Block specific devices from Azure cloud apps

jarweb 131 Reputation points
2023-08-06T12:04:56.2033333+00:00

Hi

As the title says, we want to block our users on specific PCs/laptops from logging in to our work cloud apps - Office, Outlook etc. These will be computers which are company devices but NOT joined to Azure. We have asked staff who use any of these to contact us, but there are still some in use and we don't know who is using them. We do have the Windows computer names of these as they are in our asset register. These computers log on to Windows with a generic local account and then staff can connect to our system with their "real" account. We need to remove the generic logons but can't see a way in Azure to determine who is logging on to these devices if they are not Azure joined.

I can see blogs and videos which say this can be done by blocking non-Azure-Hybrid-joined and non-compliant devices. Our work devices are Azure joined but not hybrid - i.e. not joined to local AD. Some of our Azure joined devices show as non-compliant for different reasons, so we don't really want to block these as well. We know we need to check the compliance issues as a separate task.

We'd like to block by computer name, since we know these, but can't see a way to do this if the devices aren't in Azure. If we could do this, then staff would be forced to contact us if they are using these devices, as they would be blocked from signing in.

If we can just block all non-Azure joined devices that would be fine as this would cover personal devices as well, which we also don't want staff to use.

Hope that makes sense. In summary, we simply want to block staff from logging on to our cloud apps from any device that is not joined to our Azure AD.

Thanks


Accepted answer
JimmySalian-2011 42,486 Reputation points
2023-08-06T19:19:57.6133333+00:00

Hi Jarweb,

I think this is possible. As the requirement is complex, you will need to test this on one of the devices and apply the Conditional Access policy in Report On mode initially and see the status; if all is okay, you can change the policy to Enable.

As per Microsoft: "Azure AD uses device authentication to evaluate device filter rules. For a device that is unregistered with Azure AD, all device properties are considered as null values and the device attributes cannot be determined since the device does not exist in the directory. The best way to target policies for unregistered devices is by using the negative operator since the configured filter rule would apply. If you were to use a positive operator, the filter rule would only apply when a device exists in the directory and the configured rule matches the attribute on the device."

Check the "Policy behavior with filter for devices" table; where the status of the device is unregistered, you will have to use negative expressions to filter out the devices.

Good luck and hope it works for you.

Hope this helps.

JS

==

Please accept as answer and do a Thumbs-up to upvote this response if you are satisfied with the community help. Your upvote will be beneficial for the community users facing similar issues.
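The negative-operator device filter the accepted answer points to, written out as a complete report-only Conditional Access policy. This is an added example for this thread, not code from the question, the answer, or Microsoft's documentation; it assumes the Microsoft.Graph PowerShell SDK is installed, that the connecting account can write Conditional Access policies, and that the emergency-access (break-glass) account object ID shown is replaced with your own (the value below is a placeholder).

```powershell
# Added example (not from the question or the accepted answer).
# Creates a report-only Conditional Access policy whose device filter uses a
# negative operator, so that unregistered (non-Entra-joined) devices, whose
# device properties evaluate to null, fall INSIDE the filter and are blocked
# once the policy is switched from report-only to enabled.
# Assumption: Microsoft.Graph PowerShell SDK installed; caller holds a role
# that can write Conditional Access policies.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

# Placeholder: object ID of your emergency-access account. Always exclude it
# from a block policy so a filter mistake cannot lock every admin out.
$breakGlassObjectId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName   = "Block sign-in from devices not joined to Entra ID (report-only)"
    # Start in report-only; review the Report-only tab in sign-in logs, then
    # change this to "enabled" once the matches look right.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassObjectId)
        }
        applications = @{
            includeApplications = @("All")
        }
        devices      = @{
            deviceFilter = @{
                mode = "include"
                # Negative operator: true for registered devices whose trustType is
                # not "AzureAD" (e.g. "Workplace" = registered only, "ServerAD" =
                # hybrid joined) AND for unregistered devices, whose trustType is
                # null. A positive rule such as  device.trustType -eq "Workplace"
                # would never match an unregistered device, because there is no
                # directory object for the rule to compare against.
                rule = 'device.trustType -ne "AzureAD"'
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Because the rule keys on trustType rather than compliance state, Entra-joined devices that currently show as non-compliant are not in the filter and keep working, which matches the asker's requirement; the company laptops that were never joined, and personal devices, present null device properties and are caught by the `-ne` rule. While the policy is in report-only mode, the sign-in logs show which accounts are signing in from those unjoined machines, which also answers the original "we don't know who is using them" problem before anything is actually blocked.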


0 additional answers
