I have a compliance policy in place for Microsoft 365 that requires users to log in from compliant devices. However, we have a few users who use their personal computers to access the Windows 365 App, which they then use to connect to their cloud virtual machines (VMs). While their cloud VMs meet the compliance standards, their personal PCs do not. Is there a way to exempt the Windows 365 App from this policy, or is it more advisable to require that users log in from company-owned PCs when accessing Windows 365?
2 Answers
Have you checked if the token protection compliance policy is enabled? That might be causing some issues for you. We've encountered similar situations in the past.
I suggest creating a separate policy just for accessing the cloud via personal devices. For instance, if one of their main work devices fails, you could add them to an exclusion group and allow access from non-compliant devices. I’d also recommend implementing phishing-resistant MFA for added security.
Good call! We already use YubiKeys for our compliance policies, so I think we're covered on that front even if we allow a few exceptions for non-compliant devices.

I haven't enabled that yet. Right now, I'm only using a policy that requires devices to be Entra joined and compliant, and it seems to be blocking access.
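The "separate policy for personal devices" design suggested above, written out with the Microsoft Graph PowerShell SDK as an added example (not code from anyone in this thread). It assumes you already have an exception group and a break-glass group; their object IDs are placeholders, and the policies are created in report-only mode so you can check sign-in logs before enforcing them.

```powershell
# Added example: two Conditional Access policies built with Microsoft Graph PowerShell.
# Group object IDs are placeholders; replace them with your own before running.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$breakGlassGroup   = "<OBJECT-ID-OF-BREAK-GLASS-GROUP>"          # placeholder
$personalPcGroup   = "<OBJECT-ID-OF-PERSONAL-PC-EXCEPTION-GROUP>"  # placeholder
$phishingResistant = "00000000-0000-0000-0000-000000000004"        # built-in "Phishing-resistant MFA" authentication strength

# Policy 1: the existing "require compliant device" rule, now with the exception
# group excluded so members are not blocked when they sign in from a personal PC.
$requireCompliant = @{
    displayName = "CA01 - Require compliant device (all users)"
    state       = "enabledForReportingButNotEnforced"   # report-only; switch to "enabled" after review
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroup, $personalPcGroup)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}

# Policy 2: members of the exception group may sign in from a non-compliant PC,
# but only with phishing-resistant MFA (FIDO2 keys such as YubiKeys satisfy this).
$personalPcPolicy = @{
    displayName = "CA02 - Personal PC exceptions - phishing-resistant MFA"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($personalPcGroup); excludeGroups = @($breakGlassGroup) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $phishingResistant }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $requireCompliant
New-MgIdentityConditionalAccessPolicy -BodyParameter $personalPcPolicy
```

Keep the exception group small and time-bound (for example, only while a user's managed device is out of service), and review the report-only results in the sign-in logs before changing `state` to `enabled`.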