How to Use Device Filters in Conditional Access Policy Conditions

Learn how to use device filters in Microsoft 365 Conditional Access to secure apps, control access, and simplify management for any device type.
SHARE THIS BLOG:
Table of contents
Why Use Device Filters?
Device Attributes & How to Use Them
How to Set Up Device Filters in Conditional Access
Benefits and Challenges of Device Filters
• Benefits
• Challenges
Troubleshooting Common Issues with Device Filters
Best Practices & Pro Tips
Why Choose Penthara Technologies for Microsoft Security Consulting?
Conclusion
FAQs About Device Filters in Conditional Access

Device filters in Conditional Access help you decide which devices can access your company apps and data. Instead of treating all devices the same, you can make rules that apply only to certain devices.

This makes security better and helps trusted devices work without extra checks.

Here are some quick benefits of using device filters in Conditional Access policy conditions:

  • Keep your company safer by focusing on risky or personal devices
  • Make it easier for trusted devices to connect without trouble
  • Control who can use your apps based on the device they use

In this guide, we’ll show you how to set up device filters in Conditional Access and use Microsoft Entra device filters to protect your business the smart way.

Why Use Device Filters?

Device filters help you choose exactly which devices the rules should apply to - not just whether a device is compliant or not.

  • You can pick certain devices to control, like only phones or only Windows computers.
  • This works even if the device isn’t managed by your company’s Intune system.
  • It saves time because you don’t have to make lots of different rules for every device - one filter can cover exactly what you need.
  • The isCompliant attribute only returns a value for devices managed by Intune - which means enrolling devices in Microsoft Intune first is a hard prerequisite before this filter can do anything meaningful.

Using device filters in Conditional Access helps keep things safe and easy to manage.

Device filters work well alongside IP and location-based Conditional Access rules - together they let you enforce different access behavior based on both what device a user is on and where they're connecting from.

Device Attributes & How to Use Them

When you create device filters in Conditional Access, you tell the system which devices to include or exclude based on certain details about those devices. These details are called device attributes.

This section lists important device attributes you can check and the ways (called operators) you can use to match those attributes in your filters. Using these, you can make very precise rules to control access to your company resources.

Here are some key device attributes you can use:

Attribute What It Means Example Filters
deviceId Unique identifier of the device Equals "12345" or StartsWith "abc"
displayName Display name of the device Contains "Surface" or Equals "John's iPhone"
deviceOwnership Ownership type: Company or Personal Equals "Company" or Equals "Personal"
enrollmentProfileName Name of the Intune enrollment profile used Equals "CorporateProfile" or Contains "BYOD"
isCompliant Compliance status of the device Equals "true" or Equals "false"
manufacturer Device manufacturer Equals "Apple" or Equals "Dell"
mdmAppId ID of the MDM application managing the device Equals "0000000a-0000-0000-c000-000000000000"
model Device model Equals "iPhone 12" or Contains "Surface"
operatingSystem OS name like Windows, iOS, Android Equals "Windows" or Contains "iOS"
operatingSystemVersion OS version StartsWith "10." or Equals "14.4"
physicalIds Hardware identifiers Contains "ABC123" or Equals "XYZ789"
profileType Type of enrollment profile Equals "Autopilot" or Equals "ADE"
systemLabels Labels applied to the device by the system Contains "Corporate" or Equals "Managed"
trustType Trust level of the device Equals "Trusted" or Equals "Unknown"
extensionAttribute1-15 Custom attributes synced from on-prem AD Equals "Sales" or Contains "Remote"

Operators you can use:

  • Equals: Matches exactly
  • Contains: Attribute includes the value anywhere
  • StartsWith: Attribute begins with the value

You can use these attributes and operators to create filters like:

  • Devices with operatingSystem Equals “Windows”
  • Devices where deviceOwnership Equals “Personal”
  • Devices made by deviceManufacturer Equals “Apple”

You can also add extension attributes to filter on extra information unique to your company.

