So I had this idea that I thought would be possible but as I’m testing it seems not work. I wonder if anyone here has any ideas on getting this working?
Objective: I want to require Compliant device (thus requiring intune) from conditional access, but allow users on a list to optionally use their personal computers to connect to an AVD who is intune compliant already.
The Conditional Access policy in play is one against all users who requires ‘all cloud apps’ and ‘all devices’ to be compliant. In testing, when I attempt to sign into the Remote Desktop App with my targeted account I see the login comes from AppID: a85cf173-4192-42f8-81fa-777a763e6e2c "Azure Virtual Desktop" – however this isn’t an option when I click on "Excluded Apps" in the conditional access policy.
Is it possible to exempt any conditional access policy based on the application ID being reported in the sign-in logs?
2
Answers
I wound up needing five different permissions:
I am not certain but have you tried to exclude Azure Virtual Desktop (9cdead84-a844-4324-93f2-b2e6bb768d07)? Microsoft sometimes have child applications under the parent parent application. Azure CAP is critical, so be sure to validate!