49. How to Use Filters for Devices as Condition in Conditional Access Policy

Captions
Hello everyone, welcome to MSFT WebCast. In this video we are going to see the steps on how to use filters for devices as a condition in a Conditional Access policy with Intune.

When creating Conditional Access policies, administrators can now use filters to target or exclude specific devices in their environment. Filters for devices are a great method for filtering devices based on Azure AD device properties. In the last video we used the device state option while creating the Conditional Access policy. By using filters for devices it is possible to filter devices not only based on the device state but also on 10-plus other device properties. Those device properties enable the IT administrator to specifically include or exclude devices based on the value of those properties, so we can target specific devices using supported operators and properties for device filters and the other available assignment conditions in our Conditional Access policies. Filters for devices are not reusable and are configured and used per Conditional Access policy. When configuring and using filters for devices, it is important to keep in mind that those filters are based on Azure AD device properties.

There are multiple scenarios that organizations can now enable using the filter for devices condition, like when you want to block access to organization resources from devices running an unsupported operating system. For this example, let's say you want to block access to Microsoft Azure Management from Windows OS versions older than Windows 10 22H2. For this scenario we want to create a new Conditional Access policy with filters for devices. Let's see how we can do that.

First of all, we need to sign in to the Microsoft Endpoint Manager admin center as a global administrator. We can access Microsoft Endpoint Manager using the URL https://endpoint.microsoft.com. On the home page click on Devices, then click on All devices. We have two test Windows 10 devices: LABWIN10-CLI01 is running on Windows 10 20H1, we can see the OS version is 19043, and LABWIN10-CLI02 is running on Windows 10 22H2, we can see the OS version is 19045. We will test a Conditional Access policy with these Windows 10 devices.

Click on Groups. We have created one test group with the name test users. Let's click on test users. Under Manage, click on Members. We can see test user 1, test user 2 and test user 3 are added as members of this test group.

Click on Endpoint security. Under Manage, click on Conditional access. We will be on the Policies page. Click on New policy (the plus icon). Type a meaningful name for this Conditional Access policy; we will give it the name "Test conditional access policy with filter for devices".

Under Assignments, click on the "0 users and groups selected" link to configure the identities in the directory that the policy applies to. On the Include tab, configure the users and groups you want to include. Choose the "Select users and groups" option to select our test group. Select the checkbox in front of "Users and groups". From the list, select the user or group; we will select our test user group named test users. Click on Select.

Next, select "Cloud apps or actions", which is also under Assignments. Click on this link. Make sure that this policy applies to Cloud apps. On the Include tab we will choose the "Select apps" option. Under Select, click on the "None" link. Select the Microsoft Azure Management app from the list. Click on Select. We can see one warning, which we can ignore in this test policy.

Next, configure conditions. Click on the "0 conditions selected" link, and finally on the conditions we can see "Filter for devices". We will click on this link and set Configure to Yes. Let me toggle the switch to Yes. Make sure that "Devices matching the rule" is set to "Exclude filtered devices from policy". Then for the rule we will select the operating system version property type. Let me click on this drop-down arrow and select operating system version. The operator will be "Starts with", and set the value to 10.0.19045. We can see the rule syntax for our filter for devices. Once your filter is ready, click on Done.

Under Access controls, select Grant. Click on the "0 controls selected" link. This time we will select Block access. Click on Select. So as per the requirement we have configured this Conditional Access policy. Now confirm your settings and set Enable policy to On. Select Create to create and enable the policy. Wait for the confirmation message. We can see the message "Successfully created Test conditional access policy with filter for devices". So we have successfully created the Conditional Access policy with filter for devices.

With the policy in place, we will try to access the Microsoft Azure management portal on both of our Windows 10 devices. It will take some time to apply the Conditional Access policy on our test devices. To see the result quickly, you can manually perform the sync with Intune or restart the devices and check the result. So I'll stop the recording, perform a manual sync and restart the device, and after that I'll resume the recording.

Okay, we are on our test Windows 10 device. This is the LABWIN10-CLI01 device. Let's check the OS version. Go to Run, type the winver command and press the Enter key. We can see the OS version is 21H1. On this device I have logged in using the credentials of our Azure AD user named test user 2. Let me show you that it is test user 2. This user is a member of our test group test users, for which we have configured the Conditional Access policy. Open the Microsoft Edge web browser, type the URL portal.azure.com and press the Enter key to access the Azure management portal. We can see we are getting the message "You cannot access this right now". So our user test user 2 is not able to access the Azure management portal on this device, because this Windows 10 device is running on OS version 21H1, and according to our Conditional Access policy it will only grant access to the Azure management portal if the device OS version is 22H2. So that's why we are not able to access the Azure management portal on this Windows 10 device.

Let's go to the LABWIN10-CLI02 device. This is our LABWIN10-CLI02 device. Let's check the OS version. Go to Run, type the winver command and press the Enter key. We can see the OS version is 22H2. On this device I have logged in using the credentials of our Azure Active Directory user named test user 1. This user is a member of our test group test users, for which we have configured the Conditional Access policy. Let's try to access the Azure management portal on this device. Open the Microsoft Edge web browser, type the URL portal.azure.com and press the Enter key to access the Azure management portal. This time we can successfully access the Azure management portal, as this Windows 10 device is running on the 22H2 OS version. So the user is successfully able to access the Microsoft Azure portal; that means the Conditional Access policy with filter for devices is working perfectly fine in our test environment.

You can also check the Conditional Access sign-in logs using the Microsoft Endpoint Manager admin center. Let's go back to the Microsoft Endpoint Manager admin center. Under Monitoring, click on Sign-in logs. Click on Refresh to see the updated logs. Okay, here we can see we have one log entry for the application Azure Portal with status Failure. Let's click on this log entry with the status Failure. Click on the Conditional Access tab. We can see the policy name with grant controls, which is Block in our case. Click on the policy name. We can see the policy name is there: Test conditional access policy with filter for devices. Here are the Conditional Access details for the user sign-in. Under Assignments we can see the user matched and the application matched, but the device condition does not match, and that's why the user was not able to access the Azure management portal, and that we can see here: it doesn't match. So this is how you can check sign-in logs in the Microsoft Endpoint Manager admin center.

That's all for this video on how to use filters for devices as a condition in a Conditional Access policy with Intune. Thank you all for watching this video. Have a nice day.
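The policy configured in the walkthrough, written as a Microsoft Graph `conditionalAccessPolicy` request body together with a simplified model of how its device filter decides; this is an added example, not part of the video. The group ID is a placeholder, the build revision numbers are constructed, and `decide` models only this one filter, extended to a Windows 11 device and an unregistered device that the video does not test.

```python
import json

# Assumptions (not from the video): the group ID is a placeholder; the app ID is the
# well-known ID of "Windows Azure Service Management API" (Microsoft Azure Management).
TEST_USERS_GROUP_ID = "<object-id-of-test-users-group>"
AZURE_MANAGEMENT_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"
RULE_PREFIX = "10.0.19045"  # value entered in the portal

def build_policy():
    """Body for POST /identity/conditionalAccess/policies on Microsoft Graph."""
    return {
        "displayName": "Test conditional access policy with filter for devices",
        "state": "enabled",
        "conditions": {
            "users": {"includeGroups": [TEST_USERS_GROUP_ID]},
            "applications": {"includeApplications": [AZURE_MANAGEMENT_APP_ID]},
            "devices": {"deviceFilter": {
                "mode": "exclude",  # "Exclude filtered devices from policy"
                "rule": f'device.operatingSystemVersion -startsWith "{RULE_PREFIX}"',
            }},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def decide(os_version, policy):
    """Simplified model: 'allowed' if the filter takes the device out of the
    block policy, else 'blocked'. os_version None = no Azure AD device record."""
    dev_filter = policy["conditions"]["devices"]["deviceFilter"]
    prefix = dev_filter["rule"].split('"')[1]
    # -startsWith is a string prefix test, not a "version >=" comparison.
    matches = os_version is not None and os_version.startswith(prefix)
    out_of_scope = matches if dev_filter["mode"] == "exclude" else not matches
    return "allowed" if out_of_scope else "blocked"

def lab_results():
    # Constructed sample versions; only the build numbers 19043/19045 are from the video.
    devices = {
        "LABWIN10-CLI01": "10.0.19043.2846",
        "LABWIN10-CLI02": "10.0.19045.2846",
        "windows11-device": "10.0.22621.1555",
        "unregistered-device": None,
    }
    policy = build_policy()
    return {name: decide(ver, policy) for name, ver in devices.items()}

if __name__ == "__main__":
    print(json.dumps(build_policy(), indent=2))
    print(lab_results())
```

Because the rule is a prefix match and the filter mode is exclude, only builds beginning with 10.0.19045 leave the block policy: a newer Windows 11 build or a device with no Azure AD device record does not match the exclusion and is blocked as well.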
Info
Channel: MSFT WebCast
Views: 2,354
Keywords: azure, conditional access, security, intune tutorial, intune tutorial beginners, microsoft intune tutorial, microsoft intune for beginners, mdm, intune, Filters in Conditional Access policy, Use device filters for conditional access policies, device filter conditional access, Filter for devices in Azure AD, Device filters Intune, Create filters in Microsoft Intune, Azure AD Conditional Access policy, azure tutorial for beginners, microsoft azure, azure active directory, ms intune
Id: zBCzlCflrYs
Length: 13min 15sec (795 seconds)
Published: Wed Apr 19 2023