Azure AD – You can now define device filters for conditional access

As you know, with Azure AD you can configure Conditional Access policies to protect and secure access to your resources.

These policies apply to users, devices and now to service principals too.

Well, sometime you may want to have a conditional access policy to apply to specific devices but you can not create a specific group to ensure the policy only applies to this group of devices.

Good new, you can now configure filters when configuring your Conditional Access policy to ensure this applies only to specific devices.

To do do connect to your Azure AD portal ( and access the Azure Active Directory\Security\Conditional Access\Policies blade to create a new policy or edit an existing one


Then you need to configure the Conditions using the Filter for devices option

image  image

When configuring device filtering you can use quite a few device attributes (some are available for use with dynamic group but not all):

  • Device ID
  • Display Name
  • Device Ownership
  • Compliance (Is Compliant)
  • Manufacturer
  • MdmAppId
  • Model
  • OS
  • OS Version
  • Physical IDs
  • Profile Type (Registered Device, Secure VM, Printer, Shared, IoT)
  • System Labels (Azure Resource, M365 Managed, Printer Standard, Printer 3D, Printer All in One, Scanner Standard, Microsoft Print Service Connector, Multi User)
  • Trust Type (Azure AD Joined, Hybrid Azure AD Joined or Azure AD Registered)
  • Extension Attributes

Leave a Comment

Your email address will not be published. Required fields are marked *

The reCAPTCHA verification period has expired. Please reload the page.