Microsoft Technical Takeoff
Nov 27 2023 07:00 AM - Nov 30 2023 11:30 AM (PST)
Microsoft Tech Community

BYOD / Corp Conditional Access Question

Iron Contributor

Hi All


Tricky scenario here and I will try my best to explain.


Conditional Access Policy for BYOD / Personal devices = Require approved app

Conditional Access Policy for Corp devices = Require approved app AND Require compliance


If both are assigned to the same group:

  • Which one takes effect?
  • How to separately assign to Corp and BYOD Conditional Access Policies (dynamic groups? / Excludes etc)

Ideally we would like a separate CA policy for BYOD and Corp where users are in the same group and may have a Corp AND Personal device.


Any help or hints would be great.



4 Replies

You should be able to do this by using Dynamic Device Groups and using a rule like (device.deviceOwnership -eq "Company") for your Corporate devices. In general, the more restrictive policy will take precedence.

best response confirmed by Stuart King (Iron Contributor)

the thing is that at the moment CA supports only user based groups, so you won't be able to target separate policies based on device type.

I was told that it's something in plan, but no ETA.

I have the same need to allow same user to have both corp & BYOD devices with separate policies for each.    Am looking for this in 365 business



@Stuart King Same need here. Hope there is a solution provided for this at some point.