Forum Discussion
BYOD devices can't launch Windows 365 PC because of device compliance check during CA policy check.
Hi wcaetano,
I would not try to solve this only by excluding individual Windows 365-related apps from the existing “require compliant device” policy.
Windows 365 sign-in and connection flows can involve multiple first-party services, and some of the apps shown in the sign-in logs are not always easy to target or exclude directly in Conditional Access.
For BYOD access, I would normally separate this into its own Conditional Access design:
Keep the strict “require compliant device” policy for corporate-managed devices and sensitive apps.
Then create a dedicated Windows 365 / Cloud PC access policy for the BYOD users or groups, using controls such as MFA, sign-in risk, location, session controls, or app protection where applicable, instead of requiring the physical BYOD device to be compliant.
The key point is that the Cloud PC itself can be managed and compliant, but the device used to connect to it may be personal and unmanaged. If your CA policy requires the connecting device to be compliant, BYOD devices will fail before the user can reach the Cloud PC.
Microsoft also has specific guidance for Conditional Access with Windows 365 here:
https://learn.microsoft.com/en-us/windows-365/enterprise/set-conditional-access-policies
So the practical fix is usually policy separation: do not apply a tenant-wide “require compliant device” control to the BYOD Windows 365 access path unless those personal devices are expected to be enrolled and compliant.
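The policy separation described in the reply above can be checked against an export of the tenant's policies. The following is an added example, not part of the original post or Microsoft's guidance: it reads policies in the Microsoft Graph `conditionalAccessPolicy` JSON shape and lists the enforced ones that would demand a compliant device from a BYOD group. The group ID, the app ID and the sample policies are constructed placeholders.

```python
# Added example: flag Conditional Access policies that would block a BYOD group.
# Input is a list of policies in the Microsoft Graph conditionalAccessPolicy JSON shape.
BYOD_GROUP = "byod-group-id"   # constructed placeholder, not a real object ID
W365_APP = "w365-app-id"       # constructed placeholder for the Windows 365 app ID
DEVICE_BOUND = {"compliantDevice", "domainJoinedDevice"}

def blocks_unmanaged_device(policy):
    """True if a personal, unenrolled device cannot satisfy the grant controls."""
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    if "compliantDevice" not in controls:
        return False
    if grant.get("operator") == "AND":
        return True
    # Operator OR: a non-device control such as MFA can satisfy the policy instead.
    return not (controls - DEVICE_BOUND) and not grant.get("authenticationStrength")

def byod_blockers(policies, group=BYOD_GROUP, app=W365_APP):
    """Names of enforced policies that require a compliant device from the group."""
    hits = []
    for p in policies:
        if p.get("state") != "enabled":  # report-only and disabled policies do not block
            continue
        cond = p.get("conditions") or {}
        users = cond.get("users") or {}
        apps = cond.get("applications") or {}
        targeted = ("All" in (users.get("includeUsers") or [])
                    or group in (users.get("includeGroups") or []))
        excluded = group in (users.get("excludeGroups") or [])
        include_apps = apps.get("includeApplications") or []
        # App exclusions on "All" policies are ignored: per the post they are not a reliable fix.
        in_scope = "All" in include_apps or app in include_apps
        if targeted and not excluded and in_scope and blocks_unmanaged_device(p):
            hits.append(p.get("displayName", "<unnamed>"))
    return hits

def _policy(name, users, apps, controls, operator="OR", state="enabled"):
    return {"displayName": name, "state": state,
            "conditions": {"users": users, "applications": apps},
            "grantControls": {"operator": operator, "builtInControls": controls}}

ALL_APPS = {"includeApplications": ["All"], "excludeApplications": [W365_APP]}
SAMPLE = [  # constructed sample policies
    _policy("Tenant-wide compliant device", {"includeUsers": ["All"]}, ALL_APPS, ["compliantDevice"]),
    _policy("Corporate compliant device", {"includeUsers": ["All"], "excludeGroups": [BYOD_GROUP]}, ALL_APPS, ["compliantDevice"]),
    _policy("W365 BYOD MFA", {"includeGroups": [BYOD_GROUP]}, {"includeApplications": [W365_APP]}, ["mfa"]),
    _policy("Compliant or MFA", {"includeUsers": ["All"]}, ALL_APPS, ["compliantDevice", "mfa"]),
    _policy("Report-only pilot", {"includeUsers": ["All"]}, ALL_APPS, ["compliantDevice"], state="enabledForReportingButNotEnforced"),
]
```

Calling `byod_blockers(SAMPLE)` reports only the tenant-wide policy: it still applies to the BYOD group even though the Windows 365 app is excluded, while the variant that excludes the BYOD group is clear.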