Conditional access isn't applied to a group of users on a separate domain

Question

Conditional access isn't applied to a group of users on a separate domain

Pavel Kotelevskii 0

We have a small group of users on a separate domain which is part of the same tenant at our main domain. We've discovered that conditional access policies are not being applied to that group of users. CA policies are applied to all users. Also, sign in logs don't pick up the Device ID and Join Type for the users in question. All of them use BYOD devices.

3 answers

Your answer

Answer 1

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Answer 2

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Answer 3

Hi,

For BYOD:

If the device is not registered in Entra ID (Azure AD), then:
- No Device ID or Join Type shows in logs.
- Device-based CA conditions (e.g., “Require compliant device”) won’t apply.
- Entra ID treats it as an unregistered device, which may bypass or block some policies depending on configuration

Did you tried to check using "What if" function for that specific domain users which of your Entra ID CA applies to them?

Go to the Microsoft Entra admin center.
Navigate to: Protection → Conditional Access → What If

Share via

Conditional access isn't applied to a group of users on a separate domain

3 answers

Your answer