unable to exclude device group from conditional access policy Microsoft Entra ID

Prashant Mishra 21 Reputation points
2024-12-14T11:23:03.04+00:00

Hi Team,

I have created a Conditional Access policy targeted at all users, but excluded some devices using groups.

I have also added a custom extension attribute on the Azure AD registered device and excluded it using a device filter, but that doesn't work either.


Is there any way to exclude only selected Azure AD registered devices from the CA policy? These devices don't exist in the Intune portal.



2 answers
  1. Marcin Policht 29,960 Reputation points MVP
    2024-12-14T12:39:19.7266667+00:00

    Yes, but you have to use the approach described at https://zcusa.951200.xyz/en-us/entra/identity/conditional-access/concept-condition-filters-for-devices in the Common scenarios section.

    This is because (as explained there) "Microsoft Entra ID uses device authentication to evaluate device filter rules. For a device that is unregistered with Microsoft Entra ID, all device properties are considered as null values and the device attributes cannot be determined since the device does not exist in the directory. The best way to target policies for unregistered devices is by using the negative operator since the configured filter rule would apply. If you were to use a positive operator, the filter rule would only apply when a device exists in the directory and the configured rule matches the attribute on the device."


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin


  2. Raja Pothuraju 10,040 Reputation points Microsoft Vendor
    2024-12-17T03:35:21.6366667+00:00

    Hello @Prashant Mishra,

    Thank you for posting your query on Microsoft Q&A.

    Based on the attached screenshots, it appears you are attempting to exclude Azure AD-registered devices from a Conditional Access (CA) policy using the extensionAttribute1 property with the value PK-Lab-Device.

    Even though you have added the extensionAttribute1 property to the exclusion list in the CA policy, it seems the policy is not excluding the device as expected. Please note that when using extensionAttributes, there is a limitation: the devices must be managed by Microsoft Intune for the CA policy to evaluate and exclude them correctly.


    For more details, refer to the document: Supported operators and device properties for filters

    If the devices are not managed by Intune, you can consider the following workarounds:

    - Use other supported device attributes, such as device.trustType: `device.trustType -eq "Workplace"`
    - If you need to target specific devices, filter on their deviceId: `device.deviceid -eq "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb"`

    If the devices are managed by Intune and the issue persists, let me know, and we can investigate further by verifying the logs offline.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks,
    Raja Pothuraju.
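Both answers hinge on how a "filter for devices" rule is evaluated: the null-property behaviour for devices that are not in the directory (first answer), and the trustType / deviceId exclusion rules offered as workarounds (second answer). The following is an added, offline model written for this page; it is not Microsoft code and does not call Entra ID. It parses a subset of the documented rule syntax (`device.<property> <operator> <value>`, `-and`, `-or`, parentheses) and evaluates it against constructed device records. An unregistered device is modelled as a record whose every property is None, following the doc text quoted above: positive operators never match a null property, negative operators always do. Exact string matching and the property names used are assumptions of this model, not a statement about the service's internals.

```python
"""Offline model of Conditional Access 'filter for devices' evaluation (constructed example)."""
import re

# Operator families as documented; lowercase so rule text can use either casing.
POSITIVE = {"-eq", "-startswith", "-contains", "-in"}
NEGATIVE = {"-ne", "-notstartswith", "-notcontains", "-notin"}

# Tokens: "(" ")" quoted string, ["a","b"] list, -operator, device.property, True/False
_TOKEN = re.compile(r'\s*(?:(\()|(\))|("[^"]*")|(\[[^\]]*\])|(-\w+)|(device\.\w+)|(True|False))')


def tokenize(rule):
    """Split a rule string into tokens; raises on anything outside the modelled syntax."""
    rule, pos, tokens = rule.strip(), 0, []
    while pos < len(rule):
        m = _TOKEN.match(rule, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}: {rule[pos:pos + 10]!r}")
        tokens.append(m.group(0).strip())
        pos = m.end()
    return tokens


def _parse_or(tokens, i):
    left, i = _parse_and(tokens, i)
    while i < len(tokens) and tokens[i].lower() == "-or":
        right, i = _parse_and(tokens, i + 1)
        left = ("or", left, right)
    return left, i


def _parse_and(tokens, i):
    left, i = _parse_atom(tokens, i)
    while i < len(tokens) and tokens[i].lower() == "-and":
        right, i = _parse_atom(tokens, i + 1)
        left = ("and", left, right)
    return left, i


def _parse_atom(tokens, i):
    """One comparison 'device.prop -op value', or a parenthesised sub-expression."""
    if tokens[i] == "(":
        node, i = _parse_or(tokens, i + 1)
        if i >= len(tokens) or tokens[i] != ")":
            raise ValueError("missing ')'")
        return node, i + 1
    if i + 2 >= len(tokens):
        raise ValueError("incomplete comparison")
    prop, op, val = tokens[i], tokens[i + 1].lower(), tokens[i + 2]
    if not prop.startswith("device."):
        raise ValueError(f"expected device.<property>, got {prop!r}")
    if op not in POSITIVE | NEGATIVE:
        raise ValueError(f"unsupported operator {op!r}")
    if val.startswith("["):
        value = [v.strip().strip('"') for v in val[1:-1].split(",") if v.strip()]
    elif val in ("True", "False"):
        value = val == "True"
    else:
        value = val.strip('"')
    return ("cmp", prop[len("device."):], op, value), i + 3


def _compare(actual, op, expected):
    """Compare one property. None (device unregistered, or attribute unset) follows the
    documented null rule: positive operators never match, negative operators always match."""
    if actual is None:
        return op in NEGATIVE
    if op in ("-eq", "-ne"):
        hit = actual == expected
    elif op in ("-startswith", "-notstartswith"):
        hit = str(actual).startswith(expected)
    elif op in ("-contains", "-notcontains"):
        hit = expected in str(actual)
    else:  # -in / -notin
        hit = actual in expected
    return hit if op in POSITIVE else not hit


def _eval(node, device):
    if node[0] == "and":
        return _eval(node[1], device) and _eval(node[2], device)
    if node[0] == "or":
        return _eval(node[1], device) or _eval(node[2], device)
    _, prop, op, expected = node
    return _compare(device.get(prop), op, expected)


def evaluate(rule, device):
    """True if the device filter rule matches the device record."""
    tokens = tokenize(rule)
    tree, i = _parse_or(tokens, 0)
    if i != len(tokens):
        raise ValueError(f"trailing tokens: {tokens[i:]}")
    return _eval(tree, device)


def policy_applies(device, mode, rule):
    """mode 'exclude': policy applies unless the rule matches; 'include': only if it matches."""
    matched = evaluate(rule, device)
    return (not matched) if mode == "exclude" else matched


# Constructed device records (not real directory objects).
UNREGISTERED = {}  # not in the directory: every property resolves to None
LAB_DEVICE = {"deviceId": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb", "trustType": "Workplace",
              "extensionAttribute1": "PK-Lab-Device"}
JOINED_PC = {"deviceId": "11111111-2222-3333-4444-555555555555", "trustType": "AzureAD",
             "extensionAttribute1": None}

if __name__ == "__main__":
    rules = ['device.extensionAttribute1 -eq "PK-Lab-Device"',
             'device.trustType -eq "Workplace"',
             'device.deviceId -eq "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb"',
             'device.trustType -ne "ServerAD"']
    for name, dev in (("unregistered", UNREGISTERED), ("lab", LAB_DEVICE), ("joined", JOINED_PC)):
        for r in rules:
            print(f"{name:12} exclude-rule {r!r:60} policy applies: {policy_applies(dev, 'exclude', r)}")
```

The last rule in the demo is the one to watch: an exclusion built on a negative operator (`-ne`) silently excludes every device that is not in the directory, because null always satisfies a negative operator. Exclusions meant to carve out a handful of known devices should therefore use positive operators on properties those devices actually carry, and be checked against an unregistered session before the policy leaves report-only mode.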

