MicrosoftDocs/azure-docs

howto-policy-persistent-browser-session.md device exclusion context seems inaccurate/unhelpful

Opened this issue · 2 comments

https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-policy-persistent-browser-session
This guide indicates you should use "Devices matching the rule" for "Include filtered devices in policy" with the filter "device.trustType -ne "ServerAD" -or device.isCompliant -ne True". I believe the justification is that if it is a Hybrid device, it was intentionally joined to the tenancy and its compliance doesn't matter, or if it is Entra joined, then its compliance does matter (as this is more likely to be abused by bad actors or may indicate a device that is not fully corporate owned).

However, when evaluating conditional access using these settings we get some odd results:
If the device is Hybrid joined and compliant it is excluded. (good)
If the device is Hybrid joined and not compliant it is included. (okay)
If the device is Entra joined and compliant it is included. (bad)
If the device is Entra joined and not compliant it is included. (good)

Instead, the filter should possibly be "Include filtered devices in policy" with the filter "device.trustType -ne "ServerAD" -and device.isCompliant -ne True".
This means the results are:
If the device is Hybrid joined and compliant it is excluded. (good)
If the device is Hybrid joined and not compliant it is excluded. (okay)
If the device is Entra joined and compliant it is excluded. (good)
If the device is Entra joined and not compliant it is included. (good)

Or alternately the filter should possibly be "Exclude filtered devices in policy" with the filter "device.trustType -eq "ServerAD" -or device.isCompliant -eq True".
This means the results are:
If the device is Hybrid joined and compliant it is excluded. (good)
If the device is Hybrid joined and not compliant it is excluded. (okay)
If the device is Entra joined and compliant it is excluded. (good)
If the device is Entra joined and not compliant it is included. (good)


ms.service: entra-id
ms.subservice: conditional-access
ms.topic: how-to
ms.author: @joflore
author: @MicrosoftGuyJFlo
manager: amycolannino
ms.reviewer: lhuangnorth
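
Evaluating the three filter rules from the issue over the four device states, as an added example that is not part of the issue, the linked article, or any Microsoft code. It assumes a small subset of the Entra device filter syntax (-eq and -ne on device.trustType and device.isCompliant, joined by -and / -or, with -and binding tighter than -or, which is an assumption that does not affect the page's rules since each uses a single connective) and the trust type values ServerAD (hybrid joined) and AzureAD (Entra joined).

```python
import re
from typing import Dict, Union

Device = Dict[str, Union[str, bool]]
# One comparison in the Entra device filter syntax quoted on the page: device.<attr> -eq|-ne <value>.
COMPARISON = re.compile(r'^device\.(\w+)\s+-(eq|ne)\s+("[^"]*"|True|False)$', re.IGNORECASE)

def _parse_value(raw: str):
    """Quoted text is a string attribute value; bare True/False is a boolean."""
    return raw[1:-1] if raw.startswith('"') else raw.lower() == "true"

def _eval_comparison(term: str, device: Device) -> bool:
    m = COMPARISON.match(term.strip())
    if not m:
        raise ValueError(f"unsupported term: {term!r}")
    attr, op, raw = m.groups()
    actual, expected = device.get(attr), _parse_value(raw)
    if isinstance(actual, str) and isinstance(expected, str):
        equal = actual.lower() == expected.lower()  # case-insensitive string compare (assumption)
    else:
        equal = actual == expected
    return equal if op.lower() == "eq" else not equal

def matches(rule: str, device: Device) -> bool:
    """True when the device satisfies the rule; -and binds tighter than -or (assumption, no parentheses)."""
    return any(all(_eval_comparison(t, device) for t in re.split(r'\s+-and\s+', d, flags=re.IGNORECASE))
               for d in re.split(r'\s+-or\s+', rule, flags=re.IGNORECASE))

def in_scope(mode: str, rule: str, device: Device) -> bool:
    """'include': the policy applies to devices matching the rule; 'exclude': to devices that do not."""
    hit = matches(rule, device)
    return hit if mode == "include" else not hit

# Constructed sample devices for the four states the issue walks through.
DEVICES: Dict[str, Device] = {
    "hybrid-compliant":    {"trustType": "ServerAD", "isCompliant": True},
    "hybrid-noncompliant": {"trustType": "ServerAD", "isCompliant": False},
    "entra-compliant":     {"trustType": "AzureAD",  "isCompliant": True},
    "entra-noncompliant":  {"trustType": "AzureAD",  "isCompliant": False},
}

def scope_table(mode: str, rule: str) -> Dict[str, bool]:
    """Which sample devices the policy applies to under the given mode and rule (True = in scope)."""
    return {name: in_scope(mode, rule, dev) for name, dev in DEVICES.items()}
```

Running scope_table over the documented -or rule puts the compliant Entra-joined device in scope, which is the result the issue flags as "bad"; the -and variant and the exclude-mode variant both leave only the non-compliant Entra-joined device in scope.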

@Sensible-matthew
Thanks for your feedback! We will investigate and update as appropriate.

@Sensible-matthew
Thank you for bringing this to our attention.
I've delegated this to the content author, who will review it and offer their insightful opinions.