Under conditional access policies, it is possible to block individual device platforms. In general, it is a good idea to eliminate all ways that a potential threat actor could use to compromise the environment. In other words, block everything that is not needed.

This also applies to device platforms within Microsoft Entra ID. For example, if your organization only uses Windows, iOS, and Android, it’s a good idea to disable all other platforms. If you also use macOS, you need to add macOS as well, of course.

What I would definitely recommend blocking is Windows Phone and unknown platforms. An unrecognized or unknown platform usually means a spoofed User-Agent, a technique used mainly by threat actors.

Under Conditional Access policies, create a new policy to target all cloud applications and all users except the Break-Glass account.

Under Conditions > Device platforms, set Include to Any device and, under Exclude, select the platforms that should remain allowed. This step is easy to get backwards: the goal of the policy is to block everything that is not explicitly permitted, so Include covers every platform (everything is blocked) and Exclude lists the platforms to allow. The result is that every platform except those listed under Exclude is blocked.

Under Access controls, choose Block access. Everything that does not match a platform explicitly listed under Exclude is now blocked.
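The same policy created through the Microsoft Graph PowerShell SDK instead of the portal, as an added example that is not part of the original post. It assumes the Microsoft.Graph.Identity.SignIns module is installed, that the signed-in admin can consent to the listed scopes, and that the break-glass object ID is a placeholder you replace with your own; the allowed-platform list mirrors the Windows/iOS/Android example above.

```powershell
# Added example: create the "block every device platform that is not explicitly
# allowed" Conditional Access policy via Microsoft Graph PowerShell.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Platforms that stay allowed; adjust to what your organization actually uses.
# Valid Graph values: android, iOS, windows, macOS, linux, windowsPhone, all.
$allowedPlatforms = @("windows", "iOS", "android")

# Placeholder (assumption): object ID of the break-glass account that must
# never be caught by this policy. Replace with the real account's object ID.
$breakGlassUserId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName   = "Block unlisted device platforms"
    # Start in report-only mode; switch to "enabled" once the sign-in logs
    # show only the expected sign-ins being flagged.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        applications = @{ includeApplications = @("All") }
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassUserId)
        }
        platforms    = @{
            includePlatforms = @("all")            # Include: Any device (everything in scope)
            excludePlatforms = $allowedPlatforms   # Exclude: the platforms that remain allowed
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")               # Access control: Block access
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm the include/exclude split is the way round
# the post describes: "all" included, only the allowed platforms excluded.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$check | Select-Object Id, DisplayName, State
$check.Conditions.Platforms | Select-Object IncludePlatforms, ExcludePlatforms
```

Leaving the policy in report-only mode first lets you review the Conditional Access tab of the sign-in logs for "Report-only: Failure" entries and confirm that only unexpected platforms (Windows Phone, unknown, anything you forgot to list) would be blocked before you flip `state` to `enabled`.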