Kind of obvious in retrospect, but I always thought the Manufacturer and Model info in Entra ID is shown for all devices always.
After all, you can use that in Conditional Access to exclude/include devices so surely when a device registers with Entra ID this info too is added somehow. Turns out I was wrong. All you get is the display name and OS & OS version, but not these two.
I had spent a lot of time earlier tweaking some of our Conditional Access policies based on the manufacturer property and today realized they weren’t actually working. Bummer.
I couldn’t find this in any documentation by the way, so the above is just my experience. What I did find in a document is that:
"Devices must be Microsoft Intune managed, compliant, or Microsoft Entra hybrid joined for a value to be available in extensionAttributes1-15 at the time of the Conditional Access policy evaluation."
Which is fine, I sort of expected that. Just was surprised at not seeing model and manufacturer.
Also, good to know:
"When building complex rules or using too many individual identifiers like deviceid for device identities, keep in mind 'The maximum length for the filter rule is 3072 characters'."
Similarly, if a device is not registered in Entra ID, I don’t expect to see any of its properties. So this point too makes sense, and worth keeping in mind I suppose.
"Microsoft Entra ID uses device authentication to evaluate device filter rules. For a device that is unregistered with Microsoft Entra ID, all device properties are considered as null values and the device attributes cannot be determined since the device does not exist in the directory. The best way to target policies for unregistered devices is by using the negative operator since the configured filter rule would apply. If you were to use a positive operator, the filter rule would only apply when a device exists in the directory and the configured rule matches the attribute on the device."
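The null-value behaviour quoted above, and the empty manufacturer/model described earlier in the post, can be checked on paper before relying on a filter. The following is an added example, not code from the post or from Microsoft: a simplified Python model of a single-clause device filter, where the function names, the sample devices and the "Contoso" value are constructed for illustration.

```python
import re

MAX_RULE_LEN = 3072  # limit quoted in the post
# This model handles a single clause: device.<property> <operator> "<value>"
CLAUSE = re.compile(r'^device\.(\w+)\s+(-\w+)\s+"([^"]*)"$')
POSITIVE = {
    "-eq": lambda actual, value: actual == value,
    "-startswith": lambda actual, value: actual.startswith(value),
    "-contains": lambda actual, value: value in actual,
}
NEGATIVE = {"-ne": "-eq", "-notstartswith": "-startswith", "-notcontains": "-contains"}


def rule_matches(rule, device):
    """Evaluate one clause against a dict of device properties (None means no value)."""
    if len(rule) > MAX_RULE_LEN:
        raise ValueError(f"rule is {len(rule)} characters, limit is {MAX_RULE_LEN}")
    parsed = CLAUSE.match(rule.strip())
    if not parsed:
        raise ValueError("rule syntax not supported by this model")
    prop, op, value = parsed.group(1), parsed.group(2).lower(), parsed.group(3)
    negate = op in NEGATIVE
    base = NEGATIVE[op] if negate else op
    if base not in POSITIVE:
        raise ValueError(f"operator {op} not supported by this model")
    actual = device.get(prop)
    # A null property never satisfies a positive operator, so the negative form matches.
    hit = actual is not None and POSITIVE[base](actual, value)
    return not hit if negate else hit


def policy_applies(rule, mode, device):
    """Filter mode 'include': policy applies on a match. 'exclude': applies on no match."""
    matched = rule_matches(rule, device)
    return matched if mode == "include" else not matched


# Constructed sample devices, not real directory objects.
UNREGISTERED = {}
REGISTERED_ONLY = {"displayName": "LAPTOP-01", "operatingSystem": "Windows",
                   "manufacturer": None, "model": None}
INTUNE_MANAGED = dict(REGISTERED_ONLY, manufacturer="Contoso", model="Model-X")

if __name__ == "__main__":
    rule = 'device.manufacturer -eq "Contoso"'
    for name, dev in [("unregistered", UNREGISTERED), ("registered only", REGISTERED_ONLY),
                      ("Intune managed", INTUNE_MANAGED)]:
        print(f"{name:16} exclude-mode policy applies: {policy_applies(rule, 'exclude', dev)}")
```

In this model an exclude-mode rule on manufacturer only exempts the device that actually carries the value, which is the situation the post describes for devices that are merely registered.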