This article describes how to filter Azure Active Directory (Azure AD) joined devices when configuring sign-on rules for the Office 365 app integration in Okta. The filter can be used to allow or deny access to Office 365 resources for specific client types, for example based on whether the organization manages or supports those devices.
- Azure AD-joined devices
- Okta Identity Engine (OIE)
- Office 365
Organizations may need to allow or deny access to Office 365 resources based on the device's status with Azure AD. This can be part of a broader device management strategy or used to restrict access from certain clients that the organization does not support or trust.
- In the Okta Admin Console, go to Applications > Applications, open the Office 365 app integration, and select the Sign On tab.
- Under User authentication > Authentication policy, click View policy details. The same policy can also be reached from Security > Authentication Policies > Microsoft Office 365.
- Either click Add Rule to create a new rule, or open the Actions dropdown of the rule you want to change and select Edit.
- In the If section, select And The following custom expression is true.
- Enter the following expression:
  request.userAgent.contains("WinWord") OR request.userAgent.contains("Windows-AzureAD-Authentication-Provider")
The expression matches any request whose User-Agent header contains either substring. "Windows-AzureAD-Authentication-Provider" is the user agent presented by the Windows Azure AD authentication provider on a joined device, and "WinWord" identifies the Word desktop client. Note that the user agent is supplied by the client and is not verified by Okta or Azure AD: any client can send the same string, so this condition is a way to single out supported clients for policy purposes, not proof that a device is Azure AD-joined. Where access must depend on verified device state, combine it with the rule's device conditions rather than relying on the user agent alone.
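Before enabling such a rule it is worth checking which recent sign-ins it would actually match. The following Python script is an added example and not part of the original article or any Okta-provided tool: it reimplements the expression's substring semantics and runs them over a few constructed System Log records (the field names actor.alternateId, eventType, target[].displayName and client.userAgent.rawUserAgent follow the Okta System Log event format; the records themselves are made up). It also includes a deliberately spoofed user agent to show that the match is purely textual.

```python
"""Dry-run the Office 365 user-agent expression against Okta System Log events.

Added example, not code from the original article. rule_matches() mirrors
the page's custom expression in Python; SAMPLE_EVENTS are constructed
records shaped like Okta System Log entries, not real data.
"""

# The two substrings used by the article's expression.
NEEDLES = ("WinWord", "Windows-AzureAD-Authentication-Provider")


def rule_matches(user_agent):
    """Python equivalent of:
    request.userAgent.contains("WinWord") OR
    request.userAgent.contains("Windows-AzureAD-Authentication-Provider")
    A missing User-Agent header never matches."""
    if not user_agent:
        return False
    return any(needle in user_agent for needle in NEEDLES)


def dry_run(events, app_name="Microsoft Office 365"):
    """Classify SSO events for app_name by whether the expression matches.

    Returns a dict with 'matched' and 'unmatched' lists of (user, user_agent)
    pairs so an admin can see who would be affected before the rule goes live.
    Events for other apps or other event types are ignored."""
    matched, unmatched = [], []
    for ev in events:
        if ev.get("eventType") != "user.authentication.sso":
            continue
        targets = ev.get("target") or []
        if not any(t.get("displayName") == app_name for t in targets):
            continue
        client = ev.get("client") or {}
        ua = (client.get("userAgent") or {}).get("rawUserAgent")
        user = ev["actor"]["alternateId"]
        (matched if rule_matches(ua) else unmatched).append((user, ua))
    return {"matched": matched, "unmatched": unmatched}


def _event(user, ua, app="Microsoft Office 365", event_type="user.authentication.sso"):
    """Build a constructed System Log-shaped record (sample data only)."""
    ev = {
        "eventType": event_type,
        "actor": {"alternateId": user},
        "target": [{"type": "AppInstance", "displayName": app}],
        "client": {"userAgent": {"rawUserAgent": ua}},
    }
    return ev


# Constructed sample events. The user agents are illustrative, not captured.
SAMPLE_EVENTS = [
    # Azure AD-joined Windows device acquiring a token: matches.
    _event("alice@example.com", "Windows-AzureAD-Authentication-Provider/1.0"),
    # Word desktop client: matches via "WinWord".
    _event("bob@example.com", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WinWord 16.0)"),
    # macOS browser sign-in: does not match.
    _event("carol@example.com", "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) Safari/605.1.15"),
    # Spoofed header from a scripting client: matches, showing the check is textual.
    _event("dave@example.com", "curl/8.0 Windows-AzureAD-Authentication-Provider"),
    # Sign-in to a different app: ignored by the dry run.
    _event("erin@example.com", "Windows-AzureAD-Authentication-Provider/1.0", app="Salesforce"),
    # Event without a User-Agent: treated as no match.
    _event("frank@example.com", None),
]


if __name__ == "__main__":
    result = dry_run(SAMPLE_EVENTS)
    for bucket in ("matched", "unmatched"):
        print(f"{bucket}:")
        for user, ua in result[bucket]:
            print(f"  {user}: {ua}")
```

Run it against a real System Log export (for example the JSON returned by the /api/v1/logs endpoint) by loading that list into dry_run instead of SAMPLE_EVENTS; the unmatched list is the set of users and clients the rule would treat differently from Azure AD-joined devices.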
