Thank you for your post!
I understand that you'd like to restrict access to the Azure Portal, M365 Admin portal, and PowerShell to only Hybrid Azure AD joined devices. To hopefully help point you in the right direction, I'll share some steps you can reference to do this below.
- Sign in to the Azure portal with your admin credentials.
- Navigate to Microsoft Entra ID > Security > Conditional Access.
- Click on your desired policy or create a new policy as needed.
- Under "Assignments", select "Users and groups" and choose the users or groups that you want to apply the policy to.
- Under "Target Resources", open the "Select apps" option and choose the following - Windows Azure Service Management API (Microsoft Azure Management), Office 365, and Microsoft Admin Portal applications.
- Under "Conditions", select "Device platforms" and choose your required platforms (i.e. Windows, Linux, iOS).
- Under "Access controls", select "Grant access", and select the appropriate controls.
  - For example: Require multifactor authentication, Require device to be marked as compliant, and Require Microsoft Entra hybrid joined device.
Prior to enabling your CA Policy, I'd recommend using the What If tool to troubleshoot and test your new Conditional Access policy to ensure it'll work correctly.
Additional Links:
- Common Conditional Access policy: Require a compliant device, Microsoft Entra hybrid joined device, or multifactor authentication for all users
- Use the What If tool to troubleshoot Conditional Access policies
- Microsoft cloud applications
- Windows Azure Service Management API (Microsoft Azure Management)
- Office 365
- Microsoft Admin Portals
I hope this helps!
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
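
The portal steps in the answer above can also be expressed as a Microsoft Graph PowerShell script; this is an added example, not part of the original answer. The group and emergency-account object IDs are placeholders, excluding an emergency account and the `OR` operator are assumptions, and the policy is created in report-only mode so its effect can be reviewed before enforcement.

```powershell
# Added example (not from the original answer). Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholders: replace with object IDs from your own tenant.
$targetGroupId = '<object-id-of-target-group>'
$breakGlassId  = '<object-id-of-emergency-access-account>'  # assumption: excluded to avoid lockout
if ("$targetGroupId$breakGlassId" -match '[<>]') { throw 'Replace the placeholder object IDs first.' }

$name = 'Admin portals - MFA, compliant or hybrid joined device'  # constructed display name

# Avoid creating a duplicate if the policy already exists.
$existing = Get-MgIdentityConditionalAccessPolicy -All | Where-Object DisplayName -eq $name
if ($existing) { throw "Policy '$name' already exists (Id: $($existing.Id))." }

$policy = @{
    displayName = $name
    # Report-only: sign-ins are evaluated and logged, but nothing is blocked yet.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        users          = @{
            includeGroups = @($targetGroupId)
            excludeUsers  = @($breakGlassId)
        }
        applications   = @{
            includeApplications = @(
                '797f4846-ba00-4fd7-ba43-dac1f8f63013'  # Windows Azure Service Management API
                'Office365'
                'MicrosoftAdminPortals'
            )
        }
        platforms      = @{ includePlatforms = @('windows', 'linux', 'iOS') }
    }
    grantControls = @{
        operator        = 'OR'   # assumption: any one control satisfies the policy
        builtInControls = @('mfa', 'compliantDevice', 'domainJoinedDevice')  # domainJoinedDevice = hybrid joined
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

With the `OR` operator, a device that is not hybrid joined can still satisfy the policy through MFA or compliance; to require hybrid join on its own, reduce `builtInControls` to `'domainJoinedDevice'`.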