Check out Microsoft Documentation for the reference

How to Set Up Device Filters in Conditional Access

Setting up device filters in Conditional Access is easier than you think. Follow these simple steps to get started:

  1.  Go to the Microsoft Entra portal (entra.microsoft.com) and log in with your admin account.
  2. In the left-hand menu, select Entra ID > Conditional Access.
  3. Click + Create New policy to start a new Conditional Access policy.
Microsoft Entra admin center showing Conditional Access policy with
  1. Give it a clear and meaningful name like “Device Filter Policy.”
Naming a Conditional Access policy in Microsoft Entra admin center.
  1. Under Assignments, select Users or workload identities
    • Under Include, select Directory roles, users or groups the policy covers.
Conditional Access settings page showing the
    • Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.
Conditional Access settings page showing the
  1. Pick the apps this policy should protect (like Microsoft 365 apps).
Under Target resources > Resources (formerly cloud apps) > Include > Select resources (like M365 apps) or All resources (formerly ‘All Cloud Apps’).
Conditional Access screen for selecting target resources such as Office 365 apps or “All Cloud Apps.”
  1. Under Conditions, Filter for devices.
  • Toggle Configure to
  • Set Devices matching the rule to Exclude filtered devices from policy.
  • Add filter rules using device attributes like operatingSystem, deviceTrustType, or deviceOwnership.
  • Use operators like Equals, Contains, or StartsWith to define your filter.
  • Select Done.
Conditional Access “Conditions” page showing the “Filter for devices” option to exclude devices where isCompliant set to True.
In the image above, a Device Filter has been configured to exclude devices that are compliant i.e. the policy will apply to Unmanaged (not enrolled In Intune) or Non-Compliant devices
  1. Set Access Controls: Decide what happens when a device matches your filter - like requiring MFA or blocking access.
Under Access controls > Grant, select Grant accessRequire multifactor authentication, and Require device to be marked as compliant, then select Select
Conditional Access “Grant” controls page with “Require multifactor authentication” enabled.
  1. Turn On the Policy Set the policy state to On and click Create to save it.
Applying the Conditional Access policy to all users.
  1. Test Your Policy Test with a small group to make sure your device filters work as expected without blocking trusted users.
This step-by-step guide helps you use Microsoft Entra device filters to control who can access your apps based on their device details.

Benefits and Challenges of Device Filters

Device filters in Conditional Access policies give you powerful, fine-grained control beyond just marking devices as “compliant” or “not compliant.”

Benefits

  • You can target specific devices by things like operating system version, device model, or even custom tags your organization adds.
  • This helps with special cases like giving high security for admins or handling BYOD (Bring Your Own Device) safely.
  • Device filters let you enforce zero-trust security by making sure only the right devices get access to important resources.

Challenges

  • With this flexibility comes complexity. You have to write filter rules carefully to avoid accidentally blocking good devices or allowing risky ones.
  • These filters need regular updates and maintenance as your device inventory changes.
  • There’s a learning curve - many admins find it tricky at first and wish the feature was easier to set up.
  • Testing is very important. Without thorough tests, you might run into problems with users being blocked or policies not working as expected.
  • Conditional Access policies are often used to secure access to privileged roles. Implementing Privileged Identity Management (PIM) is the next step after Conditional Access, ensuring those roles are not permanently active.

Using device filters well means balancing great control with careful planning and ongoing review.

Troubleshooting Common Issues with Device Filters

Sometimes, your device filters in Conditional Access might not work as expected. Here are some common reasons why:

  • Unregistered Devices: Devices not registered in Entra ID or not reporting device details can be missed by filters.
  • Case Sensitivity: Filters are case sensitive, so “Windows” is different from “windows.” Make sure you use the exact casing.
  • Syntax Errors: Small mistakes in writing filter rules can stop them from working properly.

To find out what’s going wrong, use these tools:

  • Entra ID Sign-in Logs: Check these logs to see which devices tried to sign in and whether they matched your filters.
  • ‘What If’ Tool: This tool lets you simulate how your Conditional Access policies work before applying them. It shows if your filters will include or exclude devices.

Testing and troubleshooting helps you get the most from your device filters in Conditional Access policies without causing issues for your users.

Best Practices & Pro Tips:

To make the most of device filters in Conditional Access, follow these easy tips:

  • Keep your filters simple and clear. Write down what each filter does so you and your team remember why it’s there.
  • Use operators like Equals, Contains, and StartsWith carefully. This helps avoid accidentally including or excluding the wrong devices.
  • Audit your filters regularly. Remove old or unused filters to keep your policies clean and effective.
  • Combine device filters with device compliance policies. This layered security approach gives you stronger protection.
  • Another layer of protection you can align with device filters is enforcing session timeout policies, ensuring users are automatically signed out after inactivity.
  • You can combine Conditional Access with passwordless authentication to create a seamless, phishing-resistant sign-in experience in Microsoft 365.
  • Device filters help you identify non-compliant or unrecognized devices — but when a device actually needs to be acted on, knowing the difference between a full wipe vs selective wipe in Intune determines whether you're removing corporate data only or resetting the entire device to factory state.

