Conditional Access - Block unknown or unsupported device platform

Sign in to Microsoft Entra Admin Center
- Navigate to Protection → Conditional Access.
- Click + New policy.
Name the Policy
- Give the policy a name, e.g., "Block Unsupported Windows Devices".
Assignments → Users
- Select All Users (or specific groups/users if necessary).
Assignments → Cloud Apps or Actions
- Select All cloud apps (or choose specific apps you want to protect).
Assignments → Conditions
- Under Device platforms, select Windows.
- Under Device filters, enable Filter for devices and configure:
  - Property: device.operatingSystem
  - Operator: contains
  - Value: Windows 7 (also add Windows XP if needed).
Access Controls → Grant
- Select Block access.
Enable Policy
- Set the Enable policy option to On.
- Click Create to enforce the policy.

This Conditional Access Policy would block:

All Windows 7 Devices – Any user trying to sign in from a Windows 7 device will be denied access.
Older Windows Versions – If you extend the filter (Windows XP, Windows 8), those will also be blocked.
Any App Targeted by the Policy – If you applied it to all cloud apps, it will block access to services like:
- Microsoft 365 Apps (Outlook, Teams, SharePoint, OneDrive)
- Azure Virtual Desktop
- Other Entra ID-protected services

Devices Not Enrolled in Entra ID: If the device isn't registered, it may not be evaluated properly.
Users with Exemptions: If you exclude users (e.g., admins), they won’t be affected.
Personal Devices (If Not Registered): Unless you're enforcing device registration, unmanaged personal devices might bypass this.

Last updated 2 months ago