

Clear device extension attribute 3
Only policy 2 should apply.

Actual behavior:
Both policies always apply.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,852 questions
{count} votes