So I had this idea that I thought would be possible but as I'm testing it seems not work. I wonder if anyone here has any ideas on getting this working?

Objective: I want to require Compliant device (thus requiring intune) from conditional access, but allow users on a list to optionally use their personal computers to connect to an AVD who is intune compliant already.

The Conditional Access policy in play is one against all users who requires 'all cloud apps' and 'all devices' to be compliant. In testing, when I attempt to sign into the Remote Desktop App with my targeted account I see the login comes from AppID: a85cf173-4192-42f8-81fa-777a763e6e2c "Azure Virtual Desktop" - however this isn't an option when I click on "Excluded Apps" in the conditional access policy.

Is it possible to exempt any conditional access policy based on the application ID being reported in the sign-in logs?

CodePudding user response：

I am not certain but have you tried to exclude Azure Virtual Desktop (9cdead84-a844-4324-93f2-b2e6bb768d07)? Microsoft sometimes have child applications under the parent parent application. Azure CAP is critical, so be sure to validate!

CodePudding user response：

I wound up needing five different permissions: Azure Virtual Desktop 9cdead84-a844-4324-93f2-b2e6bb768d07

Azure Windows VM Sign-In 372140e0-b3b7-4226-8ef9-d57986796201

Microsoft Remote Desktop a4a365df-50f1-4397-bc59-1a1564b8bb9c

Windows Virtual Desktop AME 5a0aa725-4958-4b0c-80a9-34562e23f3b7

Windows Virtual Desktop Client fa4345a4-a730-4230-84a8-7d9651b86739