Conditional Access - Block unknown or unsupported device platform
1. Sign in to Microsoft Entra Admin Center
   - Navigate to Protection → Conditional Access.
   - Click + New policy.
2. Name the Policy
   - Give the policy a name, e.g., "Block Unsupported Windows Devices".
3. Assignments → Users
   - Select All Users (or specific groups/users if necessary).
4. Assignments → Cloud Apps or Actions
   - Select All cloud apps (or choose specific apps you want to protect).
5. Assignments → Conditions
   - Under Device platforms, select Windows.
   - Under Device filters, enable Filter for devices and configure:
     - Property: device.operatingSystem
     - Operator: contains
     - Value: Windows 7 (also add Windows XP if needed).
6. Access Controls → Grant
   - Select Block access.
7. Enable Policy
   - Set the Enable policy option to On.
   - Click Create to enforce the policy.
This Conditional Access Policy would block:
- All Windows 7 Devices – Any user trying to sign in from a Windows 7 device will be denied access.
- Older Windows Versions – If you extend the filter (Windows XP, Windows 8), those will also be blocked.
- Any App Targeted by the Policy – If you applied it to all cloud apps, it will block access to services like:
  - Microsoft 365 Apps (Outlook, Teams, SharePoint, OneDrive)
  - Azure Virtual Desktop
  - Other Entra ID-protected services
Cases where the policy may not apply:
- Devices Not Enrolled in Entra ID: If the device isn't registered, it may not be evaluated properly.
- Users with Exemptions: If you exclude users (e.g., admins), they won’t be affected.
- Personal Devices (If Not Registered): Unless you're enforcing device registration, unmanaged personal devices might bypass this.
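The portal steps and the unregistered-device caveat above, as an added example that is not part of the original page: it builds the equivalent Microsoft Graph conditionalAccessPolicy request body and runs a simplified model of the device filter over constructed sign-ins. The sample device records and the `filter_matches` helper are assumptions for illustration; only the device filter is modelled, not the platform condition.

```python
import json

# Filter values named in the steps above.
FILTER_VALUES = ["Windows 7", "Windows XP"]

def build_policy(state="enabled"):
    """Graph conditionalAccessPolicy body mirroring the portal steps."""
    rule = " -or ".join(
        f'device.operatingSystem -contains "{v}"' for v in FILTER_VALUES
    )
    return {
        "displayName": "Block Unsupported Windows Devices",
        "state": state,  # "enabledForReportingButNotEnforced" is report-only
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "platforms": {"includePlatforms": ["windows"]},
            "devices": {"deviceFilter": {"mode": "include", "rule": rule}},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def filter_matches(device):
    """Simplified model (assumption) of an include-mode 'contains' filter.

    device is None when the sign-in carries no Entra device object
    (unregistered device): there are no properties to compare, so the
    filter cannot match and the block does not apply.
    """
    if device is None:
        return False
    os_name = device.get("operatingSystem") or ""
    return any(value in os_name for value in FILTER_VALUES)

# Constructed sample sign-ins, not tenant data. Confirm the operatingSystem
# strings your registered devices actually report before relying on the rule.
SAMPLE_SIGNINS = [
    ("registered-win7", {"operatingSystem": "Windows 7"}),
    ("registered-win11", {"operatingSystem": "Windows 11"}),
    ("unregistered-win7", None),
]

def evaluate(signins=SAMPLE_SIGNINS):
    """Map each sample sign-in to the outcome the filter model predicts."""
    return {name: "block" if filter_matches(dev) else "policy not applied"
            for name, dev in signins}

if __name__ == "__main__":
    print(json.dumps(build_policy(), indent=2))
    for name, outcome in evaluate().items():
        print(f"{name}: {outcome}")
```

The printed body is what would be sent to the Graph conditional access policies endpoint; passing `state="enabledForReportingButNotEnforced"` to `build_policy` produces the report-only variant.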