What’s the Best Approach for Conditional Access Policies Without Hitting Device ID Limits?

Asked By TechWhiz42 On

Hey folks,

I've set up a Conditional Access policy that blocks access to certain resources like Office 365 and Salesforce. I've also included some trusted networks and devices to allow for smoother access. Currently, I'm using device ID-based exclusions to manage which corporate devices can get in. The problem is that each policy has a cap on how many device IDs I can include, and I'm nearing that limit.

So, my question is: is there a better way to design this access policy without relying on individual device IDs? I want to know the best practices for implementing this model at scale instead. Here's how my current setup looks:

1. **Target Resources:**
   - Includes: Microsoft Office 365 and Salesforce
   - Excludes: None

2. **Network:**
   - Inclusion: Any network/location
   - Exclusion: Specific approved IP ranges

3. **Conditions:**
   - Device Platforms: Excluding Android and iOS
   - Locations: Excluding specific approved IP ranges

4. **Access Controls:**
   - Grant Control: Block access unless controlled

Thanks in advance for the advice!

4 Answers

Answered By InputMaster99 On

You definitely shouldn't be using device ID exclusions for this. The better approach is to create a device group and then just exclude that group from your access policy. It's way more scalable than individual IDs!

Groupie123 -

But remember, group exclusions only work for users, not devices. That's something to keep in mind.

DeviceGuru88 -

You need to ensure that the group is role assignable. Otherwise, anyone might be able to add devices to it!

Answered By SecureTechEnthusiast On

Have you thought about using Custom Security Attributes or System Labels? They can help manage device access without hitting those pesky limits.

CuriousNerd -

Thanks for this suggestion! I'll check it out.

Answered By CloudExpert101 On

Also, what's the status of your devices? Are they hybrid joined or using Entra? That could change how your policy applies.

TechWhiz42 -

Nope, we're on Microsoft Platform SSO with Simple MDM.

Answered By PolicyPro On

I'd suggest targeting all cloud apps and excluding Intune enrollment. You can also adjust the filters to exclude devices that aren't compliant to streamline your policy.
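As an added illustration (not code from any of the posters), here is how the design PolicyPro describes can be expressed with the Microsoft Graph PowerShell SDK: a property-based filter for devices replaces the hand-maintained device ID list, and the policy starts in report-only mode. The display name, the report-only state, and the placeholder app and account IDs are assumptions.

```powershell
# Added example: swap a per-device-ID exclusion for a property-based
# filter for devices. Requires the Microsoft Graph PowerShell SDK and
# the Policy.ReadWrite.ConditionalAccess scope.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Before: the exclusion is a fixed list of device IDs. The rule string has a
# length cap, so the list stops growing long before the fleet does.
$deviceIdRule = 'device.deviceId -in ["<device-id-1>", "<device-id-2>"]'   # placeholders

# After: exclude devices by a property asserted at sign-in (MDM compliance
# state), so no IDs need to be maintained by hand as devices come and go.
$complianceRule = 'device.isCompliant -eq True'

$policy = @{
    displayName = "Block cloud apps from unmanaged devices (example)"   # assumed name
    # Report-only first: review what would be blocked before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        applications = @{
            includeApplications = @("All")
            # Keep enrollment reachable, or a new device can never become compliant.
            excludeApplications = @("<Microsoft Intune Enrollment app ID>")   # placeholder
        }
        users     = @{
            includeUsers = @("All")
            excludeUsers = @("<break-glass account object ID>")   # placeholder
        }
        platforms = @{
            includePlatforms = @("all")
            excludePlatforms = @("android", "iOS")
        }
        locations = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")   # named locations marked as trusted
        }
        devices   = @{
            deviceFilter = @{
                mode = "exclude"      # devices matching the rule are NOT blocked
                rule = $complianceRule
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Check the sign-in logs under report-only for a few days before switching `state` to `enabled`, since a device whose compliance is not reported by the MDM will be blocked once enforced.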
