This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Does the Filter Apply to the properties of the User Signing in or the Device?
My policy that is supposed to apply to Devices that aren't AD Registered is not working for my test user. The Device is AD Registered but for a different user than the one signing in now.
See the image for my policy. We have a policy that triggers MFA for registering devices, the only time we want MFA to trigger, we then block access for devices not registered, AD joined or Hybrid joined.
I have a device that is AD registered for one user but not for another, when the non-registered user signs in the MFA allows him to access but he is not AD registered for that device.
I though each time a user signs into a device with their M365 account it AD registers the device, was this changed?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 0%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVM%3C/text%3E%3C/svg%3E)
@Anonymous Checking if the answer provided by Michev helped you. If it did, please do not forget to accept his response as answer and help the community.
They are based on the device properties... it's in the name :) Devices are not registered per user, anyone in the company can login on an AAD joined device without having to go over any additional steps.
I know anyone on AAD Joined Devices can connect without anything else, but my understanding from when i first researched Intune and AAD, is that whenever a new user signs into their M365 account on a machine it AAD Registers the device. That is why we have multiple AAD registered devices for the same device in AAD.
I want a conditional access policy that triggers MFA only when its, that users, first time signing into the machine.
Will also include this screenshot. This is a conference room computer, see how it AD registers users for each sign in, even though its AAD Hybrid Joined. I want that for all devices users sign in from. It seems I can't AAD register a device when the user signs in from a browser. I thought we could in the past, but it seems to only AD register if they sign into a Office 365 computer application.
And for this picture see how many users are AAD Registered, I don't want MFA for those users signing into that computer, I want it for any new users that were to sign into that. It is in our office which I added as an exception to the MFA anyway but for outside computers it will require and have been testing on a laptop we reset and can't get it to work.
Does deleting it and renaming it not remove the token from Azure AD i can see for Authentication details it says previously satisfied and my CA policies don't have any sessions configured.
