Conditional Access policy - allow from device

Question

Conditional Access policy - allow from device

Merdzd 0

hello .

I need to allow access for one user to the Power BI service, but only from a specific IP address and a group of devices registered in Azure. This means that a specific user can connect to the Power BI service only from a registered device in Azure and within a specific network (IP address).

However, while I can restrict access from unauthorized IP addresses, I am unable to block access from unregistered devices. It might be possible to create multiple rules, but I don’t see how this would work if both devices and users are managed within the same rule set.

User's image

Marcin Policht 69,125 Reputation points MVP Volunteer Moderator

2025-03-20T16:59:54.5866667+00:00

Use device filters

https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-condition-filters-for-devices
Merdzd 0 Reputation points

2025-03-20T17:26:57.8766667+00:00

What property should I select to filter my group of devices? I tried it by group ID, but this option doesn't work.
Merdzd 0 Reputation points

2025-03-20T17:46:54.43+00:00

I tried single device name. Not allow to login
Raja Pothuraju 43,740 Reputation points Microsoft External Staff Moderator

2025-03-20T18:02:04.4+00:00

Hello @Merdzd,

Navigate to Microsoft Entra ID → Devices → All devices and check the device join type for your managed devices in your environment. Based on the join type, choose the appropriate filter in your Conditional Access policy.

When using the DeviceID filter, ensure that you enter the device ID of the specific device, not the group ID. Please refer to the screenshot below for better understanding.

2 answers

Your answer

Marcin Policht 69,125 Reputation points MVP Volunteer Moderator

2025-03-20T16:59:54.5866667+00:00

Use device filters

https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-condition-filters-for-devices
Merdzd 0 Reputation points

2025-03-20T17:26:57.8766667+00:00

What property should I select to filter my group of devices? I tried it by group ID, but this option doesn't work.
Merdzd 0 Reputation points

2025-03-20T17:46:54.43+00:00

I tried single device name. Not allow to login
Raja Pothuraju 43,740 Reputation points Microsoft External Staff Moderator

2025-03-20T18:02:04.4+00:00

Hello @Merdzd,

Navigate to Microsoft Entra ID → Devices → All devices and check the device join type for your managed devices in your environment. Based on the join type, choose the appropriate filter in your Conditional Access policy.

When using the DeviceID filter, ensure that you enter the device ID of the specific device, not the group ID. Please refer to the screenshot below for better understanding.

Answer 1

Hello @Merdzd,

Based on your description, I understand that you want to allow access to the Power BI service only from a specific IP address and managed devices. If a user attempts to access it from a trusted location but an unmanaged device, access should be blocked.

To achieve this, you need to use a device filter with the following expression:

User's image

If your users are using all these trusted device types (i.e; Microsoft Entra Joined, Entra Registered, Entra Hybrid Join), make sure to exclude these managed devices from the policy.

Your policy should be like, Your policy should be configured as follows:

Users → Include all required users.
Target resources → Include the application you want to protect.
Network → Include "Any network or location" and exclude either "Selected networks and locations" or "All trusted networks and locations."
Conditions → Use Filter for Devices and exclude devices with the following rule syntax: device.trustType -eq "AzureAD"
Grant Controls → Select Block Access.
Click Save.

This policy will block all access attempts from untrusted locations and unmanaged devices.

If you need to exclude only one or two specific devices, use the deviceID property with the equal (eq) operator and enter the device ID value. Please refer to the screenshot below for reference.

User's image

I hope this information is helpful. Please feel free to reach out if you have any further questions.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Merdzd 0 Reputation points

2025-03-20T20:23:14.36+00:00

Not just from trusted devices, but only from a specific group of trusted devices. Adding to this group is done manually, so in principle, a list of devices in the filter should be sufficient. However, after trying to filter by name or ID, I did not achieve the expected result. For now, I have excluded the IP restriction from the rule for testing.
Raja Pothuraju 43,740 Reputation points Microsoft External Staff Moderator

2025-03-21T16:27:27.1033333+00:00

Hello @Merdzd,

I would prefer to take this discussion offline via a Teams call for more easy understanding. Please share your contact email via a private message along with your availability for a call.

