Forum Discussion

intunewizard
Copper Contributor
Mar 13, 2025

Intune for BYOD mobile and Cross tenant compliance

We have 3 separate companies/tenants, and employees need to access mail from each tenant on a single iOS/Android device, with a CA policy requiring compliance or app protection policy.
I understand that Intune MAM currently will not work, but is on the road map for later this year for iOS (not sure on Android)

Does Web based / JIT for BYOD work on iOS if I setup Cross-tenant access and enable "Trust compliant devices" trust setting? Or do we have to do full device based MDM enrollment? If not, what do I need to do in this scenario?

  • micheleariis
    Steel Contributor

    Hi, currently, to make Conditional Access with "trust compliant devices" work across tenants on iOS/Android, you need full MDM enrollment (Intune device compliance). Cross-tenant Intune MAM support is expected later this year for iOS, but it's not available yet; web-based/JIT access for BYOD with cross-tenant access might work if the device is registered as compliant in the primary tenant and the secondary tenants recognize it via Entra ID cross-tenant trust. However, for a more reliable and secure setup, full MDM enrollment is currently the best option.

    If you want to avoid full MDM enrollment, an alternative is to use app protection policies (MAM) separately in each tenant, but since cross-tenant MAM is not yet supported, users will still need to authenticate separately for each tenant.

  • rebore122
    Copper Contributor

    You're correct that Intune MAM for multi-tenant access is currently limited, and full support for iOS is expected later this year, while Android timelines are unclear.


    Regarding your questions:

    Web-Based / JIT for BYOD on iOS with Cross-Tenant Access:

    If you configure Cross-Tenant Access and enable "Trust compliant devices", it should allow access for compliant devices from other tenants only if they are fully enrolled in MDM and meet compliance requirements.

    However, for BYOD scenarios without full MDM enrollment, this will not work as expected since compliance policies are enforced at the tenant level, and app protection policies (MAM) do not support cross-tenant access yet.


    Do You Need Full Device-Based MDM Enrollment?

    Yes, for the CA policy requiring compliance, the device must be enrolled in one of the tenants and marked as compliant.

    Without MDM enrollment, compliance policies won’t apply across tenants, meaning employees would be blocked unless Microsoft releases multi-tenant MAM support.


    Alternative Workarounds:

    Conditional Access Exception: You could create an exception for specific apps (like Outlook) to allow access via App Protection Policies until MAM supports multi-tenancy.

    Use Different Profiles: Some organizations opt for separate profiles or containers for each tenant, but this isn’t always user-friendly.
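Both replies above hinge on the same setting: the "Trust compliant devices" inbound trust in Entra ID cross-tenant access settings, which only has an effect for devices that are MDM-enrolled and marked compliant by Intune in their home tenant. The following is an added example, not code posted by anyone in this thread, showing how an admin of the resource tenant (the one whose Conditional Access policy requires a compliant device) would set that inbound trust for the two partner tenants with the Microsoft Graph PowerShell SDK and then read it back to verify. The two tenant IDs are placeholders; the required scope and cmdlet names are the real Graph SDK ones, but the choice to leave hybrid-join trust off is an assumption for a mobile-only scenario.

```powershell
# Added example (not from the thread). Run in EACH tenant that enforces a
# compliant-device Conditional Access policy, once per partner tenant whose
# users (as B2B guests) need to be accepted with their home-tenant device claims.
# Requires the Microsoft.Graph.Identity.SignIns module.
Import-Module Microsoft.Graph.Identity.SignIns

# Policy.ReadWrite.CrossTenantAccess is the delegated scope these cmdlets need.
Connect-MgGraph -Scopes "Policy.ReadWrite.CrossTenantAccess"

# Placeholder tenant IDs (assumption): replace with the real partner tenant IDs.
$partnerTenants = @(
    "11111111-1111-1111-1111-111111111111",   # company B
    "22222222-2222-2222-2222-222222222222"    # company C
)

foreach ($tenantId in $partnerTenants) {
    # Inbound trust: accept the MFA and device-compliance claims the partner's
    # Entra ID issues for its own users. Compliance itself is still evaluated by
    # Intune in the user's home tenant, so an unenrolled BYOD device never
    # carries a compliant claim and the CA policy will still block it.
    $inboundTrust = @{
        IsMfaAccepted                       = $true
        IsCompliantDeviceAccepted           = $true
        IsHybridAzureADJoinedDeviceAccepted = $false   # assumption: no hybrid-joined phones
    }

    $existing = Get-MgPolicyCrossTenantAccessPolicyPartner `
        -CrossTenantAccessPolicyConfigurationPartnerTenantId $tenantId `
        -ErrorAction SilentlyContinue

    if ($null -eq $existing) {
        # No partner-specific configuration yet: create one.
        New-MgPolicyCrossTenantAccessPolicyPartner `
            -TenantId $tenantId `
            -InboundTrust $inboundTrust | Out-Null
    } else {
        # Partner configuration exists: only update the inbound trust block.
        Update-MgPolicyCrossTenantAccessPolicyPartner `
            -CrossTenantAccessPolicyConfigurationPartnerTenantId $tenantId `
            -InboundTrust $inboundTrust
    }
}

# Verify what is actually stored for every partner tenant.
Get-MgPolicyCrossTenantAccessPolicyPartner |
    Select-Object TenantId,
        @{ n = 'TrustsCompliantDevice'; e = { $_.InboundTrust.IsCompliantDeviceAccepted } },
        @{ n = 'TrustsMfa';             e = { $_.InboundTrust.IsMfaAccepted } }
```

Two checks worth doing after running this: first, the trust is consumed only when the user signs in to the resource tenant as a B2B collaboration guest homed in the partner tenant; a separate native account in each tenant carries no device claim from the other tenants, so the three-mailbox scenario above needs guest identities (or a shared home tenant) for the trust to matter. Second, because the setting is per direction, the same configuration has to be repeated in every tenant that enforces the compliant-device policy, each time listing the other two as partners.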
