Conditional Access block specific device
Some time ago there was a use case to block selected Azure AD joined devices from accessing company resources. Naturally, a Conditional Access policy comes to mind. But what if you can't identify the device(s) through any of the available conditions? Here is a short solution for this.
Note that the control does not necessarily have to be a block; the same approach works for applying any Conditional Access control to the selected devices.
Potential use cases: Kiosk devices, privileged access workstations (PAW), special machines
Components
- Azure AD device extension attributes
- Filter for devices as a condition in Conditional Access
Add extension attributes to an Azure AD device object
1. Look up the Object ID of the desired device in Azure AD.
2. Open Graph Explorer and set:
   - The HTTP method: PATCH
   - Resource URL: https://graph.microsoft.com/v1.0/devices/<Object ID>/
   - Request body:
     {
       "extensionAttributes": {
         "extensionAttribute10": "<yourCustomAttribute>"
       }
     }
3. Also make sure you have enough privileges to modify an AAD device object and that consent has been given to Graph Explorer.
You can verify with a GET request to the same resource URL.
The attribute also shows up on the device in Azure AD (it can take a few minutes):
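The same PATCH and GET as a script, so the tagging can be repeated and audited instead of done by hand in Graph Explorer. This is an added example using the Microsoft Graph PowerShell SDK, not code from the original post; $DeviceObjectId and $Tag are placeholders you replace, and the delegated scope follows the Graph documentation for updating a device object.

```powershell
# Added example (not from the original post): tag one Azure AD device with an
# extension attribute via Microsoft Graph PowerShell, then read it back.
# Assumptions: the Microsoft.Graph module is installed, the signed-in account is
# allowed to update device objects, and the two values below are placeholders.
$DeviceObjectId = "<Object ID>"            # placeholder: object ID of the device
$Tag            = "<yourCustomAttribute>"  # placeholder: value the CA filter will match

# Delegated scope for updating a device object (per the Graph "Update device" docs)
Connect-MgGraph -Scopes "Directory.AccessAsUser.All"

# Same PATCH the post sends from Graph Explorer
$body = @{ extensionAttributes = @{ extensionAttribute10 = $Tag } }
Invoke-MgGraphRequest -Method PATCH `
    -Uri "https://graph.microsoft.com/v1.0/devices/$DeviceObjectId" `
    -Body $body -ContentType "application/json"

# Verify with a GET against the same resource, as the post suggests
$uri    = "https://graph.microsoft.com/v1.0/devices/$DeviceObjectId" + '?$select=displayName,extensionAttributes'
$device = Invoke-MgGraphRequest -Method GET -Uri $uri
if ($device.extensionAttributes.extensionAttribute10 -ne $Tag) {
    throw "extensionAttribute10 on '$($device.displayName)' is not '$Tag'"
}
"$($device.displayName): extensionAttribute10 = $($device.extensionAttributes.extensionAttribute10)"

# List every device carrying the tag, so you notice when one is added or
# removed (advanced query: needs ConsistencyLevel eventual plus $count)
Get-MgDevice -Filter "extensionAttributes/extensionAttribute10 eq '$Tag'" `
    -ConsistencyLevel eventual -CountVariable tagged -All |
    Select-Object DisplayName, Id, TrustType
"$tagged device(s) currently tagged"
```

The final listing is the check worth scheduling: anyone with rights to edit device objects can add or clear the attribute, and a cleared attribute silently removes the device from the policy's scope, so compare the list against the expected set of kiosk or PAW machines regularly.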
Use extension attributes in a Conditional Access policy
Now, in your Conditional Access policy, go to Conditions > Filter for devices, set Configure to Yes and choose Include filtered devices in policy.
Choose your access control (in this case Block). Don’t forget to configure the Assignments and the Cloud apps or actions in the policy.
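The policy from the two steps above, created through Microsoft Graph PowerShell instead of the portal. This is an added example and not code from the original post; the policy name is made up, $Tag must equal the value written to extensionAttribute10, and the break-glass account ID is a placeholder. The rule string uses the same syntax the portal's Filter for devices editor accepts.

```powershell
# Added example (not from the original post): create the Conditional Access
# policy that blocks devices carrying the extension attribute, in report-only
# mode first. Assumptions: Microsoft.Graph module installed; placeholders below.
$Tag = "<yourCustomAttribute>"  # placeholder: same value as on the device object

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

$policy = @{
    displayName = "Block tagged devices (extensionAttribute10)"   # made-up name
    # Report-only: sign-in logs show what would have been blocked without
    # locking anyone out while you confirm the filter hits only the right machines
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @("<break-glass account object ID>")  # placeholder
        }
        applications = @{ includeApplications = @("All") }
        devices      = @{
            deviceFilter = @{
                mode = "include"   # "Include filtered devices in policy"
                rule = "device.extensionAttribute10 -eq `"$Tag`""
            }
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Read the device filter back the way the portal would display it
(Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id).Conditions.Devices.DeviceFilter
```

Switch state to "enabled" only after the report-only sign-in entries show exactly the tagged devices being affected; an untagged or mistyped attribute value means the device simply falls outside the filter, which is the failure mode to look for.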
Result
Here you see two different Windows machines: one is covered by the CA policy through its extension attribute, the other is not: