SOLVED

BYOD / Corp Conditional Access Question


Hi All
Tricky scenario here and I will try my best to explain.
Conditional Access Policy for BYOD / Personal devices = Require approved app

Conditional Access Policy for Corp devices = Require approved app AND Require compliance
If both are assigned to the same group:

  • Which one takes effect?
  • How to separately assign to Corp and BYOD Conditional Access Policies (dynamic groups? / Excludes etc)

Ideally we would like a separate CA policy for BYOD and Corp where users are in the same group and may have a Corp AND Personal device.
Any help or hints would be great.
Stuart

4 Replies

You should be able to do this by using Dynamic Device Groups and using a rule like (device.deviceOwnership -eq "Company") for your Corporate devices. In general, the more restrictive policy will take precedence.
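As an added example (not code from the thread), the dynamic device groups this reply describes, created with Microsoft Graph PowerShell; the group names and the `"Personal"` value for the BYOD rule are assumptions.

```powershell
# Added example, not from the original post. Creates two dynamic device groups
# keyed on device.deviceOwnership, then checks how many devices landed in each.
# Assumes the Microsoft.Graph.Groups module and Group.ReadWrite.All consent.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Group names are assumptions; the rule syntax is the one the reply quotes.
$groups = @(
    @{ Name = "DEV-Corp-Owned";    Rule = '(device.deviceOwnership -eq "Company")'  }
    @{ Name = "DEV-BYOD-Personal"; Rule = '(device.deviceOwnership -eq "Personal")' }
)

foreach ($g in $groups) {
    $created = New-MgGroup -DisplayName $g.Name `
        -Description "Dynamic device group: $($g.Rule)" `
        -MailEnabled:$false `
        -MailNickname ($g.Name -replace '[^A-Za-z0-9]', '') `
        -SecurityEnabled `
        -GroupTypes "DynamicMembership" `
        -MembershipRule $g.Rule `
        -MembershipRuleProcessingState "On"
    Write-Host "Created $($created.DisplayName) ($($created.Id))"
}

# Check: after Azure AD has processed the rules, each group should hold only
# devices whose ownership attribute matches. A device with no deviceOwnership
# value matches neither rule and ends up in neither group.
foreach ($g in $groups) {
    $id      = (Get-MgGroup -Filter "displayName eq '$($g.Name)'").Id
    $members = Get-MgGroupMember -GroupId $id -All
    Write-Host "$($g.Name): $($members.Count) device(s)"
}
```

Compare the two membership counts against the device inventory before relying on the split, since unset ownership attributes silently leave devices outside both groups.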

Best Response confirmed by Stuart King (Regular Contributor)
Solution

The thing is that at the moment CA supports only user-based groups, so you won't be able to target separate policies based on device type.

I was told that it's something in the plan, but no ETA.


I have the same need: to allow the same user to have both corp & BYOD devices, with separate policies for each. I am looking for this in 365 Business.


@Stuart King Same need here. Hope there is a solution provided for this at some point.