![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 76%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EY%3C/text%3E%3C/svg%3E)
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,631 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 78%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESG%3C/text%3E%3C/svg%3E)
Hi,
You should test something like this in conditional access:
Create one rule to block access to all cloud applications:
- All users except break glass accounts, except AAD group for desktop access, except AAD group for mobile access
- All Cloud Apps
- Any Device
- Block Access
Desktop access
- Selected AAD group with users, except break glass accounts
- All Cloud Apps
- Device platform: Windows
- Grant access, Require MFA or Require device to be marked as compliant
Mobile access
- Selected AAD group with users, except break glass accounts
- All Cloud Apps
- Device platform: Android, iOS
- Grant access, Require MFA or Require device to be marked as compliant
Please test this on a limited subset of users.
Best of luck,
Simon