It used to be that when you selected Hybrid Joined as the target of your conditional access policy, the policy also applied to Entra Joined devices. This is no longer the case. Today the policy does exactly what it says: it applies only to Hybrid joined devices.
What if we want a policy that applies to Entra Joined devices?
It is often the case that we have both Hybrid joined and Entra joined devices. Here’s what you need to do to get the policy to apply to both types of devices today. If you already have a policy configured for hybrid devices, you first need to remove the hybrid joined requirement from the Grant section of your policy.

Then add a Condition of Filter for devices.

The property to filter on is TrustType. In rule syntax:
- device.trustType -eq "AzureAD" for Entra ID joined
- device.trustType -eq "ServerAD" for hybrid joined

This filters for only Entra joined and Hybrid joined devices and applies the policy to both.
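
To find policies that still depend on the hybrid-only grant control, or whose device filter names only one join type, here is an added example (not from the original post). The function name `Get-CaDeviceScope` and the sample policies are constructed for illustration; the rule syntax and the `ServerAD` value for hybrid joined devices follow Microsoft's filter for devices documentation.

```powershell
# Added example. Property names follow the Microsoft Graph conditionalAccessPolicy resource.
function Get-CaDeviceScope {
    param([Parameter(Mandatory, ValueFromPipeline)] $Policy)
    process {
        $filter = $Policy.Conditions.Devices.DeviceFilter
        $rule   = [string]$filter.Rule
        $grants = @($Policy.GrantControls.BuiltInControls)

        # Trust types compared with -eq in the rule (other operators are not parsed here).
        # AzureAD = Entra joined, ServerAD = hybrid joined.
        $pattern = '(?i)device\.trustType\s+-eq\s+"([^"]+)"'
        $types = @([regex]::Matches($rule, $pattern) |
                   ForEach-Object { $_.Groups[1].Value })

        $finding = if ($grants -contains 'domainJoinedDevice') {
            'Grant requires hybrid join; Entra joined devices cannot satisfy it'
        } elseif (-not $rule) {
            'No device filter configured'
        } elseif (($types -contains 'AzureAD') -and ($types -contains 'ServerAD')) {
            'Filter names both Entra joined and hybrid joined'
        } else {
            'Filter names only: ' + ($types -join ', ')
        }

        [pscustomobject]@{
            Policy     = $Policy.DisplayName
            FilterMode = $filter.Mode
            TrustTypes = $types -join ','
            Finding    = $finding
        }
    }
}

# Constructed sample policies (not real tenant data).
$both = 'device.trustType -eq "AzureAD" -or device.trustType -eq "ServerAD"'
$sample = @(
    [pscustomobject]@{ DisplayName = 'Legacy hybrid grant'
        Conditions    = @{ Devices = $null }
        GrantControls = @{ BuiltInControls = @('mfa', 'domainJoinedDevice') } }
    [pscustomobject]@{ DisplayName = 'Filter, both join types'
        Conditions    = @{ Devices = @{ DeviceFilter = @{ Mode = 'exclude'; Rule = $both } } }
        GrantControls = @{ BuiltInControls = @('block') } }
    [pscustomobject]@{ DisplayName = 'Filter, Entra joined only'
        Conditions    = @{ Devices = @{ DeviceFilter = @{ Mode = 'exclude'; Rule = 'device.trustType -eq "AzureAD"' } } }
        GrantControls = @{ BuiltInControls = @('block') } }
)
$sample | Get-CaDeviceScope | Format-Table -AutoSize

# Against a tenant (Microsoft.Graph module, Policy.Read.All scope):
# Get-MgIdentityConditionalAccessPolicy -All | Get-CaDeviceScope
```

The FilterMode column matters when reading the result: the same rule in include mode and in exclude mode scopes the policy to opposite sets of devices.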