Conditional Access - Block unknown or unsupported device platform
Block Generic Devices Like Windows, Linux, Mac
Block Device OS types like Windows 7, XP ...
Sign in to Microsoft Entra Admin Center
Navigate to Protection → Conditional Access.
Click + New policy.
Name the Policy
Give the policy a name, e.g., "Block Unsupported Windows Devices".
Assignments → Users
Select All Users (or specific groups/users if necessary).
Assignments → Cloud Apps or Actions
Select All cloud apps (or choose specific apps you want to protect).
Assignments → Conditions
Under Device platforms, select Windows.
Under Device filters, enable Filter for devices and configure:
Property: device.operatingSystem
Operator: contains
Value: Windows 7 (also add Windows XP if needed).
Access Controls → Grant
Select Block access.
Enable Policy
Set the Enable policy option to On.
Click Create to enforce the policy.
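The same policy expressed through Microsoft Graph PowerShell, as an added example that is not part of the original page. It assumes the Microsoft.Graph.Identity.SignIns module is installed and that the signed-in account can consent to the Policy.ReadWrite.ConditionalAccess scope; the clientAppTypes entry and the variable names are additions the portal steps do not mention.

```powershell
# Added example (not from the original page): the portal steps above as one Graph call.
# Assumes the Microsoft.Graph.Identity.SignIns module is installed.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

# Build the device filter rule from the same property, operator and values
# used in the portal steps. Extend $osValues to cover more legacy releases.
$osValues = @('Windows 7', 'Windows XP')
$rule = ($osValues | ForEach-Object {
    "device.operatingSystem -contains `"$_`""
}) -join ' -or '

$policy = @{
    displayName = 'Block Unsupported Windows Devices'
    # 'enabled' corresponds to "On" in the portal.
    # Use 'enabledForReportingButNotEnforced' to create it in report-only mode
    # and review sign-in logs before enforcing.
    state       = 'enabled'
    conditions  = @{
        users          = @{ includeUsers = @('All') }            # Assignments -> Users
        applications   = @{ includeApplications = @('All') }     # All cloud apps
        clientAppTypes = @('all')                                # required by the Graph schema
        platforms      = @{ includePlatforms = @('windows') }    # Device platforms -> Windows
        devices        = @{
            deviceFilter = @{
                mode = 'include'   # apply the policy to devices matching the rule
                rule = $rule
            }
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')                             # Grant -> Block access
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm the state and filter rule that were stored.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ Name = 'DeviceFilter'; Expression = { $_.Conditions.Devices.DeviceFilter.Rule } }
```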
This Conditional Access Policy would block:
All Windows 7 Devices – Any user trying to sign in from a Windows 7 device will be denied access.
Older Windows Versions – If you extend the filter (Windows XP, Windows 8), those will also be blocked.
Any App Targeted by the Policy – If you applied it to all cloud apps, it will block access to services like:
Microsoft 365 Apps (Outlook, Teams, SharePoint, OneDrive)
Azure Virtual Desktop
Other Entra ID-protected services
What It Won’t Block
Devices Not Enrolled in Entra ID: If the device isn't registered, it may not be evaluated properly.
Users with Exemptions: If you exclude users (e.g., admins), they won’t be affected.
Personal Devices (If Not Registered): Unless you're enforcing device registration, unmanaged personal devices might bypass this.