Filters for CAP's

Question

Filters for CAP's

Matt 1

Looking to apply a specific CAP for Azure DevBox's, and was hoping I could use a device filter CAP. I've first tried using model as I have a dynamic group setup to filter based on that "device.model -startswith "Microsoft Dev Box", but the CAP filter doesn't seem to be working.

I confirmed that in Entra ID attributes that's what's listed under Model, so is this just not possible, or am I doing something wrong?

Furthering that, I'd actually like to use the EnrollmentProfileName attribute if possible to filter instead....assuming CAP's can filter built in attributes......

VEMULA SRISAI 9,820 Reputation points Microsoft External Staff Moderator

2026-03-03T21:05:58.6133333+00:00

Hello Matt,

You’re not doing anything wrong — this comes down to how Conditional Access device filters are evaluated.

About device.model

While device.model is a supported attribute in Conditional Access Filter for devices, it only works when the sign‑in includes a valid device claim (registered device context). If the Dev Box sign‑in does not present device authentication context, the model value is treated as null during policy evaluation, even though you can see it populated on the device object in Entra ID. In that case, a positive filter like -startsWith will not match.

This is a common limitation with VM‑based and remote sign‑in scenarios.

About enrollmentProfileName

Yes — device.enrollmentProfileName is supported in Conditional Access device filters and is often a better option for this scenario. This attribute is set by Microsoft Intune based on the enrollment profile used at provisioning (Autopilot / Dev Box enrollment), and Dev Boxes are automatically registered and managed via Intune.

Example filter:

Plain Text

device.enrollmentProfileName -startsWith "DevBox"

Show more lines

Recommendation

For targeting Azure Dev Box, Microsoft recommends relying on Intune‑backed attributes (such as enrollmentProfileName, compliance state, or extension attributes) rather than hardware properties like model, which may not be reliably evaluated during authentication

1 answer

Your answer

VEMULA SRISAI 9,820 Reputation points Microsoft External Staff Moderator

2026-03-03T21:05:58.6133333+00:00

Hello Matt,

You’re not doing anything wrong — this comes down to how Conditional Access device filters are evaluated.

About device.model

While device.model is a supported attribute in Conditional Access Filter for devices, it only works when the sign‑in includes a valid device claim (registered device context). If the Dev Box sign‑in does not present device authentication context, the model value is treated as null during policy evaluation, even though you can see it populated on the device object in Entra ID. In that case, a positive filter like -startsWith will not match.

This is a common limitation with VM‑based and remote sign‑in scenarios.

About enrollmentProfileName

Yes — device.enrollmentProfileName is supported in Conditional Access device filters and is often a better option for this scenario. This attribute is set by Microsoft Intune based on the enrollment profile used at provisioning (Autopilot / Dev Box enrollment), and Dev Boxes are automatically registered and managed via Intune.

Example filter:

Plain Text

device.enrollmentProfileName -startsWith "DevBox"

Show more lines

Recommendation

For targeting Azure Dev Box, Microsoft recommends relying on Intune‑backed attributes (such as enrollmentProfileName, compliance state, or extension attributes) rather than hardware properties like model, which may not be reliably evaluated during authentication

Answer 1

To apply a Conditional Access Policy (CAP) filter for Azure DevBox devices using the device.model attribute, ensure that the model name is correctly specified in your filter. The syntax you provided, device.model -startswith "Microsoft Dev Box", is correct, but if it's not working, consider the following:

Check Device Attributes: Confirm that the devices are indeed reporting the model as "Microsoft Dev Box" in Azure Entra ID. Sometimes, there might be discrepancies in how the model is reported.
Filter Conditions: Ensure that the devices are compliant and managed as required by the CAP settings. If the devices do not meet the compliance criteria, the filter may not apply as expected.
CAP Configuration: Review the overall configuration of the CAP to ensure that all conditions and requirements are correctly set.

Regarding the EnrollmentProfileName attribute, you can use it to filter based on the enrollment profile applied to the device. The syntax would be similar to:

device.enrollmentProfileName -eq "YourEnrollmentProfileName"

This attribute can be used in CAP filters, allowing you to narrow down the assignment scope based on the specific enrollment profile associated with the devices.

If you continue to face issues, consider reviewing the documentation for any updates or specific requirements related to device filters in Conditional Access policies.

References:

Thanmayi Godithi 7,265 Reputation points Microsoft External Staff Moderator

2026-02-26T11:44:58.6466667+00:00

Hi @Matt,

Just checking in to see if you had a chance to see the previous response.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well. If you have any further questions do let us know.

Share via

Filters for CAP's

1 answer

Your answer