Conditional Access - Block unknown or unsupported device platform

Block Generic Devices Like Windows, Linux, Mac

Block unsupported platforms with Conditional Access - Microsoft Entra IDMicrosoftLearn

Block Device OS type like Window 7, XP ...

1. Sign in to Microsoft Entra Admin Center

   • Navigate to Protection → Conditional Access.

   • Click + New policy.

2. Name the Policy

   • Give the policy a name, e.g., "Block Unsupported Windows Devices".

3. Assignments → Users

   • Select All Users (or specific groups/users if necessary).

4. Assignments → Cloud Apps or Actions

   • Select All cloud apps (or choose specific apps you want to protect).

5. Assignments → Conditions

   • Under Device platforms, select Windows.

   • Under Device filters, enable Filter for devices and configure:

     • Property: device.operatingSystem

     • Operator: contains

     • Value: Windows 7 (also add Windows XP if needed).

6. Access Controls → Grant

   • Select Block access.

7. Enable Policy

   • Set the Enable policy option to On.

   • Click Create to enforce the policy.

This Conditional Access Policy would block:

1. All Windows 7 Devices – Any user trying to sign in from a Windows 7 device will be denied access.

2. Older Windows Versions – If you extend the filter (Windows XP, Windows 8), those will also be blocked.

3. Any App Targeted by the Policy – If you applied it to all cloud apps, it will block access to services like:

   • Microsoft 365 Apps (Outlook, Teams, SharePoint, OneDrive)

   • Azure Virtual Desktop

   • Other Entra ID-protected services

What It Won’t Block

• Devices Not Enrolled in Entra ID: If the device isn't registered, it may not be evaluated properly.

• Users with Exemptions: If you exclude users (e.g., admins), they won’t be affected.

• Personal Devices (If Not Registered): Unless you're enforcing device registration, unmanaged personal devices might bypass this.