Forum Discussion

GodCordial
Copper Contributor
Sep 19, 2025
Solved

Conditional Access - Block all M365 apps private Mobile Device

Hello, I've tried to block all private mobile phones from accessing all apps from M365, but it won't work. I'm testing it at the moment with one test.user@ I created a CA rule: Cloud Apps Include: All C...
  • DavidBouhadana
    Sep 22, 2025

    Hi there!

    I completely understand your frustration - I've seen this exact scenario many times when deploying mobile device policies. The good news is this is a common configuration issue with a straightforward fix!

    UNDERSTANDING THE PROBLEM

    The issue is that your fresh, unregistered Android device doesn't have any device ownership attribute in Entra ID yet. Here's what's happening:

    Your current filter logic:

    Exclude devices where: device.deviceOwnership -eq "Company"

    This means:
    - āŒ Exclude Company devices from the block (correct intention)
    - āœ… Apply block to everything else (correct intention)

    BUT - An unregistered personal device has:
    - No deviceOwnership attribute at all
    - No compliance status
    - No device record in Entra ID

    Result: The filter doesn't match the device, so the policy doesn't apply!

    THE SOLUTION - INVERSE LOGIC APPROACH

    Instead of trying to block personal devices, allow only compliant company devices. Here's the corrected policy:

    Policy Configuration:

    Assignments:
    - Users: All users (or your target group)
    - Cloud apps: All cloud apps
      - Exclude: Microsoft Intune, Microsoft Intune Enrollment -> be careful not to give access to other apps through these exclusions!

    Conditions:
    - Device platforms: Android, iOS
    - Client apps: Mobile apps and desktop clients, Exchange ActiveSync clients

    Filter for devices:

    Include filtered devices in policy
    device.deviceOwnership -eq "Company" -and device.isCompliant -eq True

    Access controls:
    - Grant access (but require compliant device - already ensured by filter)


    Create a SECOND policy for blocking

    Assignments:
    - Same users and apps

    Conditions:
    - Same platforms and clients

    Filter for devices:

    Exclude filtered devices from policy  
    device.deviceOwnership -eq "Company"

    Access controls:
    - Block access

    āš ļø CRITICAL POINTS FROM MY EXPERIENCE

    1. Device Registration First
    Your test device needs to be either:
    - Enrolled in Intune (Company-owned)
    - OR registered in Entra ID (for BYOD scenarios with compliance)

    A completely unregistered device is "invisible" to CA policies with device filters.

    2. Better Approach - Require Compliant Device

    For blocking personal devices, I actually recommend this simpler approach:


    Cloud apps: All cloud apps (exclude Intune)
    Platforms: iOS, Android  
    Grant: Require device to be marked as compliant

    Then only enroll company devices in Intune. Personal devices without enrollment = automatically blocked.

    3. Testing Strategy

    To properly test blocking of personal devices:
    1. First enroll a test device as "Company" in Intune
    2. Verify it works with the policy
    3. Then unenroll it or change ownership to "Personal"
    4. Now test the block - it will work!

    4. Don't Forget Break-Glass Accounts

    Always exclude at least one admin account from blocking policies.

    REAL-WORLD DEPLOYMENT TIPS

    In my last deployment for 27,000 users:
    - Started with Report-Only mode for 2 weeks
    - Monitored impact with Conditional Access Insights
    - Gradually enabled enforcement by department
    - Had clear communication for users and local IT about enrollment requirements

    ADDITIONAL RESOURCES

    - [https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-condition-filters-for-devices]
    - [https://learn.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-enrollment]

    RECOMMENDED NEXT STEPS

    1. Test with a device enrolled as "Company" first
    2. Implement the "Require compliant device" approach (simpler)
    3. Use Report-Only mode before enforcing
    4. Document your enrollment process for users

    Let me know if this resolves your issue or if you need clarification on any step! Happy to help you get this working properly.

    Good luck! 💪
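
As an added example (not part of the original thread or either poster's configuration), the following script creates the three Conditional Access policies described in the answer above with the Microsoft Graph PowerShell SDK: the "require compliant device" policy from point 2, and the include-filter / exclude-filter pair from the inverse-logic section. Every policy is created in report-only mode and excludes one break-glass account, as the answer recommends. Assumptions: the Microsoft.Graph module is installed, the account running the script holds the Conditional Access Administrator role, `-BreakGlassUpn` names an existing emergency-access account, and the `MOBILE-` display-name prefix is an arbitrary convention chosen here. The Intune application IDs are resolved by display name rather than hard-coded.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns
<#
  Added example, not code from the thread. Creates the three Conditional Access
  policies described in the answer via the Microsoft Graph PowerShell SDK:
    MOBILE-01  Require compliant device on iOS/Android (the "simpler approach")
    MOBILE-02  Allow only compliant, company-owned devices (include device filter)
    MOBILE-03  Block everything the "Company" filter does not exclude (exclude device filter)
  Every policy is created in report-only mode and excludes one break-glass account.
  Assumed: the Microsoft.Graph module is installed, the caller holds the
  Conditional Access Administrator role, and -BreakGlassUpn names an existing
  emergency-access account. App IDs are resolved by display name, not hard-coded.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $BreakGlassUpn,
    [string] $Prefix = 'MOBILE'     # naming convention assumed for this example only
)

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All', 'User.Read.All' -NoWelcome

# Resolve the exclusions by name so nothing in this script depends on a GUID being right.
$breakGlass = Get-MgUser -UserId $BreakGlassUpn -Property Id
$intuneAppIds = foreach ($name in 'Microsoft Intune', 'Microsoft Intune Enrollment') {
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$name'" -Property AppId
    if (-not $sp) { throw "Service principal '$name' not found; refusing to create a policy with a missing exclusion." }
    $sp.AppId
}

# Fresh hashtable per call: the three policies must not share (and silently mutate) one object.
function New-BaseConditions {
    @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @('All'); excludeApplications = @($intuneAppIds) }
        platforms      = @{ includePlatforms = @('android', 'iOS') }
        clientAppTypes = @('mobileAppsAndDesktopClients', 'exchangeActiveSync')
    }
}

$requireCompliant = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
$block            = @{ operator = 'OR'; builtInControls = @('block') }

# Policy 1: the answer's recommended approach, no device filter at all.
$p1 = @{
    displayName   = "$Prefix-01 Require compliant device (iOS/Android)"
    state         = 'enabledForReportingButNotEnforced'
    conditions    = New-BaseConditions
    grantControls = $requireCompliant
}

# Policy 2: include filter, so only registered, company-owned, compliant devices are in scope.
$p2 = @{
    displayName   = "$Prefix-02 Allow compliant company devices"
    state         = 'enabledForReportingButNotEnforced'
    conditions    = New-BaseConditions
    grantControls = $requireCompliant
}
$p2.conditions.devices = @{
    deviceFilter = @{ mode = 'include'; rule = 'device.deviceOwnership -eq "Company" -and device.isCompliant -eq True' }
}

# Policy 3: exclude filter, everything not recognised as company-owned is blocked.
$p3 = @{
    displayName   = "$Prefix-03 Block non-company devices"
    state         = 'enabledForReportingButNotEnforced'
    conditions    = New-BaseConditions
    grantControls = $block
}
$p3.conditions.devices = @{
    deviceFilter = @{ mode = 'exclude'; rule = 'device.deviceOwnership -eq "Company"' }
}

foreach ($body in $p1, $p2, $p3) {
    if ($PSCmdlet.ShouldProcess($body.displayName, 'Create report-only Conditional Access policy')) {
        $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
        '{0,-45} state={1} id={2}' -f $created.DisplayName, $created.State, $created.Id
    }
}
```

Run it once with `-WhatIf` to see the three policies that would be created without touching the tenant, then without it to create them in report-only mode. After the monitoring period the answer describes, change `state` to `enabled` (via `Update-MgIdentityConditionalAccessPolicy` or the portal) only on the policies whose report-only results look right; the break-glass exclusion stays in place throughout.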
