Microsoft have announced that they will be deprecating one of the current conditions within Conditional Access policies. The condition that is going to be removed is “Device State”, a setting that was still in preview.
This condition offered the ability to exclude Hybrid Azure AD Joined and Compliant devices from the policy. If you are currently using this setting and have not updated your policies by the time this condition is removed, you may find that policies that were previously bypassed for managed devices are now being triggered. This could have a major impact on your Conditional Access policies and on the end-user experience when accessing the services within your tenant.
Do not worry, there is a way to configure the same functionality within conditions, but you will need to use “Filter for Devices”.
“Filter for Devices” provides more granularity than “Device State” could offer and so will also allow you to create some very specific device conditions within your Conditional Access policies. One example that we have seen is to capture the IDs of your administrators' devices and create a Conditional Access policy that only allows your administrator accounts to connect from these devices (excluding your break glass account, of course).
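The following is an added example, not code from the original post, showing both of the points above with the Microsoft Graph PowerShell SDK: a device filter that reproduces what the “Device State” exclusion used to do (skip Hybrid Azure AD joined and compliant devices), and the administrator-only-from-known-devices policy. The policy names, group and account object IDs and device IDs are constructed placeholders; the `trustType` value `ServerAD` is how a Hybrid Azure AD joined device appears to the filter.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph module.
# Policy names, object IDs and device IDs below are constructed placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlass   = "<break-glass-account-object-id>"   # placeholder, never filtered by device
$adminsGroup  = "<administrators-group-object-id>"  # placeholder

# 1. Equivalent of the old "Device State" exclusion.
#    Mode "exclude" means the policy is NOT applied to devices that match the rule,
#    i.e. compliant devices and Hybrid Azure AD joined (trustType ServerAD) devices.
#    Unregistered devices have no device object, do not match, and so stay in scope.
$managedDeviceBypass = @{
    displayName   = "Require MFA - bypass managed devices (filter for devices)"
    state         = "enabledForReportingButNotEnforced"   # report-only first, then enable
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications = @{ includeApplications = @("All") }
        devices      = @{
            deviceFilter = @{
                mode = "exclude"
                rule = 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"'
            }
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $managedDeviceBypass

# 2. Administrators may only sign in from their known devices.
#    The rule matches the approved device IDs; with mode "exclude" the policy
#    (which blocks) applies to every device EXCEPT those, so only the listed
#    devices get through. The break glass account is excluded from the policy.
$adminDeviceIds = @(                                      # constructed sample IDs
    "11111111-1111-1111-1111-111111111111",
    "22222222-2222-2222-2222-222222222222"
)
$idList = ($adminDeviceIds | ForEach-Object { '"' + $_ + '"' }) -join ", "

$adminDevicesOnly = @{
    displayName   = "Admins - block sign-in from non-admin devices"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeGroups = @($adminsGroup); excludeUsers = @($breakGlass) }
        applications = @{ includeApplications = @("All") }
        devices      = @{
            deviceFilter = @{
                mode = "exclude"
                rule = "device.deviceId -in [$idList]"
            }
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $adminDevicesOnly

# 3. Check which policies now carry a device filter, so nothing is left relying
#    on the deprecated condition.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.Conditions.Devices.DeviceFilter.Rule } |
    Select-Object DisplayName, State,
        @{ n = "FilterMode"; e = { $_.Conditions.Devices.DeviceFilter.Mode } },
        @{ n = "FilterRule"; e = { $_.Conditions.Devices.DeviceFilter.Rule } }
```

Both policies are created in report-only mode on purpose: review the sign-in log results under “Report-only” before switching `state` to `enabled`, since a mistake in an exclude rule with a block grant can lock out every administrator except the break glass account.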