Last week a customer needed to make sure that all mobile devices that weren’t MDM enrolled in Intune are blocked from accessing Azure AD resources through mobile apps.
The reason was to start forcing specific users to MDM enroll their devices, without yet having compliance policies in place within Intune.
To achieve this, we will use a Conditional Access policy with the new Device Filtering condition.
About Device Filtering within Conditional Access
A couple of days ago, Microsoft released the Device Filtering condition to general availability. It lets us target or exclude specific devices from a Conditional Access policy.
Currently, only a subset of device attributes can be used to filter devices within Conditional Access:
| Supported device attributes | Supported operators | Supported values | Example |
|---|---|---|---|
| deviceId | Equals, NotEquals, In, NotIn | A valid deviceId that is a GUID | `(device.deviceid -eq "498c4de7-1aee-4ded-8d5d-000000000000")` |
| displayName | Equals, NotEquals, StartsWith, NotStartsWith, EndsWith, NotEndsWith, Contains, NotContains, In, NotIn | Any string | `(device.displayName -contains "ABC")` |
| deviceOwnership | Equals, NotEquals | "Personal" for bring-your-own devices, "Company" for corporate-owned devices | `(device.deviceOwnership -eq "Company")` |
| isCompliant | Equals, NotEquals | "True" for compliant devices, "False" for non-compliant devices | `(device.isCompliant -eq "True")` |
| manufacturer | Equals, NotEquals, StartsWith, NotStartsWith, EndsWith, NotEndsWith, Contains, NotContains, In, NotIn | Any string | `(device.manufacturer -startsWith "Microsoft")` |
| mdmAppId | Equals, NotEquals, In, NotIn | A valid MDM application ID | `(device.mdmAppId -in ["0000000a-0000-0000-c000-000000000000"])` |
| model | Equals, NotEquals, StartsWith, NotStartsWith, EndsWith, NotEndsWith, Contains, NotContains, In, NotIn | Any string | `(device.model -notContains "Surface")` |
| operatingSystem | | A valid operating system (like Windows, iOS, or Android) | `(device.operatingSystem -eq "Windows")` |
| operatingSystemVersion | | A valid operating system version (like 6.1 for Windows 7, 6.2 for Windows 8, or 10.0 for Windows 10 and Windows 11) | `(device.operatingSystemVersion -in ["10.0.18363", "10.0.19041", "10.0.19042", "10.0.22000"])` |
| physicalIds | Contains, NotContains | As an example, all Windows Autopilot devices store ZTDId (a unique value assigned to all imported Windows Autopilot devices) in the device physicalIds property | `(device.devicePhysicalIDs -contains "[ZTDId]:value")` |
| profileType | Equals, NotEquals | A valid profile type set for a device. Supported values: RegisteredDevice (default), SecureVM (Windows VMs in Azure enabled with Azure AD sign-in), Printer (printers), Shared (shared devices), IoT (IoT devices) | `(device.profileType -notIn ["Printer", "Shared", "IoT"])` |
| systemLabels | Contains, NotContains | List of labels applied to the device by the system. Some supported values: AzureResource (Windows VMs in Azure enabled with Azure AD sign-in), M365Managed (devices managed by Microsoft Managed Desktop), MultiUser (shared devices) | `(device.systemLabels -contains "M365Managed")` |
| trustType | Equals, NotEquals | A valid registered state for devices. Supported values: AzureAD (Azure AD joined), ServerAD (Hybrid Azure AD joined), Workplace (Azure AD registered) | `(device.trustType -notIn ['ServerAD', 'Workplace'])` |
| extensionAttribute1-15 | | extensionAttributes 1 through 15 are attributes customers can set on device objects with custom values and then use in the filter for devices condition. Any string value can be used. | `(device.extensionAttribute1 -eq 'SAW')` |
Device Filtering can be used for several different scenarios, such as:
- Target specific policies to Privileged Access Workstation (PAW) devices
- Exclude devices like Teams phones or Surface Hub devices from CA policies
- Block specific devices from accessing Azure AD resources when running an unsupported operating system
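The rule syntax in the table above is easier to reason about when you can run it against device objects offline. The following Python is an added example written for this post (not Microsoft's or the author's code): a small parser and evaluator for the subset of the filter language shown in the table, plus a helper that applies the "Devices matching the rule" include/exclude setting. The sample devices are constructed, and two behaviours are assumptions of the example rather than documented facts: matching is case-insensitive, and a negative operator on an attribute the device does not have evaluates to true. Confirm the real behaviour in report-only mode.

```python
"""Offline evaluator for Conditional Access 'filter for devices' rules.

Added example, not Microsoft code. Covers device.<attribute> with the -eq/-ne,
-in/-notIn, -contains/-notContains, -startsWith/-notStartsWith and
-endsWith/-notEndsWith operators from the table, joined by -and/-or with
parentheses. Assumptions: matching is case-insensitive, and a negative operator
on an attribute the device lacks is the complement of the positive one (True).
"""
import re

# Quoted literals keep their quotes; commas and whitespace are skipped.
_TOKEN = re.compile(r'''"[^"]*"|'[^']*'|[()\[\]]|[^\s()\[\],]+''')
_NEGATIVE = {"-ne": "-eq", "-notin": "-in", "-notcontains": "-contains",
             "-notstartswith": "-startswith", "-notendswith": "-endswith"}
_POSITIVE = {"-eq": lambda a, w: a == w, "-in": lambda a, w: a == w,
             "-contains": lambda a, w: w in a,  # substring, or element of a list attribute
             "-startswith": lambda a, w: a.startswith(w),
             "-endswith": lambda a, w: a.endswith(w)}


class RuleError(ValueError):
    """Raised for rules this evaluator cannot parse."""


def compare(op, actual, wanted):
    """Apply one operator to a device attribute (str, list of str, or None if absent)."""
    if op in _NEGATIVE:
        return not compare(_NEGATIVE[op], actual, wanted)
    if op not in _POSITIVE:
        raise RuleError(f"unsupported operator {op}")
    values = [] if actual is None else (actual if isinstance(actual, list) else [actual])
    return any(_POSITIVE[op](str(a).lower(), w.lower()) for a in values for w in wanted)


class _Parser:
    """Recursive descent that evaluates while parsing: expr := term (-or term)*,
    term := factor (-and factor)*, factor := '(' expr ')' | device.attr OP value."""

    def __init__(self, rule, device):
        self.toks, self.pos = _TOKEN.findall(rule), 0
        self.device = {k.lower(): v for k, v in device.items()}  # names are case-insensitive

    def peek(self):
        return self.toks[self.pos].lower() if self.pos < len(self.toks) else None

    def take(self, expected=None):
        tok = self.toks[self.pos] if self.pos < len(self.toks) else None
        if tok is None or (expected and tok != expected):
            raise RuleError(f"expected {expected or 'more input'}, got {tok!r}")
        self.pos += 1
        return tok

    def string(self):  # quoted literal, quotes stripped
        tok = self.take()
        if len(tok) < 2 or tok[0] not in "\"'" or tok[-1] != tok[0]:
            raise RuleError(f"expected quoted string, got {tok!r}")
        return tok[1:-1]

    def expr(self):
        result = self.term()
        while self.peek() == "-or":
            self.take()
            result = self.term() or result  # always parse the right-hand side
        return result

    def term(self):
        result = self.factor()
        while self.peek() == "-and":
            self.take()
            result = self.factor() and result
        return result

    def factor(self):
        if self.peek() == "(":
            self.take("(")
            result = self.expr()
            self.take(")")
            return result
        attr, op = self.take().lower(), self.take().lower()
        if not attr.startswith("device.") or not op.startswith("-"):
            raise RuleError(f"expected device.<attribute> <operator>, got {attr!r} {op!r}")
        if self.peek() == "[":  # list literal, e.g. for -in / -notIn
            self.take("[")
            wanted = []
            while self.peek() != "]":
                wanted.append(self.string())
            self.take("]")
        else:
            wanted = [self.string()]
        return compare(op, self.device.get(attr[7:]), wanted)  # strip "device."


def evaluate(rule, device):
    """True when the device's attributes satisfy the rule."""
    parser = _Parser(rule, device)
    result = parser.expr()
    if parser.peek() is not None:
        raise RuleError(f"unexpected trailing token {parser.take()!r}")
    return result


def in_policy_scope(rule, mode, device):
    """Portal setting 'Devices matching the rule': 'exclude' drops matching
    devices from the policy, 'include' limits the policy to them."""
    matched = evaluate(rule, device)
    return not matched if mode == "exclude" else matched


# Constructed sample devices, not real tenant data. A device enrolled in the past
# that still carries mdmAppId would behave like "enrolled-iphone".
ENROLLED_RULE = ('device.mdmAppId -in ["0000000a-0000-0000-c000-000000000000", '
                 '"00000002-0000-0000-c000-000000000000"]')
SAMPLE_DEVICES = {
    "enrolled-iphone": {"operatingSystem": "iOS", "mdmAppId": "0000000a-0000-0000-c000-000000000000"},
    "byod-android": {"operatingSystem": "Android", "deviceOwnership": "Personal"},
    "never-registered": {},
}
```

Calling `in_policy_scope(ENROLLED_RULE, "exclude", device)` for each sample shows that only devices without a populated mdmAppId end up inside an exclude-mode policy, which is the property the rest of this post relies on.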
Configure Conditional Access Policy
Let’s configure the Conditional Access policy that solves the customer’s issue: block access from all mobile devices using mobile apps against Azure AD resources.
Please note that the devices will still be allowed to reach Azure AD resources through browser sessions.
Cloud apps or actions:
- Include: All cloud apps
- Exclude: Microsoft Intune Enrollment
- Exclude: Microsoft Intune
Device platforms:
- Include: Windows Phone
Filter for devices:
- Devices matching the rule: Exclude filtered devices from policy
- Rule: `device.mdmAppId -eq "0000000a-0000-0000-c000-000000000000" -or device.mdmAppId -eq "00000002-0000-0000-c000-000000000000"`
Client apps:
- Include: Mobile apps and desktop clients
This Conditional Access policy will block all mobile devices running Android, iOS or Windows Phone that aren’t MDM enrolled in Intune from accessing Azure AD resources, while still allowing access through browser sessions.
It is of course important that the organization also has separate Conditional Access policies securing browser sessions and device registration.
Please note that if a device has been enrolled in Intune in the past, it might still have the mdmAppId attribute populated and will then not be hit by this Conditional Access policy.
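The same policy expressed as a Microsoft Graph request body, as an added example that is not part of the original post and not Microsoft's own code. It assumes the Graph v1.0 `conditionalAccessPolicy` schema, uses a placeholder for the Microsoft Intune Enrollment application ID (look it up in your tenant), scopes the policy to a pilot group whose object ID you pass in, includes the Android, iOS and Windows Phone platforms the post names, and creates the policy in report-only mode first so the sign-in logs show which devices would have been blocked before anything is enforced.

```python
"""Build the post's Conditional Access policy as a Microsoft Graph request body.

Added example, not the post's own or Microsoft's code. Assumes the Graph v1.0
conditionalAccessPolicy resource shape; the Intune Enrollment app ID is a
placeholder to be looked up in your tenant.
"""
import json
import urllib.request

INTUNE_APP_ID = "0000000a-0000-0000-c000-000000000000"        # from the post's rule
SECOND_MDM_APP_ID = "00000002-0000-0000-c000-000000000000"    # from the post's rule
INTUNE_ENROLLMENT_APP_ID = "<intune-enrollment-app-id>"       # placeholder: look up in tenant
GRAPH_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def mdm_enrolled_rule(app_ids):
    """Filter rule matching devices whose mdmAppId is one of the given IDs."""
    quoted = ", ".join(f'"{app_id}"' for app_id in app_ids)
    return f"device.mdmAppId -in [{quoted}]"


def build_policy(pilot_group_id, report_only=True, platforms=("android", "iOS", "windowsPhone")):
    """Block mobile/desktop client access from the mobile platforms unless the
    device is excluded by the mdmAppId filter (mirrors the portal settings above)."""
    return {
        "displayName": "Block non-MDM-enrolled mobile devices (mobile apps)",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeGroups": [pilot_group_id]},
            "applications": {
                "includeApplications": ["All"],
                "excludeApplications": [INTUNE_ENROLLMENT_APP_ID, INTUNE_APP_ID],
            },
            "platforms": {"includePlatforms": list(platforms)},
            "clientAppTypes": ["mobileAppsAndDesktopClients"],
            "devices": {
                "deviceFilter": {
                    "mode": "exclude",  # "Exclude filtered devices from policy"
                    "rule": mdm_enrolled_rule([INTUNE_APP_ID, SECOND_MDM_APP_ID]),
                }
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def create_policy(access_token, policy):
    """POST the policy with a Graph token granted Policy.ReadWrite.ConditionalAccess
    and Application.Read.All. Returns the created policy. Not run by the example itself."""
    req = urllib.request.Request(
        GRAPH_POLICIES, data=json.dumps(policy).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Print the body for review; pass it to create_policy() with a real token to create it.
    print(json.dumps(build_policy("<pilot-group-object-id>"), indent=2))
```

Leaving the policy in report-only mode for a while and reviewing the Conditional Access report-only results in the sign-in logs is the practical check for the caveat above: a previously enrolled device that still carries an mdmAppId shows up as excluded rather than blocked, and can be cleaned up before enforcement.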
Kudos to Tom Aafloen and Joakim Högström for contributing to the idea of filtering on the mdmAppId attribute.