
Block Access for all non-Intune MDM enrolled mobile devices in Conditional Access

Last week a customer needed to make sure that all mobile devices that weren't MDM enrolled in Intune would be blocked from accessing Azure AD resources through mobile apps.
The goal was to start forcing specific users to MDM enroll their devices without yet having compliance policies in place in Intune.
To achieve this, we will use a Conditional Access policy with the new Device Filtering condition.

About Device Filtering within Conditional Access

A couple of days ago, Microsoft released the Device Filtering condition to general availability. This lets us target or exclude specific devices from a Conditional Access policy.
Currently, only a subset of device attributes can be used to filter devices within Conditional Access:

| Supported device attributes | Supported operators | Supported values | Example |
| --- | --- | --- | --- |
| deviceId | Equals, NotEquals, In, NotIn | A valid deviceId that is a GUID | (device.deviceid -eq "498c4de7-1aee-4ded-8d5d-000000000000") |
| displayName | Equals, NotEquals, StartsWith, NotStartsWith, EndsWith, NotEndsWith, Contains, NotContains, In, NotIn | Any string | (device.displayName -contains "ABC") |
| deviceOwnership | Equals, NotEquals | Supported values are "Personal" for bring-your-own devices and "Company" for corporate-owned devices | (device.deviceOwnership -eq "Company") |
| isCompliant | Equals, NotEquals | Supported values are "True" for compliant devices and "False" for non-compliant devices | (device.isCompliant -eq "True") |
| manufacturer | Equals, NotEquals, StartsWith, NotStartsWith, EndsWith, NotEndsWith, Contains, NotContains, In, NotIn | Any string | (device.manufacturer -startsWith "Microsoft") |
| mdmAppId | Equals, NotEquals, In, NotIn | A valid MDM application ID | (device.mdmAppId -in ["0000000a-0000-0000-c000-000000000000"]) |
| model | Equals, NotEquals, StartsWith, NotStartsWith, EndsWith, NotEndsWith, Contains, NotContains, In, NotIn | Any string | (device.model -notContains "Surface") |
| operatingSystem | Equals, NotEquals, StartsWith, NotStartsWith, EndsWith, NotEndsWith, Contains, NotContains, In, NotIn | A valid operating system (like Windows, iOS, or Android) | (device.operatingSystem -eq "Windows") |
| operatingSystemVersion | Equals, NotEquals, StartsWith, NotStartsWith, EndsWith, NotEndsWith, Contains, NotContains, In, NotIn | A valid operating system version (like 6.1 for Windows 7, 6.2 for Windows 8, or 10.0 for Windows 10 and Windows 11) | (device.operatingSystemVersion -in ["10.0.18363", "10.0.19041", "10.0.19042", "10.0.22000"]) |
| physicalIds | Contains, NotContains | As an example, all Windows Autopilot devices store ZTDId (a unique value assigned to all imported Windows Autopilot devices) in the device physicalIds property. | (device.devicePhysicalIDs -contains "[ZTDId]:value") |
| profileType | Equals, NotEquals | A valid profile type set for a device. Supported values are: RegisteredDevice (default), SecureVM (used for Windows VMs in Azure enabled with Azure AD sign-in), Printer (used for printers), Shared (used for shared devices), IoT (used for IoT devices) | (device.profileType -notIn ["Printer", "Shared", "IoT"]) |
| systemLabels | Contains, NotContains | List of labels applied to the device by the system. Some of the supported values are: AzureResource (used for Windows VMs in Azure enabled with Azure AD sign-in), M365Managed (used for devices managed using Microsoft Managed Desktop), MultiUser (used for shared devices) | (device.systemLabels -contains "M365Managed") |
| trustType | Equals, NotEquals | A valid registered state for devices. Supported values are: AzureAD (used for Azure AD joined devices), ServerAD (used for Hybrid Azure AD joined devices), Workplace (used for Azure AD registered devices) | (device.trustType -notIn 'ServerAD, Workplace') |
| extensionAttribute1-15 | Equals, NotEquals, StartsWith, NotStartsWith, EndsWith, NotEndsWith, Contains, NotContains, In, NotIn | extensionAttribute1 through 15 are attributes that customers can use on device objects. Customers can update any of them with custom values and use them in the filter for devices condition in Conditional Access. Any string value can be used. | (device.extensionAttribute1 -eq 'SAW') |
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-condition-filters-for-devices#supported-operators-and-device-properties-for-filters

Device Filtering can be used for several different scenarios, such as:

  • Target specific policies to Privileged Access Workstation (PAW) devices
  • Exclude devices like Teams phones or Surface Hub devices from CA policies
  • Block specific devices from accessing Azure AD resources when running an unsupported operating system

Configure Conditional Access Policy

Let's configure the Conditional Access policy that solves the customer's issue: we simply need to block access from all mobile devices using mobile apps against Azure AD resources.
Note that the devices will still be allowed to reach Azure AD resources through browser sessions.

Cloud Apps
Include: All Cloud Apps
Exclude: Microsoft Intune Enrollment
Exclude: Microsoft Intune

Conditions
Device Platforms:
Include: Android
Include: iOS
Include: Windows Phone
Filter for Devices:
Devices matching the rule: Exclude filtered devices from policy
device.mdmAppId -eq "0000000a-0000-0000-c000-000000000000" -or device.mdmAppId -eq "00000002-0000-0000-c000-000000000000"

Client Apps
Include: Mobile apps and desktop clients

Access Controls
Block Access

Summary

This Conditional Access policy will block all mobile devices running Android/iOS/Windows Phone that aren't MDM enrolled in Intune from accessing Azure AD resources through mobile apps, while still allowing access through browser sessions.
It is of course important that the organization has separate Conditional Access policies in place to secure browser sessions and device registration as well.

Please note that if a device has been enrolled in Intune in the past, it might still have the mdmAppId attribute populated and will then not be hit by this Conditional Access policy.
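As an added example (not code from the original post or from Microsoft), the policy configured above expressed in the shape of the Microsoft Graph conditionalAccessPolicy resource, plus a small offline evaluator that shows which constructed sign-ins it blocks, including the stale-mdmAppId case from the note above. The Intune Enrollment app ID and pilot group are placeholders, and evaluate() is a simplified stand-in for the real Conditional Access engine, not Microsoft's logic.

```python
# Added example: offline model of the post's policy. Not the original post's code.
INTUNE_APP_ID = "0000000a-0000-0000-c000-000000000000"        # mdmAppId from the post
INTUNE_MDM_APP_ID_2 = "00000002-0000-0000-c000-000000000000"  # mdmAppId from the post
INTUNE_ENROLLMENT_APP_ID = "<intune-enrollment-app-id>"       # placeholder, not on the page
MDM_APP_IDS = {INTUNE_APP_ID, INTUNE_MDM_APP_ID_2}
FILTER_RULE = (f'device.mdmAppId -eq "{INTUNE_APP_ID}" -or '
               f'device.mdmAppId -eq "{INTUNE_MDM_APP_ID_2}"')
POLICY = {
    "displayName": "Block non-Intune-enrolled mobile devices (mobile apps)",
    "state": "enabledForReportingButNotEnforced",  # start in report-only mode
    "conditions": {
        "applications": {"includeApplications": ["All"],
                         "excludeApplications": [INTUNE_ENROLLMENT_APP_ID, INTUNE_APP_ID]},
        "users": {"includeGroups": ["<pilot-group-object-id>"]},  # placeholder
        "platforms": {"includePlatforms": ["android", "iOS", "windowsPhone"]},
        "clientAppTypes": ["mobileAppsAndDesktopClients"],
        "devices": {"deviceFilter": {"mode": "exclude", "rule": FILTER_RULE}},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

def device_matches_filter(device):
    """The post's rule: True when mdmAppId is an Intune ID. An unregistered
    device (None) never matches, so in exclude mode it stays in scope."""
    return device is not None and device.get("mdmAppId") in MDM_APP_IDS

def evaluate(app, platform, client_app_type, device):
    """Return 'block' or 'allow' for a sign-in under POLICY (simplified engine)."""
    cond = POLICY["conditions"]
    if app in cond["applications"]["excludeApplications"]:
        return "allow"  # enrollment traffic must stay reachable
    if platform not in cond["platforms"]["includePlatforms"]:
        return "allow"
    if client_app_type not in cond["clientAppTypes"]:
        return "allow"  # browser sessions are out of scope for this policy
    if device_matches_filter(device):
        return "allow"  # exclude mode: matching devices skip the policy
    return "block"

# Constructed sign-ins (sample data, not real tenant records)
MOBILE = "mobileAppsAndDesktopClients"
SAMPLES = {
    "enrolled_android":     ("Exchange Online", "android", MOBILE, {"mdmAppId": INTUNE_APP_ID}),
    "unregistered_ios":     ("Exchange Online", "iOS", MOBILE, None),
    "stale_mdmappid":       ("Exchange Online", "iOS", MOBILE, {"mdmAppId": INTUNE_APP_ID, "isCompliant": False}),
    "unregistered_browser": ("Exchange Online", "iOS", "browser", None),
    "enrollment_flow":      (INTUNE_ENROLLMENT_APP_ID, "android", MOBILE, None),
}
RESULTS = {name: evaluate(*s) for name, s in SAMPLES.items()}
```

The stale_mdmappid sample is allowed even though it is non-compliant, which is exactly why a separate compliance-based policy is still needed once compliance policies exist.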

Kudos to Tom Aafloen and Joakim Högström for contributing to the idea of filtering on the mdmAppId attribute.
