Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,630 questions
AzureAD Conditional access rules ignore exclude extension attribute filter
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 74%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJP%3C/text%3E%3C/svg%3E)
Jeremy Pot
21
Reputation points
When filtering for devices the ExtensionAttribute rule is ignored, both policies seem to always apply regardless of the extensionAttribute that's set.
You can reproduce this behavior in the whatif tool.
Policy #1
"deviceFilter": {
"mode": "exclude",
"rule": "device.extensionAttribute3 -ne "MFA Allowed""
},
Policy #2
"deviceFilter": {
"mode": "exclude",
"rule": "device.extensionAttribute3 -eq "MFA Allowed""
},
Reproduce:
Create the two policies
Go to whatif tool
Set device extension attribute3 to MFA Allowed
Only Policy 1 should apply.
Clear device extension attribute 3
Only policy 2 should apply.
Actual behavior:
Both policies always apply.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 78%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESG%3C/text%3E%3C/svg%3E)
Sandeep G-MSFT 16,696 Reputation points Microsoft Employee2022-10-11T14:51:26.26+00:00 I have tried this in my lab and it is working as expected. I created 2 different policies as you had mentioned above.
When I use whatif tool and set extension attribute 3 as "MFA Allowed", policy one is getting applied. and when I use whatif tool without keeping the extension attribute 3 value, second policy is getting applied. Looks like there is something common that you might have configured in both policies at your side.
Sign in to comment