How to Use Device Filters in Conditional Access Policy Conditions

Device filters in Conditional Access help you decide which devices can access your company apps and data. Instead of treating all devices the same, you can make rules that apply only to certain devices.

This makes security better and helps trusted devices work without extra checks.

Here are some quick benefits of using device filters in Conditional Access policy conditions:

• Keep your company safer by focusing on risky or personal devices
• Make it easier for trusted devices to connect without trouble
• Control who can use your apps based on the device they use

In this guide, we’ll show you how to set up device filters in Conditional Access and use Microsoft Entra device filters to protect your business the smart way.

Device filters help you choose exactly which devices the rules should apply to - not just whether a device is compliant or not.

• You can pick certain devices to control, like only phones or only Windows computers.
• This works even if the device isn’t managed by your company’s Intune system.
• It saves time because you don’t have to make lots of different rules for every device - one filter can cover exactly what you need.

Using device filters in Conditional Access helps keep things safe and easy to manage.

When you create device filters in Conditional Access, you tell the system which devices to include or exclude based on certain details about those devices. These details are called device attributes.

This section lists important device attributes you can check and the ways (called operators) you can use to match those attributes in your filters. Using these, you can make very precise rules to control access to your company resources.

Here are some key device attributes you can use:

Operators you can use:

• Equals: Matches exactly
• Contains: Attribute includes the value anywhere
• StartsWith: Attribute begins with the value

You can use these attributes and operators to create filters like:

• Devices with operatingSystem Equals “Windows”
• Devices where deviceOwnership Equals “Personal”
• Devices made by deviceManufacturer Equals “Apple”

You can also add extension attributes to filter on extra information unique to your company.

Check out Microsoft Documentation for the reference

Setting up device filters in Conditional Access is easier than you think. Follow these simple steps to get started:

1.  Go to the Microsoft Entra portal (entra.microsoft.com) and log in with your admin account.
2. In the left-hand menu, select Entra ID > Conditional Access.
3. Click + Create New policy to start a new Conditional Access policy.

4. Give it a clear and meaningful name like “Device Filter Policy.”

5. Under Assignments, select Users or workload identities
   • Under Include, select Directory roles, users or groups the policy covers.

1. • Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.

6. Pick the apps this policy should protect (like Microsoft 365 apps).

7. Under Conditions, Filter for devices.

• Toggle Configure to
• Set Devices matching the rule to Exclude filtered devices from policy.
• Add filter rules using device attributes like operatingSystem, deviceTrustType, or deviceOwnership.
• Use operators like Equals, Contains, or StartsWith to define your filter.
• Select Done.

8. Set Access Controls: Decide what happens when a device matches your filter - like requiring MFA or blocking access.

9. Turn On the Policy Set the policy state to On and click Create to save it.

10. Test Your Policy Test with a small group to make sure your device filters work as expected without blocking trusted users.

Device filters in Conditional Access policies give you powerful, fine-grained control beyond just marking devices as “compliant” or “not compliant.”

• You can target specific devices by things like operating system version, device model, or even custom tags your organization adds.
• This helps with special cases like giving high security for admins or handling BYOD (Bring Your Own Device) safely.
• Device filters let you enforce zero-trust security by making sure only the right devices get access to important resources.

• With this flexibility comes complexity. You have to write filter rules carefully to avoid accidentally blocking good devices or allowing risky ones.
• These filters need regular updates and maintenance as your device inventory changes.
• There’s a learning curve - many admins find it tricky at first and wish the feature was easier to set up.
• Testing is very important. Without thorough tests, you might run into problems with users being blocked or policies not working as expected.
• Conditional Access policies are often used to secure access to privileged roles. Implementing Privileged Identity Management (PIM) is the next step after Conditional Access, ensuring those roles are not permanently active.

Using device filters well means balancing great control with careful planning and ongoing review.

