Target users and exclude devices by using Filters in Azure Active Directory Conditional Access
One of the most frequent questions I get about targeting Conditional Access policies is whether we can mix and match user and device groups. This is a tempting ask because when you create a Conditional Access policy, you have the option of targeting specific groups:
The problem is – Conditional Access can’t target device groups! Even if you can select a security group with devices in it, Conditional Access won’t act on it. Conditional Access is only meant to be used with user groups.
Now for the good news – we can now get around this blocker by using Filters. Filters let you combine user group targeting with device characteristics to filter out unwanted devices. For example – targeting a group of users but excluding personal devices. The perfect feature for our Conditional Access scenario. Let’s test it out!
Go to portal.azure.com > Azure Active Directory > Security > Conditional Access > + New Policy
Here we can define our policy as per usual. For this test, I’ll require MFA for accessing Office on personal devices. To do this, we start by targeting selected users:
Then under Cloud apps, I’ll select Office 365:
And finally under Conditions, we see Filters for devices (Preview) listed. I’ll click on that and set Configure to Yes. Then for the rule, I’ll select DeviceOwnership Equals Personal:
For this scenario, we’ll want to leave “Devices matching the rule” set to Include filtered devices in policy. This way, the policy applies to the users we target only when they are on their personal devices, which is where we want to require MFA. For the final step, under Grant I’ll select Require multi-factor authentication:
And under Enable policy I’ll select On, and then it is successfully enabled!
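The same policy can be created through the Microsoft Graph PowerShell SDK, which makes the filter rule and its include mode explicit and reviewable. This is an added example, not part of the original post: the group ID is a placeholder, the display name is an assumption, and the policy is created in report-only state so it can be checked in the sign-in logs before switching it to `enabled`.

```powershell
# Added example (not the author's code): scripted equivalent of the portal steps.
# Requires the Microsoft.Graph.Identity.SignIns module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholder: object ID of the USER group to target.
# A group that only contains devices has no effect here.
$targetGroupId = '00000000-0000-0000-0000-000000000000'

$body = @{
    displayName = 'Require MFA - Office 365 - personal devices'   # assumed name
    # Report-only first; the post sets the policy to On, which is 'enabled'.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeGroups = @($targetGroupId) }
        applications = @{ includeApplications = @('Office365') }
        devices      = @{
            deviceFilter = @{
                # 'include' = "Include filtered devices in policy"
                mode = 'include'
                rule = 'device.deviceOwnership -eq "Personal"'
            }
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $body

# Read the policy back and confirm the filter was stored as intended.
# A mode of 'exclude' would invert the policy and skip MFA on personal devices.
$stored = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id
$filter = $stored.Conditions.Devices.DeviceFilter

if ($filter.Mode -ne 'include' -or $filter.Rule -ne $body.conditions.devices.deviceFilter.rule) {
    throw "Device filter mismatch on policy $($stored.Id): mode='$($filter.Mode)' rule='$($filter.Rule)'"
}

[pscustomobject]@{
    Id    = $stored.Id
    State = $stored.State
    Mode  = $filter.Mode
    Rule  = $filter.Rule
}
```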
With the policy in place, I’ll try to access Exchange Online using the Outlook app on my personal iPad. In Microsoft Endpoint Manager we see the device listed as Personal:
I’ll try to log in to Outlook with my targeted user:
I’ll be redirected to Authenticator (the authentication broker for iOS/iPadOS), and after I put in my password AAD will prompt for More information:
And if I click Next, we see that Conditional Access is requiring MFA:
We can also double check this by going to the Azure AD Sign-in logs and reviewing the user sign-in activity details. In this case, it will show under Conditional Access that the Require MFA grant control failed:
Fantastic! This policy is working as intended, requiring only personal devices to perform MFA.
Filters have lots of benefits, including evaluating significantly faster than dynamic groups, so be sure to take some time to test out filters in your own environment and see how they can help provide a great deployment experience.
One quick note – Filters also exist in the MEM/Intune portal but they are different from the ones in the Azure AD portal. For instance – the Filters in the MEM portal don’t support Conditional Access. Likewise, the filters you create in a CA policy won’t replicate back to Intune to be used for a Compliance Policy. They even seem to have different supported operators (Azure AD supported operators vs MEM properties). I’ll be doing a follow-up post on using the Intune Filters too – so if you have any questions on the differences, be sure to ask!
Happy filtering! 🛸