Conditional Access Policy Configuration

Ramachandran Krishnamoorthy 26 Reputation points
2022-03-14T18:56:04.917+00:00

Hi Team,

I have added an application under Enterprise Applications in Azure. I have configured a Conditional Access Policy for this application to access only from Trusted Locations. In this trusted location, I have added my office public IPs and, as expected, this application is accessible via my office network.

I have a set of users working from home with official laptops. I have configured a Conditional Access Policy in such a way that people accessing using an official laptop should complete MFA. This is working.

But I noticed that they are also able to access it with personal devices. How do I resolve this?

Thanks,
Ramachandran K

Microsoft Security Microsoft Entra Microsoft Entra ID

7 answers

  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2022-03-14T22:07:15.73+00:00

    Hi @Ramachandran Krishnamoorthy ,

    I understand that you are hoping to block access to users who try to access company resources with their personal devices. (Please correct me if I'm wrong, as I can interpret your description to either mean that you want to block the access entirely on personal devices or enforce MFA for them.)

    To block access on personal devices, there are two settings you can use in Conditional Access:

    1. Require device to be marked as compliant - Marked as compliant means the device is enrolled in a mobile device management solution, such as Intune, and meets that MDM’s compliance requirements, such as having an active firewall.
    2. Require Hybrid Azure AD joined device - This means that the device is joined to your on-premises Active Directory, but also synchronized and joined to the cloud-based Azure AD.

    Conditional access gives you the option to require one or both of these controls so that both on-premises domain joined and Azure AD only joined devices can get access. (This is the recommended approach as well.)

    [Screenshot: 182988-image.png]

    You also have the option to set compliance policies based on particular criteria.

    Let me know if this helps.

    Here are the official guides for this setting:

    Conditional Access: Require compliant or hybrid Azure AD joined device
    Use compliance policies to set rules for devices you manage with Intune

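As an added example (not code from the thread or from Microsoft), the following Python audits Conditional Access policy objects in the shape returned by Microsoft Graph and reports which ones actually keep unmanaged devices out, which is the difference between the MFA policy in the question and the compliant-or-hybrid-joined grant control in the answer. The application id and the sample policies are constructed.

```python
# Added example, not from the thread or from Microsoft: audit Conditional Access policies
# (shaped like Microsoft Graph /identity/conditionalAccess/policies objects) for a grant
# control that actually keeps unmanaged devices out. All sample policies are constructed.
APP_ID = "11111111-2222-3333-4444-555555555555"  # placeholder application id
# Grant controls only a managed device can satisfy; domainJoinedDevice = Hybrid Azure AD joined.
DEVICE_CONTROLS = {"compliantDevice", "domainJoinedDevice"}

def _policy(name, state, controls, operator="OR"):
    """Build a minimal policy object scoped to the target app (constructed sample data)."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {"applications": {"includeApplications": [APP_ID]}},
        "grantControls": {"operator": operator, "builtInControls": controls},
    }

# The situation in the question: MFA is required, so any device that completes MFA is let in.
POLICIES_BEFORE = [_policy("App - require MFA", "enabled", ["mfa"])]
# The fix from the answer: require a compliant OR hybrid Azure AD joined device.
POLICIES_AFTER = POLICIES_BEFORE + [
    _policy("App - require managed device", "enabled",
            ["compliantDevice", "domainJoinedDevice"]),
]

def targets_app(policy, app_id):
    apps = policy.get("conditions", {}).get("applications", {})
    included = apps.get("includeApplications", [])
    return ("All" in included or app_id in included) and app_id not in apps.get("excludeApplications", [])

def enforces_device_control(policy):
    """True only if an *enabled* policy cannot be satisfied without a managed device."""
    if policy.get("state") != "enabled":  # report-only or disabled policies enforce nothing
        return False
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    if not controls & DEVICE_CONTROLS:
        return False
    # Operator "OR" with a non-device control such as "mfa" means MFA alone satisfies the
    # policy, so a personal device still gets through; "AND" keeps the device requirement.
    return grant.get("operator") == "AND" or controls <= DEVICE_CONTROLS

def blocking_policies(policies, app_id):
    """Names of the policies that stop unmanaged devices from reaching the app."""
    return [p["displayName"] for p in policies
            if targets_app(p, app_id) and enforces_device_control(p)]

if __name__ == "__main__":
    print("before:", blocking_policies(POLICIES_BEFORE, APP_ID))  # []
    print("after: ", blocking_policies(POLICIES_AFTER, APP_ID))   # ['App - require managed device']
```

Run the same check against the policies exported from your own tenant to confirm that at least one enabled policy scoped to the application survives the device-control test; an MFA-only policy never will.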

  2. Ramachandran Krishnamoorthy 26 Reputation points
    2022-03-15T18:55:20.517+00:00

    Hi Marilee Turscak,

    You are correct. I wanted to block access to that particular application from the personal devices.

    I am in a Hybrid environment; do you want me to configure Azure AD as well? I see that my office PC is appearing as Hybrid AD Joined and I can access from outside the network. But the same application is working via personal devices as well.

    Thanks,
    Ram


  3. Ramachandran Krishnamoorthy 26 Reputation points
    2022-03-15T19:06:51.683+00:00

    Hi Marilee,

    [Screenshot: 183421-image.png]

    [Screenshot: 183368-image.png]

    [Screenshot: 183319-image.png]

    [Screenshot: 183369-image.png]

    Thanks,
    Ram


  4. Ramachandran Krishnamoorthy 26 Reputation points
    2022-03-15T19:08:13.837+00:00

    Hi Marilee,

    In the above screenshots, I have selected Hybrid AD Joined to grant access. But I can access the app even from my personal devices.

    Thanks,
    Ram


  5. Ramachandran Krishnamoorthy 26 Reputation points
    2022-03-22T09:29:16.943+00:00

    Hi Marilee,

    We have already configured Azure AD and users/devices are listed in the menu. Do we still need any other configuration on our end?

    Thanks,
    Ram
