IBP-MDM-All Apps: [Block Unsupported Device Platforms] for [All Users]

Best Practice Policies M2

🎯 Purpose

✅ Block all users from accessing any Microsoft cloud application when signing in from unsupported device platforms (Linux or Windows Phone).
➡️ Ensures only platforms capable of meeting modern compliance and security requirements can access organisational resources.


👥 Who is affected

Users: All users
🚫 Exclusions: One exception group (commonly break‑glass or testing)

➡️ All standard users are blocked when accessing from Linux or Windows Phone.


☁️ What access is protected

Applications: All cloud applications
Client types: Browser, mobile, desktop, modern auth, legacy auth (if enabled)

➡️ Any sign‑in to any Microsoft cloud application from unsupported platforms is blocked.


🔐 How platform enforcement works

Targeted Platforms:

  • Linux

  • Windows Phone

➡️ Any sign‑in detected from these platforms is automatically blocked.

Grant control: Block access
➡️ This is a hard block with no fallback and no alternative conditions.


ℹ️ Note

Linux and Windows Phone do not support modern compliance signals, MDM/MAM controls, or secure authentication handling, making them unsuitable for enterprise access.


⚙️ What this policy does NOT enforce

🚫 MFA requirements
🚫 Device compliance
🚫 Location restrictions
🚫 Platform allow‑list (this is an explicit block‑list; platforms not listed are left untouched)
🚫 Risk‑based conditions
🚫 Session controls

➡️ This policy focuses solely on blocking unsupported platforms — nothing else.


🟢 Policy status

Disabled
➡️ Currently not enforcing; no platform‑based blocks are active.
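As an added illustration (not part of the original article), the policy described above expressed as a Microsoft Graph conditionalAccessPolicy body, with a small simulator showing which sign‑ins it would block and a pre‑enablement check; the exception group id is a placeholder.

```python
# Added example: Graph-style body for the platform block policy plus a simulator.
# The exception group id below is a placeholder, not a real object id.
EXCEPTION_GROUP_ID = "00000000-0000-0000-0000-000000000000"

POLICY = {
    "displayName": "IBP-MDM-All Apps: [Block Unsupported Device Platforms] for [All Users]",
    "state": "disabled",  # matches the page: currently not enforcing
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeGroups": [EXCEPTION_GROUP_ID]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
        "platforms": {"includePlatforms": ["linux", "windowsPhone"], "excludePlatforms": []},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}


def is_blocked(policy: dict, platform: str, user_groups: set[str]) -> bool:
    """True if this policy blocks a sign-in from `platform` by a user in `user_groups`.
    Models only the conditions this policy uses: state, user scope/exclusions, platform, grant."""
    if policy["state"] != "enabled":
        return False  # disabled or report-only: nothing is actually blocked
    cond = policy["conditions"]
    users = cond["users"]
    in_scope = "All" in users["includeUsers"]
    excluded = bool(user_groups & set(users.get("excludeGroups", [])))
    if not in_scope or excluded:
        return False  # an exclusion always wins over an inclusion
    plats = cond["platforms"]
    platform_match = platform in plats["includePlatforms"] or "all" in plats["includePlatforms"]
    if platform in plats.get("excludePlatforms", []):
        platform_match = False
    return platform_match and "block" in policy["grantControls"]["builtInControls"]


def lint_policy(policy: dict) -> list[str]:
    """Checks worth running before switching a hard-block policy to enabled."""
    findings = []
    if not policy["conditions"]["users"].get("excludeGroups"):
        findings.append("no exclusion group: enabling could lock out break-glass accounts")
    if "all" in policy["conditions"]["platforms"]["includePlatforms"]:
        findings.append("platform condition is 'all': this would block every device")
    if policy["state"] == "disabled":
        findings.append("policy is disabled: no platform-based blocks are active")
    return findings
```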


📘 Security Alignment

✅ Aligns with Microsoft device‑trust best practices
➡️ Prevents access from platforms that cannot meet enterprise security standards
ℹ️ Supports Zero Trust device governance by eliminating unsecured entry points.


📘 Practical Interpretation (Executive‑Friendly)

This Conditional Access policy ensures that:

❌ No user
❌ Using Linux or Windows Phone
❌ Can access any Microsoft cloud application in your tenant

This removes insecure device platforms from the authentication surface and strengthens the organisation’s overall identity and device security baseline.