Conditional Access Policy - Filter for Devices

HiteshP 1 Reputation point
2022-08-15T20:00:19.817+00:00

Hi All

Has anyone been able to create a Conditional Access using Filter for Devices to block older Windows Operating systems like Windows 7 or 8?

Microsoft Entra ID

3 answers

  1. Marilee Turscak-MSFT 34,546 Reputation points Microsoft Employee
    2022-08-15T22:38:13.233+00:00

    Hi @HiteshP ,

    Yes, you can create a filter to block older operating systems. The generally recommended way to do this is to create a Filter for devices in a Conditional Access policy, apply it to All users, accessing all cloud apps.

    Then you would add an "exclude" filter for devices using the rule expression operatingSystem equals Windows and operatingSystemVersion startsWith "10.0", like this sample one that I added:

    [image: 231263-image.png]

    For additional context, this scenario is documented in the Filter for devices guide.

    I hope this helps.

    -

    If the information helped you, please Accept the answer. This will help us and other community members as well.


  2. HiteshP 1 Reputation point
    2022-08-16T19:24:02.597+00:00

    Unfortunately, the "Starts With" operator only captures devices which are registered in Azure.
    We want to block all older Windows devices, even personal devices.

    We tried exclude devices Notstartswith 10.0 and it sort of works, except it also blocks Windows 10 devices which are not registered in Azure.

    "For a device that is unregistered with Azure AD, all device properties are considered as null values and the device attributes cannot be determined since the device does not exist in the directory. The best way to target policies for unregistered devices is by using the negative operator since the configured filter rule would apply. If you were to use a positive operator, the filter rule would only apply when a device exists in the directory and the configured rule matches the attribute on the device."
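
    To see why the exclusion rule from the first answer still catches unregistered Windows 10 devices, here is a small Python model of the filter-for-devices semantics quoted above (an added example, not Microsoft's code or a tool from this thread). It assumes the documented null-attribute behaviour: positive operators such as -eq and -startsWith never match an unregistered device, while negative operators such as -notStartsWith always do; the device records, version strings and function names are constructed for the illustration.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample devices (not from the thread). None means the attribute is
# unknown because the device is not registered in the directory.
DEVICES: Dict[str, Dict[str, Optional[str]]] = {
    "win10-registered":   {"operatingSystem": "Windows", "operatingSystemVersion": "10.0.19044.1889"},
    "win7-registered":    {"operatingSystem": "Windows", "operatingSystemVersion": "6.1.7601.0"},
    "win10-unregistered": {"operatingSystem": None, "operatingSystemVersion": None},
}

Clause = Tuple[str, str, str]  # (attribute, operator, value)

POSITIVE: Dict[str, Callable[[str, str], bool]] = {
    "-eq": lambda actual, v: actual == v,
    "-startsWith": lambda actual, v: actual.startswith(v),
    "-contains": lambda actual, v: v in actual,
}
# Each negative operator is the negation of a positive one, except on null attributes.
NEGATIVE = {"-ne": "-eq", "-notStartsWith": "-startsWith", "-notContains": "-contains"}


def clause_matches(clause: Clause, device: Dict[str, Optional[str]]) -> bool:
    attr, op, value = clause
    actual = device.get(attr)
    if op in NEGATIVE:
        # Assumption from the quoted docs: a negative operator matches a null attribute.
        return True if actual is None else not POSITIVE[NEGATIVE[op]](actual, value)
    # A positive operator only matches a device that exists in the directory.
    return actual is not None and POSITIVE[op](actual, value)


def rule_matches(clauses: List[Clause], combinator: str, device) -> bool:
    results = [clause_matches(c, device) for c in clauses]
    return all(results) if combinator == "-and" else any(results)


def policy_applies(clauses: List[Clause], combinator: str, mode: str, device) -> bool:
    """mode 'include': policy applies to matching devices; 'exclude': to non-matching ones."""
    hit = rule_matches(clauses, combinator, device)
    return hit if mode == "include" else not hit


def evaluate(clauses: List[Clause], combinator: str, mode: str) -> Dict[str, bool]:
    """Return, per sample device, whether a policy carrying this filter is in scope for it."""
    return {name: policy_applies(clauses, combinator, mode, dev) for name, dev in DEVICES.items()}


if __name__ == "__main__":
    first_answer = [("operatingSystem", "-eq", "Windows"), ("operatingSystemVersion", "-startsWith", "10.0")]
    print("exclude startsWith 10.0 :", evaluate(first_answer, "-and", "exclude"))
    print("include notStartsWith   :", evaluate([("operatingSystemVersion", "-notStartsWith", "10.0")], "-and", "include"))
```

    In both runs the unregistered Windows 10 device stays in scope: an attribute filter can target unregistered devices (via negative operators) but cannot exempt them, because every positive test on a null attribute fails.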


  3. Marilee Turscak-MSFT 34,546 Reputation points Microsoft Employee
    2022-09-13T00:36:39.15+00:00

    Hi @HiteshP ,

    Apologies for the delay! In that case you should be able to set it to exclude the device if Operating System = Windows 8 or Operating System = Windows 7.

    [image: 240246-excludepolicy.jpg]

    I am able to set this in my lab and others have confirmed that it worked for them. Let me know if you face issues with it though.

    -

    If the information helped you, please accept the answer. This will help us and other community members as well.
