Hey everyone! I'm trying to refine our Conditional Access (CA) policy for blocking access from personal devices that aren't owned by the company. We're using Entra for sign-ins, but I keep encountering inconsistent results. Can anyone share their successful policy examples or tips? My goal is to prevent users from signing in from devices that aren't Entra Joined or Registered.
3 Answers
Microsoft actually provides a CA policy template for situations like these. The template called "Require MDM-enrolled and compliant device to access cloud apps for all users (Preview)" is a solid starting point. Try running it in report-only mode to see what impact it has first, then you can adjust the settings as needed.
Have you set up the policy to block Entra join by users? There might be some settings you could tweak there. I'm not entirely sure how you're handling web access, but if you're finding the results too inconsistent, it could be worth looking into whether the policy is correctly applied for everyone.
You might want to consider a more refined approach with Conditional Access. For instance, you can set access rules based on the user's IP address, meaning only connections from your company's external IP can get through. Additionally, you can allow access for domain-joined devices or explicitly add certain users to the allowed list. There are definitely multiple conditions you can apply, so you might find it easier to manage that way!
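Added example (not posted by any of the answerers above): one report-only Conditional Access policy, built with the Microsoft Graph PowerShell SDK, that combines the first answer's "run the device template in report-only mode first" advice with the third answer's trusted-IP and exception ideas. The policy applies to all users and all cloud apps, excludes sign-ins from a trusted named location and from a break-glass group, and grants access only to an Intune-compliant or hybrid-joined device. The group ID and the 203.0.113.0/24 range are placeholders (the range is from the RFC 5737 documentation block), and the script assumes an account with the listed Graph scopes. Two caveats a practitioner should keep in mind: `domainJoinedDevice` means Hybrid Entra joined, so a device that is merely Entra Registered satisfies neither grant control unless it is also Intune-compliant; and always keep an excluded break-glass group so a misconfigured device policy cannot lock every administrator out.

```powershell
# Added example, not from the original thread. Placeholders are marked below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "AuditLog.Read.All", "Directory.Read.All"

# 1. A trusted named location for the company's egress IP range.
#    203.0.113.0/24 is a documentation range: replace it with your real egress CIDR.
$locationBody = @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate egress (example)"
    isTrusted     = $true
    ipRanges      = @(
        @{
            "@odata.type" = "#microsoft.graph.iPv4CidrRange"
            cidrAddress   = "203.0.113.0/24"    # placeholder
        }
    )
}
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $locationBody

# 2. The policy. Scope: all users, all cloud apps, all client app types.
#    Exclusions: sign-ins from any trusted location ("AllTrusted") and the
#    break-glass group. Grant: compliant device OR hybrid-joined device.
#    State is report-only, so nothing is enforced until the logs are reviewed.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder group ID

$policyBody = @{
    displayName   = "Require compliant or hybrid-joined device (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyBody

# 3. Review what the policy would have done. Report-only outcomes show up in the
#    sign-in log per policy as reportOnlySuccess / reportOnlyFailure /
#    reportOnlyNotApplied / reportOnlyInterrupted. A wave of reportOnlyFailure
#    for devices you expect to pass is the "inconsistent results" to chase down
#    before flipping state to "enabled".
Get-MgAuditLogSignIn -Top 50 |
    ForEach-Object {
        $hit = $_.ConditionalAccessPolicies | Where-Object { $_.Id -eq $policy.Id }
        if ($hit) {
            "{0,-40} {1,-22} {2}" -f $_.UserPrincipalName, $hit.Result, $_.DeviceDetail.TrustType
        }
    }
```

The `DeviceDetail.TrustType` column is what makes the report-only review useful here: it shows whether each failing sign-in came from an Azure AD joined, hybrid joined, registered, or unmanaged device, so you can tell a genuine personal-device block from a corporate device that simply is not reporting compliance yet.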