Forum Discussion
heinzelrumpel
Mar 11, 2025 Brass Contributor
Force users to "entra register" their devices
Hi,
is it possible to force users to register their devices when they log in with their company account on any device other than a company-owned one?
I tested on my private smartphone. I logged in as a normal user with my company account, and my device did not show up in Entra as "Microsoft Entra registered".
Any ideas? Thanks
I don't know of a way to "force" this outside of a CA Policy, configured so that devices have to be registered or MDM enrolled (Intune) to access the applications. There is a CA Policy Template in Preview currently that you can take a look at for a possibility.
They would have to enroll and be compliant to access your applications, etc.
Another way to potentially do it with phones is to setup Passwordless Sign-In which requires devices to be registered to work. Then you could make an Authentication Strength to only allow Passwordless Sign-in, but you would need to test all this to make sure it would work in the order that you desire.
There are settings in Intune for BYOD that would require registration and enrollment to access company resources, or they wouldn't be allowed. That is how my organization has it set for my personal device. If I want to access company resources, I have to enroll and therefore register my device and allow some specific apps (Defender, etc.) to be installed and configured or I can't access these resources on my personal device at all.
See if this helps!
NOTE: To get to the Conditional Access Policy Template mentioned above, sign-in to the Azure Portal, navigate to Entra ID, then Security, then Conditional Access. At the top, hit the + Create new policy from templates and choose Zero Trust. You may have to hit the "Show more" option at the lower left to see the one I referenced above.
Edward
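As an added example (not code from the thread or from Microsoft), the following Microsoft Graph PowerShell script creates the kind of Conditional Access policy Edward describes: it requires a compliant (hence registered and Intune-enrolled) device for all cloud apps, starts in report-only mode so nobody is locked out while you review the sign-in log, and then lists which devices actually show up as Microsoft Entra registered. The group ID and break-glass user ID are placeholders you must replace; the cmdlets and the `trustType` values are from the Microsoft.Graph SDK.

```powershell
# Added example, not part of the original forum post.
# Requires the Microsoft.Graph PowerShell SDK and a Conditional Access Administrator role.
# Placeholders (assumed, not real identifiers): $PilotGroupId, $BreakGlassUserId.

Install-Module Microsoft.Graph -Scope CurrentUser   # run once
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','Device.Read.All'

$PilotGroupId     = '00000000-0000-0000-0000-000000000000'   # assumed: pilot user group
$BreakGlassUserId = '11111111-1111-1111-1111-111111111111'   # assumed: emergency access account

# Report-only first: the policy is evaluated and logged but not enforced, so the
# "Report-only" tab of the sign-in logs shows who would have been blocked.
$policy = @{
    displayName = 'BYOD: require compliant device for all cloud apps (report-only)'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeGroups = @($PilotGroupId)
            excludeUsers  = @($BreakGlassUserId)   # never lock out the emergency account
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        # compliantDevice: the device must be Intune-enrolled and marked compliant.
        # A device cannot be compliant without first being registered, so this also
        # covers the "must be Entra registered" requirement from the question.
        builtInControls = @('compliantDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Verification: list devices by join type.
#   trustType 'Workplace' = Microsoft Entra registered
#   trustType 'AzureAd'   = Microsoft Entra joined
#   trustType 'ServerAd'  = Microsoft Entra hybrid joined
# A phone that only signed in through a browser normally has no device object at all;
# registration happens through the Authenticator / Company Portal flow.
Get-MgDevice -All -Property displayName,trustType,isCompliant,operatingSystem,registrationDateTime |
    Where-Object TrustType -eq 'Workplace' |
    Select-Object DisplayName, TrustType, IsCompliant, OperatingSystem, RegistrationDateTime |
    Format-Table -AutoSize

# Once the report-only results look right, switch the policy to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```

If private phones should be registered but not fully MDM enrolled, the usual alternative is the `compliantApplication` grant control (Intune app protection policy) instead of `compliantDevice`; registration still happens as part of the Company Portal / Authenticator broker flow, but the device itself is not managed. Whichever control you pick, keep the break-glass exclusion and the report-only stage, because a "require compliant device" policy on "All cloud apps" with no exclusions will also block the administrator who created it.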
- heinzelrumpel Brass Contributor
Hi Edward,
thanks for your valued info. I think the BYOD way would be the best solution, because private devices should not be enrolled in Intune, but rather just be registered.
You are saying there are settings in Intune that require registration. I seem to be blind, not finding them. Could you point me in the right direction? Thanks.
Heinzelrumpel
- EFDake Iron Contributor
Heinzelrumpel,
I'm not the world's best at Intune... so, I might be stating something incorrectly. I do know that at my job, if I want to access any corporate resources, I have to enroll my BYOD into Intune and they push some policies to it. It has to be a Microsoft Entra registered device and compliant. They require the use of a VPN and Microsoft Defender, which they installed on the device. This is my personal device. It shows the MDM as Intune, Security Settings Management as Intune, and the Join Type as Microsoft Entra Registered. And of course, it is Yes for Compliant.
The registration was required by Intune via some configuration.
Edward