Skip to content

Latest commit

 

History

History
53 lines (41 loc) · 2.75 KB

howto-policy-unknown-unsupported-device.md

File metadata and controls

53 lines (41 loc) · 2.75 KB
Raw
title description ms.service ms.subservice ms.topic ms.date ms.author author manager ms.reviewer
Block unsupported platforms with Conditional Access
Create a custom Conditional Access policy blocking unsupported platforms.
entra-id
conditional-access
how-to
06/27/2024
joflore
MicrosoftGuyJFlo
amycolannino
lhuangnorth

Common Conditional Access policy: Block access for unknown or unsupported device platform

Users are blocked from accessing company resources when the device type is unknown or unsupported.

The device platform condition is based on user agent strings. Conditional Access policies using it should be used with another policy, like one requiring device compliance or app protection policies.

User exclusions

[!INCLUDE active-directory-policy-exclusions]

[!INCLUDE active-directory-policy-deploy-template]

Create a Conditional Access policy

  1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
  2. Browse to Protection > Conditional Access > Policies.
  3. Select New policy.
  4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
  5. Under Assignments, select Users or workload identities.
    1. Under Include, select All users
    2. Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.
  6. Under Target resources > Cloud apps > Include, select All cloud apps.
  7. Under Conditions, select Device platforms
    1. Set Configure to Yes.
    2. Under Include, select Any device
    3. Under Exclude, select Android, iOS, Windows, and macOS.

      [!NOTE] For the exclusion select any platforms that your organization knowingly uses, and leave the others unselected.

    4. Select, Done.
  8. Under Access controls > Grant, select Block access, then select Select.
  9. Confirm your settings and set Enable policy to Report-only.
  10. Select Create to create to enable your policy.

After administrators confirm the settings using report-only mode, they can move the Enable policy toggle from Report-only to On.

Next steps

Conditional Access templates

Use report-only mode for Conditional Access to determine the results of new policy decisions.