Hey everyone! I'm looking for some guidance on setting up a conditional access policy that requires devices to be registered in order for users to log in. The catch is, we have a few shared devices that are registered to specific users, and I want to exclude these from the policy so that everyone can still access them without issues.
The problem I'm facing is that if a non-registered user tries to sign into one of these Windows devices, the 365 sign-in tokens they receive aren't enriched with the necessary info they need.
To give you some more context:
1. These devices are Active Directory (AD)-joined, but since the sign-in token shows the user's AD SID and not the device SID, it complicates the process.
2. The device filtering parameters I'm looking at all seem to require the token enrichment available to registered users. Thus, a non-registered user only has a fingerprint entry available, which doesn't let me filter by hardware ID, despite them being identical across registrations on that device.
3. Even though the devices are AD-joined, we aren't doing hybrid joins currently, and I'm unsure why this is the case. It's rumored there's a mismatch with the domain setup that prevents us from doing so.
Any thoughts on how I can tackle this? I'm also exploring whether enrolling them in Intune is feasible without needing a license for every user, since I've heard those tokens are scoped by computer instead of user. Looking forward to your insights!
1 Answer
If you can resolve your hybrid join issues, it could simplify this whole situation. Without hybrid joins, your options are pretty limited for excluding devices in Conditional Access. It's usually just a matter of a few clicks in the Connect setup to get that hybrid join working right. In the long run, that could save you a lot of headaches!
Totally agree! Fixing that hybrid issue would make life much easier. But it's a shame you have directives against it. Sometimes these domain mismatches can be a real nightmare.
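As an added illustration (not code posted in this thread), this is the shape of the policy being discussed, written with the Microsoft Graph PowerShell SDK: a report-only Conditional Access policy that requires a compliant or hybrid-joined device, with a device filter that excludes the shared workstations by Entra device ID. The device IDs and the break-glass account ID are placeholders; the comments spell out why the exclusion only helps for sign-ins that carry device claims.

```powershell
# Added example, not from the thread. Requires the Microsoft.Graph PowerShell SDK
# (module Microsoft.Graph.Identity.SignIns) and the ConditionalAccess write scope.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder Entra device object IDs of the registered shared workstations.
$sharedDeviceIds = @(
    "00000000-0000-0000-0000-000000000001",
    "00000000-0000-0000-0000-000000000002"
)
# Build the filter-rule list literal: ["guid1", "guid2"]
$idList = ($sharedDeviceIds | ForEach-Object { '"' + $_ + '"' }) -join ", "

$policy = @{
    displayName = "Require registered device (report-only pilot)"
    # Start in report-only: the sign-in log shows who WOULD be blocked before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers = @("All")
            # Placeholder: always exclude the emergency-access (break-glass) account.
            excludeUsers = @("<break-glass-account-object-id>")
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        devices        = @{
            deviceFilter = @{
                # Exclude the shared devices by object ID. The rule is evaluated
                # against the device claims in the token, so it matches only when
                # the sign-in comes from a device Entra knows (registered or
                # hybrid-joined). A session from an unregistered device carries no
                # device ID, the exclusion cannot match, and the policy still applies,
                # which is exactly the gap described in the question.
                mode = "exclude"
                rule = "device.deviceId -in [$idList]"
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        # compliantDevice = Intune-compliant; domainJoinedDevice = hybrid Entra joined
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Review the report-only results in the sign-in log before switching `state` to `enabled`; hybrid joining the shared devices is what makes `domainJoinedDevice` satisfiable and gives the filter a device ID to match.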