Answer 2

Marcin Policht 69,125 MVP Volunteer Moderator

Use the trustType property - as per https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-condition-filters-for-devices

trustType	Equals, NotEquals	A valid registered state for devices. Supported values are: AzureAD (used for Microsoft Entra joined devices), ServerAD (used for Microsoft Entra hybrid joined devices), Workplace (used for Microsoft Entra registered devices)	(device.trustType -eq "ServerAD")
trustType	Equals, NotEquals	A valid registered state for devices. Supported values are: AzureAD (used for Microsoft Entra joined devices), ServerAD (used for Microsoft Entra hybrid joined devices), Workplace (used for Microsoft Entra registered devices)	(device.trustType -eq "ServerAD")

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Merdzd 0 Reputation points

2025-03-20T20:37:02.03+00:00

excluded devices by name and id not using IP filtering can't access powerbi
Merdzd 0 Reputation points

2025-03-20T20:56:41.5066667+00:00

Have no ID in logs
Raja Pothuraju 43,740 Reputation points Microsoft External Staff Moderator

2025-03-21T04:01:09.39+00:00

Hello @Merdzd,

Run dsregcmd /status in command prompt and see if the device is having Valid AzureADPrt as Yes.

In command output, see what the device state of the device is. Troubleshoot devices by using the dsregcmd command

If the device is not enrolled to Entra, you won't see device ID or device info in Entra Sign-in logs.
Merdzd 0 Reputation points

2025-03-22T08:37:22.1566667+00:00
Device State |

+----------------------------------------------------------------------+

AzureAdJoined : YES EnterpriseJoined : NO DomainJoined : NO Device Name : MdZDHP250

DeviceId : ac9a23ee-fadc-47f2-92fe-3940affd2c34 Same as in filter

User State |

+----------------------------------------------------------------------+

NgcSet : NO WorkplaceJoined : NO WamDefaultSet : YES WamDefaultAuthority : consumers WamDefaultId : https://login.microsoft.com WamDefaultGUID : {D7F9888F-E3FC-49B0-9EA6-A85B5F392A4F} (MicrosoftAccount)

+----------------------------------------------------------------------+

| SSO State |

+----------------------------------------------------------------------+

AzureAdPrt : NO AzureAdPrtAuthority : EnterprisePrt : NO EnterprisePrtAuthority :

+----------------------------------------------------------------------+

| Diagnostic Data |

+----------------------------------------------------------------------+

AadRecoveryEnabled : NO Executing Account Name : MDZDHP250\USER KeySignTest : PASSED DisplayNameUpdated : YES OsVersionUpdated : YES HostNameUpdated : YES Last HostName Update : NONE
Raja Pothuraju 43,740 Reputation points Microsoft External Staff Moderator

2025-03-25T01:01:45.7566667+00:00

Hello @Merdzd,

Thank you for sharing the device status, I see that device is not having valid AzureADPRT. This is why it is not excluding it from Conditional access policy.

Let continue this troubleshooting over team's call. Please share your contact email address over the private message.
Raja Pothuraju 43,740 Reputation points Microsoft External Staff Moderator

2025-03-26T20:54:16.66+00:00

Hello @Merdzd,

I just wanted to check if you'd be interested in taking this offline via a remote session to better understand the scenario. Please share your email address to setup a team's call and your availability in private message. You can see private message option under your question.
Raja Pothuraju 43,740 Reputation points Microsoft External Staff Moderator

2025-04-01T10:59:11.13+00:00

Hello @Merdzd,

Based on the screenshot you shared; I see that the Device ID is not being passed in the Entra sign-in logs when your users authenticate from the device.

This can happen if the device is not properly enrolled in your Entra directory. Please ensure that you are logging into the device using your work or school account instead of a local account.

Logging in with a local account prevents the device from obtaining a valid AzureADPrt token. This is why your dsregcmd /status output shows AzureAdPrt: NO, indicating that you are signed in with a local account.

To obtain a valid PRT token and pass the Device ID information during sign-ins, please log in with your work or school account.

If you need any additional details, please share your contact details over private message for offline troubleshooting.

Share via

Conditional Access policy - allow from device

2 answers

Your answer