Up to a few weeks ago, we needed to fully enroll devices in Microsoft Endpoint Manager #MEM (a.k.a. Intune) to be able to use device-based Conditional Access policies. Likewise, we needed to evaluate the compliance of the device, which was not the most reliable technology. The new filter for devices feature lets us evaluate these conditions based on how the device is registered, so fully enrolling devices in Intune is no longer required. As long as the device has been joined to or registered in Azure AD, we can create Conditional Access policies for it. The device registration types we can filter on are the following:
- AzureAD Joined
- Hybrid Azure AD Joined
- Azure AD registered
What is the trustType attribute? It is the registered state of a device in Azure AD. Supported values are: AzureAD (used for Azure AD joined devices), ServerAD (used for Hybrid Azure AD joined devices), and Workplace (used for Azure AD registered devices).
This is a great feature and adds a lot of value to the implementation. In my case, I currently have a customer in a highly secured industry that is evaluating Office 365 and requires limiting access to only corporate-owned Windows 10 devices, but it is not implementing Endpoint Management, nor is it interested in enrolling the devices to evaluate compliance. By synchronizing the devices using Azure AD Connect and automatically joining the devices as Hybrid Azure AD joined, we can accomplish their specific requirement.
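The scenario above, expressed as a policy definition, as an added example that is not part of the original post: the block below builds the Microsoft Graph `conditionalAccessPolicy` request body for a policy that blocks every Windows device except those whose `device.trustType` is `ServerAD` (Hybrid Azure AD joined), using a filter for devices in `exclude` mode. The body shape (`conditions.devices.deviceFilter` with `mode` and `rule`, `grantControls`) follows the Graph resource; the display name, the report-only state and the small `rule_matches`/`is_blocked` evaluator are assumptions made for this example, so that the filter semantics can be checked offline against constructed device records rather than in a tenant.

```python
"""Build a Conditional Access policy that uses a filter for devices on the
device.trustType attribute, and evaluate the filter rule against constructed
device records.

Added example, not code from the original post. The request body follows the
Microsoft Graph conditionalAccessPolicy resource; rule_matches() is a small
re-implementation of the filter rule semantics written only for this example,
covering the -eq, -ne and -in operators on a single device attribute.
"""
import json
import re

# trustType values from the post and the registration state each represents.
TRUST_TYPES = {
    "AzureAD": "Azure AD joined",
    "ServerAD": "Hybrid Azure AD joined",
    "Workplace": "Azure AD registered",
}


def build_block_policy(rule: str, mode: str = "exclude") -> dict:
    """Return a Graph conditionalAccessPolicy body that blocks Windows devices.

    With mode="exclude", devices matching `rule` are taken out of scope of the
    block, so only they keep access. Display name and state are placeholders
    chosen for this example (report-only first, then enable once reviewed).
    """
    if mode not in ("include", "exclude"):
        raise ValueError("mode must be 'include' or 'exclude'")
    return {
        "displayName": "Block access from non Hybrid Azure AD joined devices",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "platforms": {"includePlatforms": ["windows"]},
            "devices": {"deviceFilter": {"mode": mode, "rule": rule}},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


# device.<attribute> <operator> <value>, e.g. device.trustType -eq "ServerAD"
_RULE = re.compile(r'^device\.(\w+)\s+(-eq|-ne|-in)\s+(.+)$')


def rule_matches(rule: str, device: dict) -> bool:
    """Evaluate a single-attribute filter rule against one device record."""
    m = _RULE.match(rule.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    attr, op, raw = m.groups()
    actual = device.get(attr)          # None for an unregistered device
    if op == "-in":
        values = [v.strip().strip('"') for v in raw.strip("[]").split(",")]
        return actual in values
    expected = raw.strip().strip('"')
    return actual == expected if op == "-eq" else actual != expected


def is_blocked(policy: dict, device: dict) -> bool:
    """True if the policy's block control applies to this device."""
    f = policy["conditions"]["devices"]["deviceFilter"]
    matched = rule_matches(f["rule"], device)
    # include: only matching devices are in scope; exclude: everything except
    # matching devices is in scope, which also covers unregistered devices.
    in_scope = matched if f["mode"] == "include" else not matched
    return in_scope and "block" in policy["grantControls"]["builtInControls"]


if __name__ == "__main__":
    policy = build_block_policy('device.trustType -eq "ServerAD"')
    print(json.dumps(policy, indent=2))
    # Constructed device records: one per trustType plus an unregistered device.
    samples = [{"trustType": t} for t in TRUST_TYPES] + [{}]
    for d in samples:
        state = TRUST_TYPES.get(d.get("trustType"), "not registered")
        print(f"{state:24s} blocked={is_blocked(policy, d)}")
```

The `exclude` mode matters for this scenario: a device that is not registered in Azure AD has no `trustType` at all, so the rule cannot match it and the block still applies; with `include` mode the same unregistered device would fall outside the policy entirely and keep access. Review the policy in report-only state before enabling it, and remember that it cannot be combined with the Device state condition in the same policy.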
Please note that the Device state condition and filters for devices cannot be used together in the same Conditional Access policy.
Hope you like this policy as much as I do.
Until next time!