
Hi Park,

It sounds like you are trying to implement a conditional access policy in Microsoft Azure Active Directory that restricts access to certain resources based on specific conditions.

To enforce the requirement that users can only sign in with a hybrid joined Windows machine, you can use the "Device state" condition and select "Hybrid Azure AD joined" as the requirement. This will ensure that only devices that meet this criterion will be allowed to access the resource.

As for the requirement that mobile devices must have a serial number listed in your approved list, you can achieve this by using the "Device platform" condition and selecting "iOS" and "Android" as the platforms. Then, under the "Approved client app" option, select "Other clients" and enter the serial numbers of the approved devices. This will ensure that only mobile devices with the approved serial numbers will be allowed to access the resource.

Regarding the issue with the "Mobile apps and desktop clients" checkbox, this setting allows or denies access based on the client app being used to access the resource. If you uncheck this option, it will block access to all mobile apps, including Outlook on iOS and Android.

To achieve your desired outcome, you can create separate conditional access policies for Windows, iOS, and Android devices to enforce the different access requirements.

Overall, it's important to carefully consider your requirements and test your policies thoroughly to ensure that they are effective and do not inadvertently block legitimate access to resources.
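As an added illustration (not part of the reply above), this is what the Windows-only policy it describes looks like when created through the Microsoft Graph PowerShell SDK rather than the portal: the platform condition scopes it to Windows, both client app types stay included so Outlook and other desktop clients are still evaluated rather than bypassing the policy, the grant control "domainJoinedDevice" is the Graph name for "Require Hybrid Azure AD joined device", and the policy starts in report-only state so the effect can be checked in sign-in logs before enforcement. The display name, the pilot group object ID and the target app list are constructed placeholders.

```powershell
# Added example: create the Windows / hybrid-joined policy in report-only mode.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the caller holds
# a Conditional Access Administrator (or equivalent) role.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$pilotGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder pilot group

$policy = @{
    displayName = "CA-Windows-RequireHybridJoined (constructed example)"
    # Report-only: logs what the policy WOULD do without blocking anyone.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId) }
        applications   = @{ includeApps   = @("All") }     # narrow to specific app IDs in production
        # Separate policy per platform, as the reply recommends; this one is Windows only.
        platforms      = @{ includePlatforms = @("windows") }
        # Keep BOTH client app types: dropping "mobileAppsAndDesktopClients"
        # would leave desktop/mobile clients outside the policy's scope.
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        # "domainJoinedDevice" == portal option "Require Hybrid Azure AD joined device".
        builtInControls = @("domainJoinedDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read it back to confirm the stored conditions match what was intended.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State
```

After the report-only results in the sign-in logs look right for the pilot group, change `state` to `"enabled"` with `Update-MgIdentityConditionalAccessPolicy`; the iOS and Android policies follow the same shape with `includePlatforms` set accordingly and whatever grant control the mobile requirement ends up mapping to.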