An Azure AD Conditional Access Policy for Internals that blocks unknown or unsupported devices.

Suggested name:
CA2{XX}-Internals-AttackSurfaceReduction-AllApps-UnknownDevices-Block

Assignments

Users

Users and groups  
Include users CA-Persona-Internals
Exclude users Break-glass (emergency access) accounts

Cloud apps or actions

Cloud apps  
Include All cloud apps

Conditions

Device platforms  
Include Any device
Exclude
  • Android
  • iOS
  • Windows
  • macOS
  • Linux
  • Windows Phone

Access controls

Block Access
No additional control selection

References

https://learn.microsoft.com/en-us/azure/architecture/guide/security/conditional-access-architecture https://learn.microsoft.com/en-us/azure/architecture/guide/security/conditional-access-framework https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common