

Using filters for devices as condition in Conditional Access policies
source link: https://www.petervanderwoude.nl/post/using-filters-for-devices-as-condition-in-conditional-access-policies/?shared=email&msg=fail
This week is also all about filters. Last week was about filters for assigning apps, policies and profiles to specific devices in Microsoft Intune and this week is about filters for devices as a condition in Conditional Access policies. Filters for devices are a nice addition to Conditional Access policies to only target specific devices. A great option for addressing specific scenarios. This post starts with a short introduction about filters for devices, followed with the steps for configuring a filter within a Conditional Access policy. This post ends with the administrator experience.
Important: At the moment of writing, filters for devices are still in public preview. For Azure AD features that means that the feature is provided without a service level agreement, and that the usage of the feature is not recommended for production environments.
Introducing filters for devices
Filters for devices are a great method for filtering devices based on Azure AD device properties. Within a Conditional Access policy it was already possible to filter devices from the policy by using the device state. Filters for devices are basically a much larger superset of that capability. By using filters for devices it’s possible to filter devices not only on the device state, but also on 10+ other device properties. Those device properties enable the IT administrator to specifically include, or exclude, devices based on the value of those properties. The different device properties that can be used in filters for devices are listed below, as device property (property name, value type): description.
- Device identifier (deviceId, String): The unique identifier set at time of registration
- Display name (displayName, String): The display name of the device
- Manufacturer (manufacturer, String): The manufacturer of the device
- MDM application identifier (mdmAppId, String): The application identifier used to register the device
- Model (model, String): The model of the device
- Operating system (operatingSystem, String): The type of the operating system on the device
- Operating system version (operatingSystemVersion, String): The version of the operating system on the device
- Physical identifiers (physicalIds, String): Used to store the unique value assigned to imported Windows Autopilot devices
- Profile type (profileType, Selectable): The profile type set for the device
- System labels (systemLabels, Selectable): The list of system labels applied to the device
- Trust type (trustType, Selectable): The registered state of the device
- Extension attribute (extensionAttribute1-15, String): The optional configured extension attributes (1-15)
Note: For the correct string values of the different device properties, simply verify the properties of the device resource type by using the Graph Explorer (or by using PowerShell).
Configuring and using filters for devices
Filters for devices are not reusable; they are configured and used per Conditional Access policy. That doesn’t matter too much, as filters for devices are really meant for special configurations: exceptions. When configuring and using filters for devices, it’s important to keep in mind that those filters are based on Azure AD device properties. That means that when a device is not registered or joined in Azure AD, positive operators on the different properties cannot match, because that information is simply not available. Most of that behavior makes a lot of sense, but make sure to be familiar with the documented behavior.
Using filters for devices enables IT administrators to differentiate the Conditional Access behavior based on the Azure AD device properties. That means differentiating the behavior based on the trust type of the device (which was already possible via the device state), or on more advanced properties like the manufacturer of the device, the model of the device, the platform of the device, or even extension attributes of the device. Either because some devices, like Surface Hub devices, need a different treatment, or because some devices are not supported (anymore) within the organization (or are even prohibited). The following five steps walk through the creation of such a Conditional Access policy, with the focus on the filters for devices.
Note: The steps below show the creation of a Conditional Access policy for all users and all cloud apps with a filter for iPhone 8 devices. Those devices can be filtered by using the Model device property.
Important: Filters for devices cannot be used together with the device state condition. That makes perfect sense, as filters for devices provide the same functionality and a lot more.
- Open the Microsoft Endpoint Manager admin center portal and navigate to Endpoint security > Conditional Access, or open the Azure portal and navigate to Azure Active Directory > Security > Conditional Access
- On the Conditional Access | Policies blade, click New policy
- On the Assignments section, configure the following for the different assignments sections
- Users and groups: Select All users as the users that should be assigned with this policy
- Cloud apps or actions: Select Cloud apps > All cloud apps as the apps that should be assigned with this policy
- Conditions: Select Filters for devices and switch the slider Configure > Yes to enable this condition for this policy
- On the Filters for devices page, as shown below in Figure 1, select Devices matching the rule > Include filtered devices in policy, configure the following expression and click Done
- Expression 1 – This expression is used to filter devices based on the model
- And/Or: Not applicable
- Property: Select Model as value
- Operator: Select Equals as value
- Value: Specify iPhone 8 as value
- Figure 1: Overview of creating rules for device filters
- On the Access controls section, configure the following for the grant control
- Grant: Select Block access to block access for iPhone 8 devices to all cloud apps
- Session: Not applicable for this configuration
- Select Enable policy > On to enable the policy
Experiencing filters for devices
The best method to look at the results of filters for devices with Conditional Access policies is by looking at Azure Active Directory > Monitoring > Sign-ins. That provides the information about the Conditional Access policies that are applied during the sign-in of the user. At this moment the information about a match is still logged under the Device state condition, as shown below in Figure 2. So, at this moment, that doesn’t provide the information about the exact properties that were matched.
- Figure 2: Overview of a filter for devices evaluation
Also, when testing filters for devices, keep the explained behavior in mind. The provided configuration is extra interesting with that behavior in mind. Positive operators (like equals) in filters for devices won’t apply to the different Azure AD device properties when it’s an unregistered device. So, in the provided configuration, a user would still be able to enroll an iPhone 8 device, because before the enrollment the device is not registered in Azure AD and the configured filter does not apply. That, however, doesn’t mean that an iPhone 8 device can be used to access company resources. After the enrollment, the device is registered in Azure AD and the configured filter applies to every attempt to access company resources.
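To make the five configuration steps and the enrollment caveat above concrete, here is an added Python example (not code from the original post): it builds the Graph API body for the policy from the steps, using the rule `device.model -eq "iPhone 8"` as the Graph representation of the Model / Equals / iPhone 8 expression, and evaluates that rule locally against constructed device records. The Graph body shape and the behaviour of the not-equals operator for unregistered devices are assumptions based on the Azure AD documentation as I know it, not taken from this post.

```python
import re

# Constructed Azure AD device records for illustration (not real tenant data).
# None models an unregistered device: Azure AD holds no properties to evaluate.
REGISTERED_IPHONE8 = {"model": "iPhone 8", "operatingSystem": "iOS", "trustType": "Workplace"}
REGISTERED_IPHONE12 = {"model": "iPhone 12", "operatingSystem": "iOS", "trustType": "Workplace"}
UNREGISTERED = None

# Single-clause rule in the filter-for-devices syntax, e.g. device.model -eq "iPhone 8"
RULE = re.compile(r'^device\.(\w+) -(eq|ne) "([^"]*)"$')


def build_block_policy(model):
    """Graph API body (assumed shape) for the policy from the steps: all users,
    all cloud apps, include devices matching the model filter, grant = block."""
    return {
        "displayName": f"Block {model} devices",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "devices": {
                "deviceFilter": {"mode": "include", "rule": f'device.model -eq "{model}"'}
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def filter_matches(rule, device):
    """Evaluate one equals/not-equals clause against a device record.
    A positive operator (-eq) cannot match an unregistered device because the
    property value is unknown; a negative operator (-ne) evaluating true for it
    is the documented Azure AD behaviour, assumed here rather than from the post."""
    m = RULE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule: {rule}")
    prop, op, value = m.groups()
    if device is None:
        return op == "ne"
    actual = device.get(prop)
    return actual == value if op == "eq" else actual != value


def policy_blocks(policy, device):
    """True when the filter puts the device in scope and the grant control is block."""
    dev_filter = policy["conditions"]["devices"]["deviceFilter"]
    matched = filter_matches(dev_filter["rule"], device)
    in_scope = matched if dev_filter["mode"] == "include" else not matched
    return in_scope and "block" in policy["grantControls"]["builtInControls"]
```

Running `policy_blocks(build_block_policy("iPhone 8"), UNREGISTERED)` returns False, which is exactly why the user can still enroll the iPhone 8 before the filter starts blocking it.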
More information
For more information about using filters for devices with Conditional Access policies, refer to the following docs.