Goal: Block any non-company-issued Windows devices from accessing company resources in our Entra environment. Ideally anyone on an unmanaged computer should not even be able to open Outlook on the web. We want to block any Registered devices and any personal PCs, while allowing any AD Joined or Hybrid Joined devices from our tenant to access company resources freely.
Test Setup: I have my company-issued, AD-joined/Intune-managed Windows PC and an unmanaged test Windows PC for troubleshooting. I have a test policy in Report Only mode, and we have Log Analytics turned on in Azure for Conditional Access to report login instances and the resulting policy behavior of login attempts.
Problem: Currently I have devised a policy set that is broken down by Platform/OS. Working on the Windows platform, I am consistently getting "reportOnlyNotApplied" when testing logins on both my company PC (AD Joined) and the unmanaged PC with the current logic.
I have perused the forums and tried changing the scope of target Users to All, None and a specific test group.
I previously had Target Resources set to All Cloud Apps + Client Apps with all selected, and then also tried the new target resource group, "All internet resources with Global Secure Access", which includes all of the prior in one unified group.
I tried switching Exclude to Include as another post suggested, even though that didn't make much sense to me.
Lasting thoughts:
Am I supposed to create 2 separate policies? One to allow AD Joined/Hybrid Joined, and one to block Registered? I started to try this, but if the block policy isn't working it's not going to help when I make the specific allows.
What if it doesn't fall under Registered because it is just a completely personal PC not joined to a Work or School account, so it doesn't get that designation (Registered) and skips on through unblocked? I see my test computer isn't picked up by my tenant, probably because I didn't join with Work or School on setup; I chose Personal PC, and this is exactly what I want to protect against: unwanted foreign attacks, and unsanctioned devices from users who refuse to listen to policy and still bring their own device.
Please provide any advice on how to carry out my expected goal, as well as any suggestions you may have from managing other organizations' Conditional Access policies that you would recommend we implement. I started looking at the Secure Token Configurations, and there might be something with Conditional session app, but I can't seem to pull it all together quite yet.
I also
Current Conditional Access Policy (Report Only):

Assignments
  Users: Specific users included – "Test Group"
  Target resources: All internet resources with Global Secure Access
  Network (NEW): Not configured
  Conditions: 2 conditions selected (Device platforms & Filter for devices)
    User risk: Not configured
    Sign-in risk: Not configured
    Insider risk: Not configured
    Device platforms: 1 included – Windows
    Locations: Not configured
    Client apps: Not configured
    Filter for devices: Exclude filtered devices – device.trustType -eq "AzureAD" -or device.trustType -eq "ServerAD"
    Authentication flows (Preview): Not configured
Access controls
  Grant: Block access
  Session: 0 controls selected
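As an added example, not part of the original post: the policy above expressed as a Microsoft Graph PowerShell SDK script, followed by a read of the test user's recent sign-ins that shows how the report-only policy evaluated each one and what trust type, if any, the signing-in device carried. The policy display name, the group object ID, the test UPN, and the use of All cloud apps as the target (the option the post tried first, since the Global Secure Access target is not reproduced here) are assumptions; the script needs the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Reports modules and an account that can consent to the listed scopes.

```powershell
# Added example, not code from the original post.
# Assumed values (replace with your own):
$PolicyName  = 'CA-Block-Windows-Unmanaged (Report-only)'    # assumed display name
$TestGroupId = '00000000-0000-0000-0000-000000000000'         # assumed object ID of "Test Group"
$TestUpn     = 'tester@contoso.example'                        # assumed test account

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','AuditLog.Read.All'

# Policy body mirroring the post's configuration: Windows platform only, Block grant,
# Exclude-mode device filter for Entra joined ("AzureAD") and hybrid joined ("ServerAD").
$policy = @{
    displayName = $PolicyName
    state       = 'enabledForReportingButNotEnforced'          # Report-only, as in the post
    conditions  = @{
        users        = @{ includeGroups = @($TestGroupId) }
        applications = @{ includeApplications = @('All') }     # assumed: All cloud apps
        platforms    = @{ includePlatforms = @('windows') }
        devices      = @{
            deviceFilter = @{
                mode = 'exclude'
                rule = 'device.trustType -eq "AzureAD" -or device.trustType -eq "ServerAD"'
            }
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Read back how the report-only policy evaluated the test user's recent sign-ins.
# Result values of interest: reportOnlyFailure (would have been blocked),
# reportOnlySuccess (would have been allowed), reportOnlyNotApplied (policy not in scope).
# DeviceDetail.TrustType is empty when the sign-in came from a device with no object in the tenant.
$signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$TestUpn'" -Top 25

$signIns | ForEach-Object {
    $hit = $_.AppliedConditionalAccessPolicies | Where-Object { $_.DisplayName -eq $PolicyName }
    [pscustomobject]@{
        Time      = $_.CreatedDateTime
        App       = $_.AppDisplayName
        OS        = $_.DeviceDetail.OperatingSystem
        TrustType = $_.DeviceDetail.TrustType
        DeviceId  = $_.DeviceDetail.DeviceId
        Result    = $hit.Result
    }
} | Format-Table -AutoSize
```

Run it once, sign in from each test machine, then run the second half again: comparing the TrustType and DeviceId columns against the Result column for the managed and the unmanaged PC shows directly which device identity (or lack of one) each sign-in presented to the filter.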