Authorizing only properly tagged resources for Autopilot provisioning

Alberto Fumagalli 1 Reputation point

Hello, I need to create a conditional access policy for Windows OS that allows the Microsoft Intune Enrollment app if and only if the provisioning machine has been registered and provided with a specific tag (e.g. COMP-HYBRID). To achieve this goal I created the following CAP:

  • Target user group = EMS_Licensed_Users
  • Target resource = Selected app -> Microsoft Intune Enrollment
  • Conditions
      1. Device platform = Windows
      2. Filter for devices = Included filtered devices; Rule = device.physicalIds -notContains "[OrderId]:COMP-HYBRID"
  • Grant = Block Access

Unfortunately, this rule doesn't work as expected, because after the sign-in the rule is applied both to resources that are not properly tagged and to properly tagged ones.

Any suggestions?
Thanks in advance!!!


1 answer

  1. Navya 5,490 Reputation points Microsoft Vendor

    Hi @Alberto Fumagalli

    Thank you for posting this in Microsoft Q&A.

    The problem with your conditional access policy seems to be that the device filter is not properly excluding devices without the specified tag. The device.physicalIds attribute is not the right one to use for this. Instead, try using the device.devicePhysicalIds attribute to filter devices according to your tags.

    Here's an example of how you can do this.

    Target user group = EMS_Licensed_Users

    Target resource = Selected app -> Microsoft Intune Enrollment

    Conditions

    Device platform = Windows

    Filter for devices = Included filtered devices; Rule = device.devicePhysicalIds -any (_ -contains "COMP-HYBRID")

    Grant = Allow Access

    This policy will allow access to the Microsoft Intune Enrollment app only if the device has been registered and has the tag "COMP-HYBRID". The device.devicePhysicalIds attribute is used to filter devices based on their tags, and the -any operator is used to check if any of the tags on the device contains the specified value.

    Hope this helps. Do let us know if you have any further queries.
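
As an added example (not part of either post, and not Microsoft's code), the sketch below models how a "filter for devices" decides whether a policy applies, using the rule from the question. It follows the documented behaviour that a sign-in with no identified device never matches a positive operator and always matches a negative one; the device records and function names are constructed for illustration, and whether an Autopilot enrollment sign-in presents a device identity is an assumption to confirm in the sign-in logs.

```python
# Simplified model of Conditional Access "filter for devices" evaluation.
# Illustration only; this is not how Entra ID is implemented.

TAG = '[OrderId]:COMP-HYBRID'  # tag value taken from the question

# Constructed sample devices. None stands for a sign-in where Entra ID
# cannot tie the request to a device object (assumed case).
TAGGED = {"physicalIds": ["[ZTDID]:constructed-0001", TAG]}
UNTAGGED = {"physicalIds": ["[ZTDID]:constructed-0002"]}
UNIDENTIFIED = None


def filter_matches(device, operator, value):
    """Return True when the device satisfies the filter rule."""
    negative = operator == "notContains"
    if device is None:
        # No device attributes are available: positive operators never
        # match, negative operators always match.
        return negative
    present = value in device.get("physicalIds", [])
    return (not present) if negative else present


def policy_applies(device, mode, operator, value):
    """mode is 'include' (apply to matches) or 'exclude' (skip matches)."""
    matched = filter_matches(device, operator, value)
    return matched if mode == "include" else not matched


def blocked_by_question_policy(device):
    """The question's policy: include filter, -notContains, Grant = Block."""
    return policy_applies(device, "include", "notContains", TAG)


if __name__ == "__main__":
    for name, dev in [("tagged", TAGGED), ("untagged", UNTAGGED),
                      ("unidentified", UNIDENTIFIED)]:
        print(f"{name:13} include/-notContains blocked:",
              blocked_by_question_policy(dev),
              "| exclude/-contains blocked:",
              policy_applies(dev, "exclude", "contains", TAG))
```

In this model a block policy stops an unidentified sign-in under either filter form, so the device details recorded for the blocked sign-in show whether the tag was ever evaluated.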