
howto-policy-persistent-browser-session.md device exclusion context seems inaccurate/unhelpful #124429

Open
Sensible-matthew opened this issue Sep 16, 2024 · 2 comments

Comments

@Sensible-matthew

Sensible-matthew commented Sep 16, 2024

https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-policy-persistent-browser-session
This guide indicates you should use "Devices matching the rule" for "Include filtered devices in policy" with the filter "device.trustType -ne "ServerAD" -or device.isCompliant -ne True". I believe the justification is that if it is a Hybrid device, it was intentionally joined to the tenancy and its compliance doesn't matter, or if it is Entra joined, then its compliance does matter (as this is more likely to be abused by bad actors or may indicate a device that is not fully corporate owned).

However, when evaluating conditional access using these settings we get some odd results:
- If the device is Hybrid joined and compliant it is excluded. (good)
- If the device is Hybrid joined and not compliant it is included. (okay)
- If the device is Entra joined and compliant it is included. (bad)
- If the device is Entra joined and not compliant it is included. (good)

Instead, the filter should possibly be "Include filtered devices in policy" with the filter "device.trustType -ne "ServerAD" -and device.isCompliant -ne True".
This means the results are:
- If the device is Hybrid joined and compliant it is excluded. (good)
- If the device is Hybrid joined and not compliant it is excluded. (okay)
- If the device is Entra joined and compliant it is excluded. (good)
- If the device is Entra joined and not compliant it is included. (good)

Or alternately the filter should possibly be "Exclude filtered devices in policy" with the filter "device.trustType -eq "ServerAD" -or device.isCompliant -eq True".
This means the results are:
- If the device is Hybrid joined and compliant it is excluded. (good)
- If the device is Hybrid joined and not compliant it is excluded. (okay)
- If the device is Entra joined and compliant it is excluded. (good)
- If the device is Entra joined and not compliant it is included. (good)


ms.service: entra-id
ms.subservice: conditional-access
ms.topic: how-to
ms.author: @joflore
author: @MicrosoftGuyJFlo
manager: amycolannino
ms.reviewer: lhuangnorth
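The evaluation the post walks through, reproduced as an added example that is not part of the issue, the docs page, or any Microsoft code: a small Python evaluator for the `-eq`/`-ne`/`-and`/`-or` subset of the filter-for-devices syntax, run over the four device states (hybrid or Entra joined, compliant or not) for the documented filter and both proposed replacements. It assumes `ServerAD` is the `trustType` value for hybrid joined devices and `AzureAD` the value for Entra joined devices, and it models "Exclude filtered devices in policy" as the policy applying to every device the rule does not match (i.e. the policy otherwise targets all devices). Nothing about real Conditional Access evaluation beyond those two operators and the two connectives is modelled.

```python
import re
from dataclasses import dataclass
from itertools import product

# Assumed trustType values: "ServerAD" = hybrid joined, "AzureAD" = Entra joined.
HYBRID, ENTRA = "ServerAD", "AzureAD"

# The three filters quoted in the issue, as (mode, rule) pairs.
FILTERS = {
    "docs (include, -or)": ("include", 'device.trustType -ne "ServerAD" -or device.isCompliant -ne True'),
    "proposal A (include, -and)": ("include", 'device.trustType -ne "ServerAD" -and device.isCompliant -ne True'),
    "proposal B (exclude, -or)": ("exclude", 'device.trustType -eq "ServerAD" -or device.isCompliant -eq True'),
}


@dataclass(frozen=True)
class Device:
    trustType: str
    isCompliant: bool


# A token is either a double-quoted string or a run of non-whitespace.
TOKEN = re.compile(r'"[^"]*"|\S+')


def _literal(tok: str):
    """Turn a filter literal token into a Python value."""
    if tok.startswith('"'):
        return tok.strip('"')
    if tok in ("True", "False"):
        return tok == "True"
    return tok


def evaluate(rule: str, device: Device) -> bool:
    """Evaluate a filter rule against a device.

    Grammar modelled (only what the issue uses): `device.<prop> (-eq|-ne) literal`
    comparisons joined by -and / -or, with -and binding tighter than -or,
    as in PowerShell. Any other operator raises ValueError rather than guessing."""
    tokens = TOKEN.findall(rule)
    pos = 0

    def comparison() -> bool:
        nonlocal pos
        prop, op, lit = tokens[pos:pos + 3]
        pos += 3
        if not prop.startswith("device."):
            raise ValueError(f"unexpected property {prop!r}")
        actual = getattr(device, prop[len("device."):])
        expected = _literal(lit)
        if op == "-eq":
            return actual == expected
        if op == "-ne":
            return actual != expected
        raise ValueError(f"operator {op!r} not modelled")

    def conjunction() -> bool:
        nonlocal pos
        result = comparison()
        while pos < len(tokens) and tokens[pos] == "-and":
            pos += 1
            result = comparison() and result   # parse first, then combine
        return result

    def disjunction() -> bool:
        nonlocal pos
        result = conjunction()
        while pos < len(tokens) and tokens[pos] == "-or":
            pos += 1
            result = conjunction() or result
        return result

    out = disjunction()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens: {tokens[pos:]}")
    return out


def policy_applies(mode: str, rule: str, device: Device) -> bool:
    """'include': the policy applies to devices matching the rule.
    'exclude': the policy applies to devices NOT matching the rule."""
    matched = evaluate(rule, device)
    return matched if mode == "include" else not matched


def truth_table(mode: str, rule: str) -> dict:
    """Map (trustType, isCompliant) -> whether the policy applies."""
    return {(t, c): policy_applies(mode, rule, Device(t, c))
            for t, c in product((HYBRID, ENTRA), (True, False))}


if __name__ == "__main__":
    for name, (mode, rule) in FILTERS.items():
        print(name)
        for (t, c), applies in truth_table(mode, rule).items():
            join = "Hybrid joined" if t == HYBRID else "Entra joined"
            print(f"  {join:13} compliant={c!s:5} -> {'included' if applies else 'excluded'}")
```

Running it prints the same three tables the post gives by hand: the documented `-or` filter applies the policy to an Entra joined, compliant device because the first clause alone satisfies the rule, while both proposals apply it only to the Entra joined, non-compliant device. Proposals A and B produce identical tables, which is what you would expect since B's rule is the logical negation of A's rule with the include/exclude mode flipped.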

@Naveenommi-MSFT
Contributor

@Sensible-matthew
Thanks for your feedback! We will investigate and update as appropriate.

@TPavanBalaji
Contributor

@Sensible-matthew
Thank you for bringing this to our attention.
I've delegated this to content author, who will review it and offer their insightful opinions.
