Azure Conditional Access - Device extensionAttributes

Question

Azure Conditional Access - Device extensionAttributes

dridley 181

Hi MSFT,

I am trying to get CA policies to BLOCK AAD-Registered devices that DO NOT have extensionAttribute1 set.
However, devices with extensionAttribute1 are also getting blocked as they report "No Match".

Any ideas what is going on here? I have tried 2 different tenants.

Harpreet Singh Matharoo 8,416 Reputation points Microsoft Employee Moderator

2022-08-25T04:29:08.963+00:00

Hello @Anonymous

Thank you for reaching out. I am looking into this and would get back to you with an answer.
dridley 181 Reputation points

2022-08-25T06:56:55.533+00:00

Thanks @Harpreet Singh Matharoo

I think i might have some more info.
I noticed it DOES work only if i access it with the user account that i registered the device with.

From what i can tell CA must be using the "Owner" field to marry up the deviceID/ObjectID in order to query device attributes.
If you can please confirm/clarify this. Thanks.
AllDeesScripts-4723 1 Reputation point

2022-10-17T12:01:19.76+00:00

Hi,

Did you find a workaround for this?

I have been trying to achieve the same thing with CA and extension attributes, for the exact same reason of requiring authorisation of AAD registered devices.

I made the same mistake of misreading the documentation hence have ended up here. I saw there is a System Label attribute but I read that that is a protected attribute that only Microsoft can write to.

Other than submitting a feature request I'm a bit stumped at the moment!

Answer accepted by question author

0 additional answers

Your answer

Harpreet Singh Matharoo 8,416 Reputation points Microsoft Employee Moderator

2022-08-25T04:29:08.963+00:00

Hello @Anonymous

Thank you for reaching out. I am looking into this and would get back to you with an answer.
dridley 181 Reputation points

2022-08-25T06:56:55.533+00:00

Thanks @Harpreet Singh Matharoo

I think i might have some more info.
I noticed it DOES work only if i access it with the user account that i registered the device with.

From what i can tell CA must be using the "Owner" field to marry up the deviceID/ObjectID in order to query device attributes.
If you can please confirm/clarify this. Thanks.
AllDeesScripts-4723 1 Reputation point

2022-10-17T12:01:19.76+00:00

Hi,

Did you find a workaround for this?

I have been trying to achieve the same thing with CA and extension attributes, for the exact same reason of requiring authorisation of AAD registered devices.

I made the same mistake of misreading the documentation hence have ended up here. I saw there is a System Label attribute but I read that that is a protected attribute that only Microsoft can write to.

Other than submitting a feature request I'm a bit stumped at the moment!

Answer 1

Harpreet Singh Matharoo 8,416 Microsoft Employee Moderator

Hello @Anonymous

Thank you for being patient while I was working on this request. I would like to confirm following points with you:

For Azure AD Registered Device a device filter can apply in include or exclude mode for all attributes excluding extension attributes.
To read extension attributes, a device should be compliant / Hybrid AAD joined / Managed by Intune.

These details can be validated on following document and below is the table from the document which describes the same: Policy behavior with filter for devices

I hope this helps and answers the query you have.

----------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

dridley 181 Reputation points

2022-08-26T04:29:28.32+00:00
Thanks for the clarification @Harpreet Singh Matharoo

I had seen that table prior, but maybe I had misread it (confusing as it is to read). It's a shame they can't be used for std AADR devices.
A couple of points from me then:

I therefore assume if the device compliant state = "N/A" it is also deemed as NonCompliant?

The mixed results I had must have been due to the Device's "Join Type" then and not the user I was logging on with.

As an alternative, from that table i should be able to use the "TrustType" attribute. For my UseCase though the device is AADR to TenantB and ** the same device is AADJ to TenantA. Is that supported?
****because i can't get that to work either.

Cheers.
Harpreet Singh Matharoo 8,416 Reputation points Microsoft Employee Moderator

2022-08-30T10:16:09.97+00:00
Hello @Anonymous

Please find my responses in below points:

**In regards with Device compliant state values: **

N/A = Not Enrolled (Since device is not enrolled to Intune this value is not available)

True - Enrolled and Compliant.

False - Enrolled and non-compliant.

**Should you be able to use the "TrustType" attribute: **

You can use trustType attribute to allow or deny access on specific type of device.

Following value can be set to following values: AzureAD for AAD Join, ServerAD for HAADJ and Workplace for AADR

**In regards device is AADR to TenantB and the same device is AADJ to TenantA. Is that supported? **

Even though it is possible to add device to multiple tenants, however we do not recommend having device to be associated with multiple tenants as this may result in Conditional Access Policy and SSO issues.

I have seen multiple customers setting up devices in such way and using different browser profiles to avoid SSO and Conditional Access issues. Hence as workaround to support such scenario you can setup different browser profile for each account associated to device to avoid any issues.

I hope these answers all your questions.

----------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Share via

Azure Conditional Access - Device extensionAttributes

0 additional answers

Your answer