Conditional Access Policy to block windows 7, 8 etc

43101368 0 Reputation points
2023-12-27T20:56:11.44+00:00

Hello,

I am trying to block outdated OSes (Windows XP, Windows 7, Windows 8.1, etc.) from logging in to Microsoft-related platforms (office.com, Teams, etc.). I tried creating a Conditional Access policy applying device filters such as "operatingSystem equals windows" and "operatingSystemVersion starts with 10". Unfortunately this policy only applies to devices registered to Azure, since unregistered devices have no such attributes on the Azure platform, making them a "black box". I would like to create a policy that will also apply to any device trying to sign in to Microsoft platforms (including personal devices, etc.).

As I can see from the sign-in logs, the only information known to Azure for unregistered devices is location (IP, geolocation, etc.) and device platform (Windows, Android, etc.), but you cannot create a Windows/version rule using this information.

Any suggestions?

Thanks!


2 answers

Sort by: Most helpful
  1. Palaiologou Vlasis 5 Reputation points
    2023-12-28T16:25:34.45+00:00

    Hello,

    Unfortunately it does not work. Azure knows nothing regarding operatingSystem or operatingSystemVersion for an unregistered device. Thus the condition never matches and the device is always getting blocked (even Windows 10 devices). The only information Azure gets for an unregistered device is Device platform in general (it doesn't work for what I am trying to do because all Windows devices are getting blocked) or Location (it doesn't work as well because it's irrelevant to Windows versions). Any other suggestions?


  2. Fabio Andrade 1,665 Reputation points Microsoft Employee Moderator
    2023-12-28T00:35:09.2666667+00:00

    Hi @43101368

    You can actually achieve that by creating the Policy with a negative operator as our documentation states:

    Try to use the same rule present in the documentation by using NotStartsWith instead, and let us know if that works for you.

    https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-condition-filters-for-devices#common-scenarios

    Thanks,

    Fabio
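To show why the positive-operator filter from the question never matches an unregistered device, and why the NotStartsWith variant suggested in this answer ends up matching unregistered Windows devices as well (the outcome reported in the other answer), here is an added Python model of filter-for-devices evaluation. It is not code from this thread or from Microsoft, and it assumes that attributes Entra does not know for a device are null, that positive operators evaluate to false on null, and that negative operators evaluate to true on null; the device records and build numbers are constructed samples.

```python
from typing import Optional

# Positive operators as they appear in filter-for-devices rules (subset).
POSITIVE = {
    "eq": lambda attr, val: attr == val,
    "startsWith": lambda attr, val: attr.startswith(val),
    "contains": lambda attr, val: val in attr,
}
# Each negative operator is modelled as the negation of a positive one.
NEGATIVE = {"ne": "eq", "notStartsWith": "startsWith", "notContains": "contains"}


def evaluate_clause(attr: Optional[str], op: str, value: str) -> bool:
    """Evaluate one 'device.<attribute> -<op> "<value>"' clause.

    Assumption (modelled here, not taken from the thread): an attribute Entra
    does not know for the device is None; positive operators evaluate to False
    on None and negative operators evaluate to True on None.
    """
    if op in POSITIVE:
        return attr is not None and POSITIVE[op](attr, value)
    if op in NEGATIVE:
        return attr is None or not POSITIVE[NEGATIVE[op]](attr, value)
    raise ValueError(f"unsupported operator: {op}")


def rule_matches(device: dict, clauses: list) -> bool:
    """Clauses are (attribute, operator, value) tuples joined with -and."""
    return all(evaluate_clause(device.get(a), op, v) for a, op, v in clauses)


# Constructed sample devices; all sign in from the Windows platform.
REGISTERED_WIN10 = {"operatingSystem": "Windows", "operatingSystemVersion": "10.0.19045"}
REGISTERED_WIN7 = {"operatingSystem": "Windows", "operatingSystemVersion": "6.1.7601"}
UNREGISTERED = {}  # Entra sees no device attributes at all: the "black box"

# The question's rule: positive operators only.
POSITIVE_RULE = [("operatingSystem", "eq", "Windows"),
                 ("operatingSystemVersion", "startsWith", "10")]
# The suggested variant: a negative operator on the version, with Windows
# selected through the policy's device-platform condition instead.
NEGATIVE_RULE = [("operatingSystemVersion", "notStartsWith", "10")]
```

Run against the samples, the positive rule matches only the registered Windows 10 device and never the unregistered one, while the negative rule matches Windows 7 and every unregistered device, so a block policy built on it blocks unregistered Windows 10 machines too.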