Conditional Access Policy - Block Unmanaged Windows devices from accessing Azure resources

DoTheHustle 0 Reputation points
2024-11-12T23:36:42.81+00:00

Goal: Block any non-company issued Windows devices from accessing company resources in our Entra environment. Ideally anyone on an unmanaged computer should not even be able to open Outlook on the web. We want to Block any Registered devices and any personal PCs, while allowing any AD Joined or Hybrid Joined devices from our tenant to access company resources freely.

Test Setup: I have my company issued, AD joined/Intune managed Windows PC and an unmanaged test Windows PC for troubleshooting. I have a test policy in Report Only Mode, and we have log analytics turned on in Azure Conditional Access to report login instances and resulting policy behavior of login attempts.

Problem: Currently I have devised a policy set to be broken down by Platform/OS. Working on the Windows platform I am consistently getting "reportOnlyNotApplied" when testing logins on both my Company PC (AD Joined) and the Unmanaged PC with the current logic.

I have perused the forums and tried changing the scope of target Users to All, None and a specific test group.

I had the Target Resources prior on All Cloud Apps + Client Apps with all selected, and then also tried the new Target resource group - "All internet resources with Global Secure Access", which includes all of the prior in one unified group.

I tried switching Exclude to Include as some other post suggested, even though that didn't make much sense to me.

Lasting thoughts:

Am I supposed to create 2 separate policies? One to Allow AD Joined/Hybrid Joined, and one to Block Registered? I started to try this, but if the block policy isn't working it's not going to help when I make the specific allows.

What if it doesn't fall under Registered because it is just a completely personal PC not joined to a Work or School account, so it doesn't get that designation (Registered) and skips on through unblocked? I see my test computer isn't picked up by my tenant, probably because I didn't join with Work or School on setup; I chose Personal PC. This is exactly what I want to protect against: unwanted foreign attacks, and unsanctioned devices from users who refuse to listen to policy and still bring their own device.

Please provide any advice on how to carry out my expected goal, as well as any suggestions you may have from managing other organizations' Conditional Access Policies that you would recommend we implement. I started looking at the Secure Token Configurations, and there might be something with Conditional session app, but I can't seem to pull it all together quite yet.

I also

Current Conditional Access Policy (Report Only):

Assignments
  Users: Specific users included – "Test Group"
  Target resources: All internet resources with Global Secure Access
  Network (NEW): Not configured
  Conditions: 2 conditions selected (Device platforms & Filter for devices)
    User risk (the likelihood that the user account is compromised): Not configured
    Sign-in risk (the likelihood that the sign-in session is compromised): Not configured
    Insider risk (assesses the user's risky data-related activity in Microsoft Purview Insider Risk Management): Not configured
    Device platforms: 1 included – Windows
    Locations: Not configured
    Client apps: Not configured
    Filter for devices: Exclude filtered devices – device.trustType -eq "AzureAD" -or device.trustType -eq "ServerAD"
    Authentication flows (Preview): Not configured

Access controls
  Grant: Block access
  Session: 0 controls selected


1 answer

  1. Bhasker Donthu 940 Reputation points Microsoft Vendor
    2024-11-15T08:21:07.37+00:00

    Hello @DoTheHustle,

    Thank you for posting your query on Microsoft Q&A.
    Understood that you are trying to implement a Conditional Access Policy (CAP) to block access for unmanaged Windows devices, and you're encountering issues with the policy consistently applying. Here are a few troubleshooting steps that might help you:

    1. Review Policy Configurations:

    • User Assignment: Ensure target users are correct and test with a specific group. Exclude emergency/break-glass accounts.
    • Device State Filters: Use Conditions > Device State > Filter for Devices to include unmanaged devices by excluding Hybrid Azure AD joined and Compliant devices, so only managed devices bypass the policy.
    • Platform Targeting: Confirm Windows is selected in Device Platforms.
    • Access Control: Set Access Controls > Grant to Block access.

    2. Switch to "On" Mode: Report-Only mode might not apply the policy consistently. Enable the policy to On (targeting a test group) for accurate results, or create a duplicate policy in On mode with limited targeting.

    3. Use Separate Policies:

    • Allow Policy: For managed, compliant devices (Hybrid Azure AD joined, Compliant) with optional MFA.
    • Block Policy: Target unmanaged Windows devices (excluding managed states).

    4. Personal PC Logins:

    • Require Device Registration to Azure AD for resource access.
    • Intune Integration: Enforce compliance requirements (e.g., encryption, antivirus) before granting access.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

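As an added illustration (not part of the question or the answer above), the following Python models how the Exclude-mode device filter from the question and the policy's user and platform scoping combine into the result code a report-only policy leaves in the sign-in log. The sign-in samples are constructed, and the treatment of a sign-in that carries no Entra device object at all (the personal PC never joined with a Work or School account) is an assumption of the model, stated in the code.

```python
import re

# Added example: a small model of how a Conditional Access policy with a
# "Filter for devices" condition in Exclude mode is evaluated, built around the
# rule in the question. Only -eq/-ne/-and/-or are modelled; all data is constructed.
_TOKEN = re.compile(r'-eq|-ne|-and|-or|"[^"]*"|[\w.]+')

def evaluate_rule(rule, device):
    """True if the device matches; device is None when the sign-in has no device object."""
    toks = _TOKEN.findall(rule)
    def comparison(i):
        prop, op, literal = toks[i], toks[i + 1], toks[i + 2].strip('"')
        actual = (device or {}).get(prop.split(".", 1)[1])
        return (actual == literal if op == "-eq" else actual != literal), i + 3
    def and_expr(i):                       # -and binds tighter than -or
        value, i = comparison(i)
        while i < len(toks) and toks[i] == "-and":
            rhs, i = comparison(i + 1)
            value = value and rhs
        return value, i

    value, i = and_expr(0)
    while i < len(toks) and toks[i] == "-or":
        rhs, i = and_expr(i + 1)
        value = value or rhs
    return value

def evaluate_policy(policy, signin):
    """Return the result code the report-only sign-in log would record."""
    if signin["user"] not in policy["include_users"]:
        return "reportOnlyNotApplied"      # user not in the targeted group
    if signin["platform"] not in policy["platforms"]:
        return "reportOnlyNotApplied"      # device platform condition not met
    excluded = evaluate_rule(policy["device_filter"], signin["device"])
    # Assumption modelled here: in Exclude mode a sign-in with no device object
    # matches nothing, so it is not excluded and the block would apply.
    return "reportOnlyNotApplied" if excluded else "reportOnlyFailure"

POLICY = {  # mirrors the report-only policy listed in the question
    "include_users": {"alice"},            # members of "Test Group"
    "platforms": {"windows"},
    "device_filter": 'device.trustType -eq "AzureAD" -or device.trustType -eq "ServerAD"',
}

SIGNINS = {  # constructed: hybrid-joined PC, registered BYOD, unregistered PC, out-of-scope user
    "hybrid_joined": {"user": "alice", "platform": "windows", "device": {"trustType": "ServerAD"}},
    "registered":    {"user": "alice", "platform": "windows", "device": {"trustType": "Workplace"}},
    "unregistered":  {"user": "alice", "platform": "windows", "device": None},
    "other_user":    {"user": "bob",   "platform": "windows", "device": None},
}
```

Running the four samples through evaluate_policy shows which scoping condition produces "reportOnlyNotApplied" for a given sign-in, which is the first thing to compare against the log analytics entries when the policy never seems to apply.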
