How to Create a Condition Access to Exclude AAD join Device Without asking MFA or Identification


Hi All,

Hello Dears, How to create a condition access to exclude AAD join Devices , to not ask for users for MFA or identifications.

Posted by Anonymous member in HTMD FB Group

AAD - HTMD Forum - Welcome to the world of Device Management! This is community build by Device Management Admins for Device Management Admins❤️ Ask your questions!! We are here to help you! - How to Create a Condition Access to Exclude AAD join Device Without asking MFA or Identification


Answers ( 4 )


    Replied by Joakim Hellström

    And why should they be excluded? There accounts are not less exposed then others. Do MFA for everyone, everywhere.

    Replied by Steven McKenzie

    Exactly like everyone else said
    Also do this for best practice


    Replied by Joakim Hellström

    Zubair Syed NO

    Replied by Zubair Syed

    Why? any reason?

    Replied by Sanjay Mittal

    By default, once the PC is AAD joined, it does not ask for MFA once authenticated in any desktop app if pushed by intune. Create a breakglass account or exclude one account. Do not disable location-based or IP-based MFA. One compromised device can cause damage.


    Replied by Pierre Dalla

    You have to use conditional Access rules. Don’t forget to Always exclude administrators just in case. Use a rules to require MFA but make an exclude for hybrid join computer, this is better than a safe location in case the user working from remote and thus get a different public id

    Replied by Joakim Hellström

    Pierre Dalla Don’t exclude admins. The should always use MFA. Setup 2 break glass accounts, put them in a group and exclude that one.

    Replied by Zubair Syed

    create trusted location and apply policy to not challenge MFA instead of excluding AAD devices


    More detiles Restore Deleted AAD User from Azure Active Directory Portal

    Replied by Christian Arenfeldt Løth

    Don’t do it. Setup trusted locations instead and require compliant status, that way you don’t get asked for MFA while in the office but still need MFA if you are outside the office.

    Replied by Joakim Hellström

    Christian Arenfeldt Løth Don’t do that. If someone get access to the network you have zero security.

    Replied by Zubair Syed

    Christian Arenfeldt Løth if someone gets into your Network then what’s the point of security?

Leave an answer

Sorry, you do not have permission to answer to this question .