Conditional Access Policy to Restrict 365 Access

David Oh 5 Reputation points

Hello, I'm looking to implement a new conditional access policy (CAP from hereon out) with the following parameters:

  • Users can sign in only if they have a hybrid joined Windows machine
  • Their mobile device (iOS or Android) must have a serial number listed in our approved list (BYOD only)

A few things:

  • I can't find a place to enter the serial number of the device. I found a tutorial online but I must add the device to Intune first. I'd rather not since these are BYOD
  • For my CAP, I have the following setup:
    • Users: specific users (just as a test)
    • Conditions: Device platforms: Windows, Linux, macOS; Client apps, everything is selected.
      • There's a checkbox that says "Mobile apps and desktop clients". If I check this then it allows me to sign on with any iOS and Android device. If I uncheck this then it disallows my Outlook on my Windows device, which isn't what I want. Is there another way to do this?

2 answers

  1. Zeeshan Nasir Bajwa 661 Reputation points Student Ambassador

    Hi Park, It sounds like you are trying to implement a conditional access policy in Microsoft Azure Active Directory that restricts access to certain resources based on specific conditions.

    To enforce the requirement that users can only sign in with a hybrid joined Windows machine, you can use the "Device state" condition and select "Hybrid Azure AD joined" as the requirement. This will ensure that only devices that meet this criterion will be allowed to access the resource.

    As for the requirement that mobile devices must have a serial number listed in your approved list, you can achieve this by using the "Device platform" condition and selecting "iOS" and "Android" as the platforms. Then, under the "Approved client app" option, select "Other clients" and enter the serial numbers of the approved devices. This will ensure that only mobile devices with the approved serial numbers will be allowed to access the resource.

    Regarding the issue with the "Mobile apps and desktop clients" checkbox, this setting allows or denies access based on the client app being used to access the resource. If you uncheck this option, it will block access to all mobile apps, including Outlook on iOS and Android. To achieve your desired outcome, you can create separate conditional access policies for Windows, iOS, and Android devices to enforce the different access requirements.

    Overall, it's important to carefully consider your requirements and test your policies thoroughly to ensure that they are effective and do not inadvertently block legitimate access to resources.


  2. James Hamil 22,431 Reputation points Microsoft Employee

    Hi @Michael Park, to create a Conditional Access policy with the specified parameters, you can follow these steps:

    1. In the Azure portal, navigate to Azure Active Directory > Security > Conditional Access.
    2. Click New policy.
    3. Give your policy a name and select the specific users you want to apply the policy to.
    4. Under Cloud apps or actions, select All cloud apps.
    5. Under Conditions > Device platforms, set Configure to Yes and include Windows, Linux, and macOS.
    6. Under Conditions > Client apps, set Configure to Yes and select all options except Exchange ActiveSync clients.
    7. Under Access controls > Grant, select Grant access and choose Require Hybrid Azure AD joined device.

    However, for the mobile device serial number requirement, there isn't a built-in option in Conditional Access to directly filter based on serial numbers. You would need to use Intune or another device management solution to manage and enforce policies based on device serial numbers.

    Regarding the issue with the "Mobile apps and desktop clients" checkbox, it's not possible to differentiate between Windows devices and mobile devices using the client apps condition alone. You would need to create separate policies for Windows devices and mobile devices to achieve the desired behavior.

    Please let me know if you have any questions and I can help you further. If this answer helped you please mark it as "Verified" so other users can reference it.

    Thank you,
    James
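Both answers recommend splitting the requirement into separate policies, one for desktop platforms and one for mobile. The following is an added example, not code from the original thread or from Microsoft, that builds those two policies through the Microsoft Graph PowerShell SDK instead of the portal. It assumes the Microsoft.Graph module is installed, that the signed-in account can consent to the Policy.ReadWrite.ConditionalAccess scope, and that the user object IDs below are placeholders to be replaced with the real pilot users. The mobile policy uses the Intune-backed "compliant device" grant, which is the management-based route the second answer points to; Conditional Access itself has no serial-number condition. Both policies are created in report-only state so sign-in logs can be reviewed before anything is enforced.

```powershell
# Added example: two Conditional Access policies via Microsoft Graph PowerShell.
# Not part of the original thread. Assumes Microsoft.Graph is installed and the
# account can consent to Policy.ReadWrite.ConditionalAccess.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder object IDs for the pilot users (constructed values; replace them).
$pilotUserIds = @("00000000-0000-0000-0000-000000000001")

# Policy 1: desktop platforms (Windows, macOS, Linux) must be Hybrid Azure AD joined.
# The platform condition keeps iOS/Android out of scope, so "Mobile apps and
# desktop clients" can stay selected and Outlook on Windows keeps working.
$desktopPolicy = @{
    displayName = "CAP - Desktop requires Hybrid Azure AD joined device"
    state       = "enabledForReportingButNotEnforced"   # report-only first
    conditions  = @{
        users          = @{ includeUsers = $pilotUserIds }
        applications   = @{ includeApplications = @("All") }
        platforms      = @{ includePlatforms = @("windows", "macOS", "linux") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("domainJoinedDevice")   # = "Require Hybrid Azure AD joined device"
    }
}

# Policy 2: mobile platforms must present a compliant (Intune-managed) device.
# This is the device-management route from the answer above; the approved
# device list then lives in Intune rather than in the policy itself.
$mobilePolicy = @{
    displayName = "CAP - Mobile requires compliant device"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = $pilotUserIds }
        applications   = @{ includeApplications = @("All") }
        platforms      = @{ includePlatforms = @("iOS", "android") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}

# Create both policies and show what was created.
$created = foreach ($policy in @($desktopPolicy, $mobilePolicy)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
}
$created | Select-Object DisplayName, State, Id

# Sanity check: list every policy that includes iOS or Android but grants
# access without any device-based control, which is the gap the question
# describes (mobile sign-ins slipping through a desktop-scoped policy).
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object {
        $platforms = $_.Conditions.Platforms.IncludePlatforms
        $controls  = $_.GrantControls.BuiltInControls
        ($platforms -contains "iOS" -or $platforms -contains "android" -or $platforms -contains "all") -and
        -not ($controls -contains "compliantDevice" -or $controls -contains "domainJoinedDevice")
    } |
    Select-Object DisplayName, State
```

Once the report-only sign-in logs show the expected outcome for the pilot users (desktop sign-ins from non-hybrid-joined machines reported as would-be failures, mobile sign-ins from unenrolled devices likewise), switch `state` to `enabled` for one policy at a time.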