Following these best practices will help your Conditional Access policy conditions work smoothly and keep your company secure.

Why Choose Penthara Technologies for Microsoft Security Consulting?

  • Microsoft Solutions Partner: Recognized for excellence in Data & AI, Modern Work, and Digital App Innovation.
  • Certified Experts: Our team holds Microsoft certifications in security, identity, and cloud, with hands-on experience in Conditional Access and device filters.
  • Proven Results: We’ve delivered secure authentication and access solutions for thousands of users across diverse industries.
  • End-to-End Support: From assessment to deployment and ongoing optimization, we guide you every step of the way.

Ready to secure your Microsoft 365 environment with device filters and Conditional Access?
Schedule a free consultation today and let our experts design the right solution for your organization.

Conclusion

Device filters in Conditional Access help you control who can access your company’s apps and data based on their devices. This keeps your environment secure without slowing down trusted users.

FAQs About Device Filters in Conditional Access

  1. What are device filters in Conditional Access?
    Device filters let you create rules that apply only to certain devices based on details like operating system, device ownership, or trust type.
  2. What does it mean to filter devices?
    Filtering devices means setting rules that include or exclude devices based on specific attributes, so you control who can access your apps and data more precisely.
  3. Can Conditional Access policies be applied to devices?
    Yes. Conditional Access policies can target devices using filters, allowing you to control access based on device details like compliance or ownership.
  4. What is device filter mode?
    Device filter mode decides if the policy includes or excludes devices matching the filter rules. You can choose to apply rules only to devices that meet your filter or exclude them.
  5. What is a compliant device in Conditional Access?
    A compliant device follows your company’s security rules, usually managed through Intune or another device management system.
  6. What operator is not always reliable when creating a device filter in Conditional Access for Microsoft Teams rooms on Android devices?
    The Contains operator can sometimes cause unexpected results with specific devices, so always test your filters carefully.
  7. How do I create a filter in Intune?
    You create device filters in Microsoft Entra Conditional Access by using device attributes and operators like Equals, Contains, and StartsWith to build your rules.
  8. What happens when multiple Conditional Access policies apply?
    If more than one policy applies, all must be satisfied for access to be granted. This means filters and rules combine to control access.
  9. How can I test if my device filters are working?
    Use the Entra ID ‘What If’ tool and sign-in logs to see how your filters work before enforcing them. Testing in Report-Only mode helps avoid blocking users accidentally.
  10. How often should I review my device filters?
    Regularly audit and clean up your filters to remove outdated or unused ones, keeping your policies effective and up to date.
  11. Can I combine device filters with compliance policies?
    Yes, combining filters with device compliance policies gives you layered security, making your Conditional Access policies stronger.
Jasjit Chopra
Jasjit Chopra

CEO at Penthara Technologies

About the Author

Microsoft MVP LogoLinked-in

Jasjit Chopra is the CEO of Penthara Technologies and a Microsoft Most Valuable Professional (MVP) with over two decades of hands-on experience in Microsoft 365, SharePoint, and Security. He has led 100+ digital transformation projects across six countries, securing 50,000+ users, migrating 250+ TB of data, and automating processes that save organizations thousands of hours each year. A recognized leader at the crossroads of AI, security, and workplace modernization, Jasjit is passionate about simplifying complexity, mentoring technology professionals, and helping businesses build secure, intelligent, and future-ready digital environments.

Leave a Reply

Your email address will not be published. Required fields are marked *

More From This Category

Set Up Device Enrollment in Microsoft Intune – The Right Way - 2026 Guide

Learn how to set up Microsoft Intune device enrollment, choose the right method for Windows, iOS, Android, and macOS, and avoid common setup mistakes.

Read More
Microsoft Entra ID Smart Lockout: Prevent Brute-Force Password Attacks

Learn how Microsoft Entra ID Smart Lockout works, when to configure it, and best practices to prevent brute-force and password spray attacks.

Read More
Full Wipe vs Selective Wipe in Intune: What IT Admins Need to Know

Learn how Intune full wipe and selective wipe work, when to use them, and best practices for secure device management in BYOD and corporate environments.

Read More
1 2 3 11
chevron-right