This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 15%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKP%3C/text%3E%3C/svg%3E)
Hi All,
I need some advice on how to acheive below
so i tried condition under "filter by devices" as include Azure AD joined devices as not equal with block access. it blocked personal and azure ad joined devices. Please suggest how to allow azure AD join devices and block personal devices
Please provide your suggestions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@karthik palani , For your questions, here are my suggestions:
We can test the command on device manually to see if it can work. If yes, then we can deploy Powershell Script via Intune to do it in a batch.
For the password threshold, to know it better, could you let us know where we configure the setting?
Please check the above information, if there's any update, feel free to let us know.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi Crystal,
I tried the above conditional access logic, its not blocking unenrolled or BYOD devices. It works only if we change the device ownership as corporate or personal. Any other logics you can suggest please
Hi Crystal,
Appreciate your support as usual
The password threshold set under Azure Active directory - Security - Authentication - Password protection - "Lockout threshold"
@karthik palani , Thanks for the reply.. From your description, I find the setting is in Azure AD. As I am not familiar with it, I have added "azure-active-directory" tag to see if any Azure AD support can be involved. As another option, you can also open a new thread to only add this tag to find the support.
Thanks for your understanding.
Thanks, so the point no - 3, seems like "Numbers, lowercase, uppercase and special characters required" is not supported for desktop/laptop.
Is there any other way we can enforce this "Numbers, lowercase, uppercase and special characters required"
@karthik palani , After researching, I didn't find other method in Intune. Maybe you can feedback to uservoice to see if we can get it supported in the future.
https://feedbackportal.microsoft.com/feedback/forum/ef1d6d38-fd1b-ec11-b6e7-0022481f8472
Thanks for the understanding and have a nice day!
The setting that you were referring above was Azure AD Smart lockout which must work for the devices that are Azure AD join when device has internet connection however if device is offline then Azure AD Smart lockout policy won't take effect and user may continue to login Windows Sign-in using cache. Hope this helps.
Note: while testing make sure you try with three different password each attempt because Azure AD smart lockout is not traditional AD lockout so to get attempt marked as 3 bad passwords, you need to try three different password each attempt. if you repeat same password multiple times. it won't increase the count.