BYOD / Corp Conditional Access Question

Hi All

Tricky scenario here and I will try my best to explain.

Conditional Access Policy for BYOD / Personal devices = Require approved app

Conditional Access Policy for Corp devices = Require approved app AND Require compliance

If both are assigned to the same group:

  • Which one takes effect?
  • How to separately assign to Corp and BYOD Conditional Access Policies (dynamic groups? / Excludes etc)

Ideally we would like a separate CA policy for BYOD and Corp where users are in the same group and may have a Corp AND Personal device.

Any help or hints would be great.

Stuart

4 Replies

You should be able to do this by using Dynamic Device Groups and using a rule like (device.deviceOwnership -eq "Company") for your Corporate devices. In general, the more restrictive policy will take precedence.

Solution

The thing is that at the moment CA supports only user-based groups, so you won't be able to target separate policies based on device type.

I was told that it's something in plan, but no ETA.

I have the same need to allow the same user to have both corp & BYOD devices with separate policies for each. Am looking for this in 365 Business.

@Stuart King Same need here. Hope there is a solution provided for this at some point.
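Added example, not part of any post in this thread: a simplified Python model of the scenario above, assuming that every policy whose user assignment matches a sign-in must be satisfied and that targeting looks only at user groups, as the accepted reply describes. The policy names, the group name `All-Staff` and the control labels are constructed for illustration.

```python
from dataclasses import dataclass

# Simplified model (assumption): a policy targets user groups only and lists
# grant controls that must all be met. All names and sample data are constructed.
@dataclass(frozen=True)
class Policy:
    name: str
    user_groups: frozenset
    required: frozenset          # grant controls joined with AND

@dataclass(frozen=True)
class SignIn:
    user_groups: frozenset
    ownership: str               # "Company" or "Personal"; never used for targeting
    satisfied: frozenset         # controls this device/app can satisfy

def applicable(policies, signin):
    """Policies whose user assignment matches; device ownership plays no part."""
    return [p for p in policies if p.user_groups & signin.user_groups]

def evaluate(policies, signin):
    """Return (allowed, unmet) where unmet maps policy name -> missing controls."""
    unmet = {}
    for p in applicable(policies, signin):
        missing = p.required - signin.satisfied
        if missing:
            unmet[p.name] = sorted(missing)
    return (not unmet, unmet)

# Both policies from the question, assigned to the same user group.
STAFF = frozenset({"All-Staff"})
POLICIES = [
    Policy("BYOD", STAFF, frozenset({"approvedApp"})),
    Policy("Corp", STAFF, frozenset({"approvedApp", "compliantDevice"})),
]
# One user, two devices: an enrolled corporate phone and an unenrolled personal one.
corp_phone = SignIn(STAFF, "Company", frozenset({"approvedApp", "compliantDevice"}))
personal_phone = SignIn(STAFF, "Personal", frozenset({"approvedApp"}))

if __name__ == "__main__":
    for label, s in (("corp", corp_phone), ("personal", personal_phone)):
        print(label, evaluate(POLICIES, s))
```

Under these assumptions both policies apply to both devices, so the personal phone is held to the Corp policy's compliance requirement as well.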
