Forum Discussion
Conditional Access - Block all M365 apps private Mobile Device
Hi there!
I completely understand your frustration - I've seen this exact scenario many times when deploying mobile device policies. The good news is this is a common configuration issue with a straightforward fix!
UNDERSTANDING THE PROBLEM
The issue is that your fresh, unregistered Android device doesn't have any device ownership attribute in Entra ID yet. Here's what's happening:
Your current filter logic:
Exclude devices where: device.deviceOwnership -eq "Company"
This means:
- ❌ Exclude Company devices from the block (correct intention)
- ✅ Apply block to everything else (correct intention)
BUT - An unregistered personal device has:
- No deviceOwnership attribute at all
- No compliance status
- No device record in Entra ID
Result: The filter doesn't match the device, so the policy doesn't apply!
THE SOLUTION - INVERSE LOGIC APPROACH
Instead of trying to block personal devices, allow only compliant company devices. Here's the corrected policy:
Policy Configuration:
Assignments:
- Users: All users (or your target group)
- Cloud apps: All cloud apps
- Exclude: Microsoft Intune, Microsoft Intune Enrollment -> be careful not to give access to other apps through these exclusions!
Conditions:
- Device platforms: Android, iOS
- Client apps: Mobile apps and desktop clients, Exchange ActiveSync clients
Filter for devices:
Include filtered devices in policy
device.deviceOwnership -eq "Company" -and device.isCompliant -eq True
Access controls:
- Grant access (but require compliant device - already ensured by filter)
Create a SECOND policy for blocking
Assignments:
- Same users and apps
Conditions:
- Same platforms and clients
Filter for devices:
Exclude filtered devices from policy
device.deviceOwnership -eq "Company"
Access controls:
- Block access
⚠️ CRITICAL POINTS FROM MY EXPERIENCE
1. Device Registration First
Your test device needs to be either:
- Enrolled in Intune (Company-owned)
- OR registered in Entra ID (for BYOD scenarios with compliance)
A completely unregistered device is "invisible" to CA policies with device filters.
2. Better Approach - Require Compliant Device
For blocking personal devices, I actually recommend this simpler approach:
Cloud apps: All cloud apps (exclude Intune)
Platforms: iOS, Android
Grant: Require device to be marked as compliant
Then only enroll company devices in Intune. Personal devices without enrollment = automatically blocked.
3. Testing Strategy
To properly test blocking of personal devices:
1. First enroll a test device as "Company" in Intune
2. Verify it works with the policy
3. Then unenroll it or change ownership to "Personal"
4. Now test the block - it will work!
4. Don't Forget Break-Glass Accounts
Always exclude at least one admin account from blocking policies.
REAL-WORLD DEPLOYMENT TIPS
In my last deployment for 27,000 users:
- Started with Report-Only mode for 2 weeks
- Monitored impact with Conditional Access Insights
- Gradually enabled enforcement by department
- Had clear communication for users and local IT about enrollment requirements
ADDITIONAL RESOURCES
- https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-condition-filters-for-devices
- https://learn.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-enrollment
RECOMMENDED NEXT STEPS
1. Test with a device enrolled as "Company" first
2. Implement the "Require compliant device" approach (simpler)
3. Use Report-Only mode before enforcing
4. Document your enrollment process for users
Let me know if this resolves your issue or if you need clarification on any step! Happy to help you get this working properly.
Good luck! 💪
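An added example, not part of the original post and not Microsoft's own sample code: a Microsoft Graph PowerShell script that creates the post's block policy (the "second policy" with the exclude filter on device.deviceOwnership) and the "require compliant device" alternative it recommends, both in report-only mode, both excluding the Intune apps and a break-glass account. The break-glass object ID and the user scope are hypothetical placeholders; the two Intune application IDs are the well-known first-party values and should be verified in your tenant before use.

```powershell
# Added example (not from the original post). Creates two Conditional Access policies
# via Microsoft Graph PowerShell in report-only mode so their impact can be reviewed
# in Conditional Access Insights before enforcement.
#
# Assumptions (not from the post):
#  - $BreakGlassAccountIds and $TargetUsers are hypothetical placeholders.
#  - The Intune app IDs below are the well-known first-party service principal AppIds;
#    verify them in your tenant with Get-MgServicePrincipal.

#Requires -Modules Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Hypothetical placeholders: replace with object IDs from your tenant.
$BreakGlassAccountIds = @('00000000-0000-0000-0000-000000000001')
$TargetUsers          = @('All')   # or scope with includeGroups instead

# Well-known first-party app IDs; verify in your tenant:
#   Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Intune'" | Select-Object AppId
$IntuneAppId           = '0000000a-0000-0000-c000-000000000000'
$IntuneEnrollmentAppId = 'd4ebce55-015a-49b5-a083-c84d1797ae8c'

# Conditions shared by both policies: all apps except the Intune apps needed for
# enrollment, iOS/Android only, mobile apps + Exchange ActiveSync, break-glass excluded.
$commonConditions = @{
    users = @{
        includeUsers = $TargetUsers
        excludeUsers = $BreakGlassAccountIds   # never lock out the break-glass accounts
    }
    applications = @{
        includeApplications = @('All')
        excludeApplications = @($IntuneAppId, $IntuneEnrollmentAppId)
    }
    platforms = @{
        includePlatforms = @('android', 'iOS')
    }
    clientAppTypes = @('mobileAppsAndDesktopClients', 'exchangeActiveSync')
}

# Policy 1: the post's blocking policy. Exclude mode means devices matching the rule
# (Company-owned) are left alone and everything else on iOS/Android is blocked.
$blockPolicy = @{
    displayName = 'CA-Mobile-Block-NonCompany-Devices'
    state       = 'enabledForReportingButNotEnforced'   # report-only first
    conditions  = $commonConditions + @{
        devices = @{
            deviceFilter = @{
                mode = 'exclude'
                rule = 'device.deviceOwnership -eq "Company"'
            }
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

# Policy 2: the post's simpler alternative. No device filter at all; the grant control
# requires a compliant device, so unenrolled personal devices cannot satisfy it.
$compliantPolicy = @{
    displayName   = 'CA-Mobile-Require-Compliant-Device'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = $commonConditions
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice')
    }
}

foreach ($policy in @($blockPolicy, $compliantPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}
```

Leave both policies in report-only until the sign-in logs show only the expected devices being blocked, then flip `state` to `enabled` with Update-MgIdentityConditionalAccessPolicy. In practice you would deploy only one of the two approaches; both are created here so their report-only results can be compared against each other.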