Microsoft Entra ID Conditional Access - Block Personal Windows Devices
- Raman Lodhi
- May 10, 2024
- 1 min read
Updated: May 11, 2024
Client requirement: prevent personally owned computers from accessing tenant resources, but still allow mobile devices.
Let's create our policy the right way!
Portal.azure.com > Microsoft Entra Conditional Access > Policies > New Policy
Name: give your policy a suitable name.
Users: target all users or a group.
Target resources: I am choosing "All cloud apps".
Conditions > Device platforms: here I am looking to block only computers and allow mobile phones, so I select only Windows, macOS and Linux and leave out the mobile platforms.
Next is the crucial part: Filter for devices.
What I am going to do is block everything except Entra joined and hybrid joined devices.
In the Exclude filter I exclude those devices from our block policy. The "Trust type" property is what does the work here: Entra joined devices have trust type AzureAD and hybrid joined devices have trust type ServerAD, so a personal (registered or unmanaged) computer never matches the exclusion and gets blocked.
Next, under Grant we just need to block access, then turn the policy on. Easy peasy!
There you go Mr. Client!
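The same policy expressed as a Microsoft Graph PowerShell script, added here as an example and not part of the original post. It assumes the Microsoft.Graph module is installed and the signed-in admin has the Policy.ReadWrite.ConditionalAccess and Application.Read.All permissions; the display name is my own choice, and the policy is created in report-only mode so the sign-in logs can be checked before it is enforced.

```powershell
# Added example, not the original post's code: creates the "block personal computers"
# Conditional Access policy described above via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; the account has the
# Policy.ReadWrite.ConditionalAccess and Application.Read.All delegated permissions.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Device filter in Exclude mode: Entra joined (AzureAD) and hybrid joined (ServerAD)
# devices are carved out of the block, so everything else on the selected
# platforms (personal / registered-only computers) is blocked.
$deviceFilterRule = 'device.trustType -eq "AzureAD" -or device.trustType -eq "ServerAD"'

$policy = @{
    displayName = "Block personal Windows, macOS and Linux devices"
    # Report-only first; change to "enabled" once the sign-in logs look right.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All") }
        applications = @{ includeApplications = @("All") }
        # Only computer platforms are in scope; mobile platforms are left out.
        platforms    = @{ includePlatforms = @("windows", "macOS", "linux") }
        devices      = @{
            deviceFilter = @{
                mode = "exclude"
                rule = $deviceFilterRule
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Before switching the state to "enabled", add your emergency access (break-glass) accounts to the users exclusion and review the report-only results in the sign-in logs; a block policy scoped to all users and all cloud apps is exactly the kind that locks out the admin who created it.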