I'm currently managing a Conditional Access policy that restricts access to certain resources like Office 365 and Salesforce. We have exclusions set up for trusted networks and approved devices. Right now, we exclude devices by listing their Device IDs with the option to 'Exclude filtered devices'. However, there's a limitation on how many device IDs we can include, and we're nearing that limit.
My question is whether using device-ID-based exclusions is the appropriate and supported design for this type of Conditional Access policy. If it isn't, what would be the recommended approach to scale this access model without depending on individual device IDs? Here's a brief overview of our current setup:
1. **Target Resources (Cloud Apps)**: We specifically include Office 365 and Salesforce, with no exclusions.
2. **Network Configuration**: Enabled for any network, excluding some specific IP ranges.
3. **Conditions**: All device platforms included, but excludes Android and iOS.
4. **Access Controls**: We're blocking access and requiring one of the selected controls. Would appreciate any guidance on optimizing this!
5 Answers
Just curious, are your devices hybrid joined or Entra joined? This could affect how you set up your policy.
Using individual device IDs for exclusions is not ideal, especially since you're hitting that limit. Instead, consider creating a group for all approved devices and excluding that group from the access policy. This way, you can manage devices more efficiently without worrying about hitting ID limits. Just remember, group exclusions only apply to users, so double-check if that fits your needs.
Yes, group exclusions are primarily for users, but you can manage devices better this way if set up correctly. Also, when you create the group, ensure it's role assignable to prevent access issues.
I’ve tried the group method before, and it can be tricky if your setup isn't configured right. Just a heads up!
I'd recommend reviewing your approach on cloud app targeting. Excluding Intune enrollment from a broader policy might streamline things. Also, consider using filters for compliance status, like only allowing devices that are compliant to access resources.
You might want to consider targeting all cloud apps instead of limiting to just a few. This could simplify your exclusions and reduce complexity in the policy management.
Another option to explore is using Custom Security Attributes or System Labels. This could help you manage device access without relying solely on device IDs. Just a thought!
Thanks for the tip! I’ll definitely look into Custom Security Attributes.
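To make the attribute-based suggestion concrete, here is an added example (not code from any of the posters above) that replaces the per-device-ID list with a Conditional Access filter for devices, driven from Microsoft Graph PowerShell. It tags each approved device once with `extensionAttribute1` on the device object, then builds the same block policy the question describes with `deviceFilter.mode = "exclude"` and a rule that references that attribute rather than `device.deviceId`. The Salesforce app ID, the trusted named-location ID and the two device GUIDs are placeholders; the `isCompliant` clause in the rule is only meaningful if your MDM reports compliance into Entra ID, so drop it otherwise. The policy is created in report-only state so the sign-in logs show what it would have blocked before it is enforced.

```powershell
# Added example: swap a deviceId exclusion list for an attribute-based device filter.
# Assumes the Microsoft.Graph module is installed and the caller can write
# Conditional Access policies and device objects. All GUIDs below are placeholders.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Directory.ReadWrite.All"

# 1. Tag approved devices once. extensionAttribute1..15 on the device object are
#    referenceable from a filter for devices, so no ID list has to live in the policy.
$approvedDeviceIds = @(
    "11111111-1111-1111-1111-111111111111",   # placeholder deviceId (the GUID currently pasted into the policy)
    "22222222-2222-2222-2222-222222222222"    # placeholder deviceId
)

foreach ($id in $approvedDeviceIds) {
    # Get-MgDevice/Update-MgDevice key on the directory object id, not the deviceId GUID.
    $dev = Get-MgDevice -Filter "deviceId eq '$id'"
    if (-not $dev) { Write-Warning "deviceId $id not found in Entra ID"; continue }
    Update-MgDevice -DeviceId $dev.Id -BodyParameter @{
        extensionAttributes = @{ extensionAttribute1 = "CA-Approved" }
    }
}

# 2. The policy from the question, with the device exclusion expressed as a rule.
$policy = @{
    displayName = "Block Office 365 and Salesforce except approved devices and trusted networks"
    state       = "enabledForReportingButNotEnforced"   # report-only first; set to "enabled" after reviewing sign-in logs
    conditions  = @{
        users        = @{ includeUsers = @("All") }
        applications = @{
            includeApplications = @(
                "Office365",                              # built-in alias for the Office 365 app group
                "00000000-0000-0000-0000-000000000000"    # placeholder: Salesforce service principal appId
            )
        }
        locations = @{
            includeLocations = @("All")
            excludeLocations = @("00000000-0000-0000-0000-000000000001")   # placeholder: trusted named location id
        }
        platforms = @{
            includePlatforms = @("all")
            excludePlatforms = @("android", "iOS")
        }
        devices = @{
            deviceFilter = @{
                mode = "exclude"
                # Devices matching this rule are excluded from the block.
                # The isCompliant clause only helps if your MDM reports compliance to Entra ID.
                rule = 'device.extensionAttribute1 -eq "CA-Approved" -or device.isCompliant -eq True'
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

One caveat worth checking in report-only before enforcing: a filter for devices can only match when the sign-in carries a device identity (a registered or joined device, with the browser or app able to present it, for example through Platform SSO). A device that presents no identity cannot match the exclude rule, so under a block policy it is blocked. Removing an exclusion is then a matter of clearing or changing the extension attribute on that device rather than editing the policy.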

Nope, we’re using Microsoft Platform SSO with Simple MDM for management.