Forum Discussion
formolim89
Jul 10, 2025Copper Contributor
Passwordless POC Blocked by CA BYOD Policy – Looking for Workarounds
We’re currently running a POC for passwordless authentication in our environment. One challenge we’ve hit is that our CA BYOD policy blocks personal devices, which prevents users from enabling passwo...
AntonyCapewell
Aug 10, 2025Copper Contributor
Please see below for two options which should work for you:
Option 1: Exclude Users from the Strict BYOD Policy and Apply a Core Apps Block
- How it works:
- Remove your POC users from the existing BYOD CA policy.
- Create a new CA policy that blocks access to all core business apps (e.g., Microsoft 365, Exchange, SharePoint, Teams) for unmanaged devices.
- This ensures users can still set up Microsoft Authenticator and passwordless sign-in on their personal devices, but they cannot access sensitive apps or data from those devices.
- Pros:
✔ Simple to implement
✔ Maintains data security
- Cons:
✖ Requires an additional policy
✖ BYOD devices still interact with the registration process
Option 2: Switch to Authentication Strengths and Require TAP only
- How it works:
- Create a new Authentication Strength selecting TAP as the only method.
- Change the CA policy from a hard block to require an Authentication Strength that only includes Temporary Access Pass (TAP).
- Configure TAP as one-time use and time-limited (e.g., 30–60 minutes).
- The IT administrator provides the user with a TAP code.
- Users use TAP to complete their passwordless setup without relaxing BYOD enforcement for apps.
- Pros:
✔ Strongest security posture
✔ No need to exclude users from existing policies
✔ Fully controlled and auditable
- Cons:
✖ Requires TAP issuance workflow
✖ Slightly more admin overhead
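Option 2 expressed as Microsoft Graph PowerShell, as an added example that is not the poster's own script: it creates a TAP-only authentication strength, a Conditional Access policy (in report-only mode) that requires it for the POC group on unmanaged devices, and a one-time, time-limited TAP. The group object id, user UPN and the device-filter rule used to define "unmanaged" are placeholders/assumptions to adjust for your tenant.

```powershell
# Added example, not the poster's code. Assumes the Microsoft.Graph PowerShell SDK;
# <POC-GROUP-OBJECT-ID> and <POC-USER-UPN> are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "Application.Read.All", "Policy.ReadWrite.AuthenticationMethod",
                        "UserAuthenticationMethod.ReadWrite.All"

# 1. Authentication strength that is satisfied by nothing but a one-time TAP.
$strength = New-MgPolicyAuthenticationStrengthPolicy -BodyParameter @{
    displayName         = "POC - TAP only"
    description         = "Only a one-time Temporary Access Pass satisfies this strength"
    allowedCombinations = @("temporaryAccessPassOneTime")
}

# 2. CA policy: POC group, all apps, unmanaged devices -> require that strength.
#    The filter rule is an assumption about what "unmanaged" means here
#    (not compliant and not Entra-joined); adapt it to your device model.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "POC - BYOD requires TAP-only strength"
    state       = "enabledForReportingButNotEnforced"   # check sign-in logs before enforcing
    conditions  = @{
        users          = @{ includeGroups = @("<POC-GROUP-OBJECT-ID>") }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        devices        = @{
            deviceFilter = @{
                mode = "include"
                rule = 'device.isCompliant -ne True -and device.trustType -ne "AzureAD"'
            }
        }
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $strength.Id }
    }
}

# 3. Issue a one-time TAP valid for 60 minutes; the admin hands it over out of band.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId "<POC-USER-UPN>" -BodyParameter @{
    lifetimeInMinutes = 60
    isUsableOnce      = $true
}

"Policy '$($policy.DisplayName)' created in state $($policy.State)"
"TAP for the POC user (share securely, single use): $($tap.TemporaryAccessPass)"
```

Leave the policy in report-only until the sign-in logs show the POC users being evaluated as expected, then switch `state` to `enabled`.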