Sometimes, your device filters in Conditional Access might not work as expected. Here are some common reasons why:

• Unregistered Devices: Devices not registered in Entra ID or not reporting device details can be missed by filters.
• Case Sensitivity: Filters are case sensitive, so “Windows” is different from “windows.” Make sure you use the exact casing.
• Syntax Errors: Small mistakes in writing filter rules can stop them from working properly.

To find out what’s going wrong, use these tools:

• Entra ID Sign-in Logs: Check these logs to see which devices tried to sign in and whether they matched your filters.
• ‘What If’ Tool: This tool lets you simulate how your Conditional Access policies work before applying them. It shows if your filters will include or exclude devices.

Testing and troubleshooting helps you get the most from your device filters in Conditional Access policies without causing issues for your users.

To make the most of device filters in Conditional Access, follow these easy tips:

• Keep your filters simple and clear. Write down what each filter does so you and your team remember why it’s there.
• Use operators like Equals, Contains, and StartsWith carefully. This helps avoid accidentally including or excluding the wrong devices.
• Audit your filters regularly. Remove old or unused filters to keep your policies clean and effective.
• Combine device filters with device compliance policies. This layered security approach gives you stronger protection.
• Another layer of protection you can align with device filters is enforcing session timeout policies, ensuring users are automatically signed out after inactivity.
• You can combine Conditional Access with passwordless authentication to create a seamless, phishing-resistant sign-in experience in Microsoft 365.

Following these best practices will help your Conditional Access policy conditions work smoothly and keep your company secure.

• Microsoft Solutions Partner: Recognized for excellence in Data & AI, Modern Work, and Digital App Innovation.
• Certified Experts: Our team holds Microsoft certifications in security, identity, and cloud, with hands-on experience in Conditional Access and device filters.
• Proven Results: We’ve delivered secure authentication and access solutions for thousands of users across diverse industries.
• End-to-End Support: From assessment to deployment and ongoing optimization, we guide you every step of the way.

Ready to secure your Microsoft 365 environment with device filters and Conditional Access?
Schedule a free consultation today and let our experts design the right solution for your organization.

Device filters in Conditional Access help you control who can access your company’s apps and data based on their devices. This keeps your environment secure without slowing down trusted users.

1. What are device filters in Conditional Access?
   Device filters let you create rules that apply only to certain devices based on details like operating system, device ownership, or trust type.
2. What does it mean to filter devices?
   Filtering devices means setting rules that include or exclude devices based on specific attributes, so you control who can access your apps and data more precisely.
3. Can Conditional Access policies be applied to devices?
   Yes. Conditional Access policies can target devices using filters, allowing you to control access based on device details like compliance or ownership.
4. What is device filter mode?
   Device filter mode decides if the policy includes or excludes devices matching the filter rules. You can choose to apply rules only to devices that meet your filter or exclude them.
5. What is a compliant device in Conditional Access?
   A compliant device follows your company’s security rules, usually managed through Intune or another device management system.
6. What operator is not always reliable when creating a device filter in Conditional Access for Microsoft Teams rooms on Android devices?
   The Contains operator can sometimes cause unexpected results with specific devices, so always test your filters carefully.
7. How do I create a filter in Intune?
   You create device filters in Microsoft Entra Conditional Access by using device attributes and operators like Equals, Contains, and StartsWith to build your rules.
8. What happens when multiple Conditional Access policies apply?
   If more than one policy applies, all must be satisfied for access to be granted. This means filters and rules combine to control access.
9. How can I test if my device filters are working?
   Use the Entra ID ‘What If’ tool and sign-in logs to see how your filters work before enforcing them. Testing in Report-Only mode helps avoid blocking users accidentally.
10. How often should I review my device filters?
    Regularly audit and clean up your filters to remove outdated or unused ones, keeping your policies effective and up to date.
11. Can I combine device filters with compliance policies?
    Yes, combining filters with device compliance policies gives you layered security, making your Conditional Access policies stronger.