Block Personal Computers with Conditional Access in Microsoft 365

Рет қаралды 10,899

Күн бұрын

Wouldn't it be great to just simply block the use of personal computers in Microsoft 365? This would mean that access to Microsoft 365 could only be done on company-owned devices that were part of Intune. You can do this by using a conditional access policy and I will show you in this video.
🆓 FREE Facebook Group
From security to productivity apps to getting the best value from your Microsoft 365 investment, join our Microsoft 365 Mastery Group
/ microsoft365mastery
🆓 FREE Microsoft 365 Guide
Our FREE Guide - Discover 5 things in Microsoft 365 that will save your business time and money….. and one feature that increases your Cyber Security by 99.9%
► Download our guide here today: 365gearsystem.com
💻 Want to Work Together?
Drop me an email: jonathan@integral-it.co.uk
😁 Follow on Socials
TikTok @bearded365guy
Instagram @bearded365guy
Chapters
0:00 Introduction
00:36 Basic Conditional Access
01:14 Advanced Conditional Access Policy
02:19 Word of Warning
03:12 Demo
05:09 Create Conditional Access Policy
08:06 Test CA Policy

Пікірлер: 57

@JannievanderWalt 3 ай бұрын

Dude, your videos are epic! I gained so much knowledge on this topic of CA and App Policies.

@nazerbor3i 3 ай бұрын

best content, with real world scenarios as usual keep it up

@davecmini Ай бұрын

Love this ! explained perfectly !

@SeiferAlmasy21 3 ай бұрын

Very powerful, but not user friendly. We learned to consult this with clients and make them clear what this really means. Our best scenario is to block unmanaged devices to Sharepoint but allow access via the Browser (limited experience). But even this gives issues (not technically but on user level). I am all for it, but this does not work for SMB, mostly. Bu great video again!

@bearded365guy 3 ай бұрын

Yep, it’s strict

@iralagirireddy7122 3 ай бұрын

Great video really appreciated

@TheLiquidDreamers 3 ай бұрын

Great Video Jonathan

@notta3d Ай бұрын

Just found your channel. Loving it. Do you think you could do a full video on setting up a test tenant? Was thrown into supporting Azure after it was setup so would be very helpful setting up my own to learn what I missed and to have something to test.

@ifoam 3 ай бұрын

Johnathan, your videos and style of presentation have been helpful. Does your organization (you) also do live events?

@bearded365guy 3 ай бұрын

Yes, sometimes!

@rod5751 Ай бұрын

I've implemented all of your CA policies and they're great, but this one blocks re-adding an Autopilot device to Intune after a Wipe. Any suggestions? Thanks

@daelra 3 ай бұрын

Excellent. Some great tips here. In the opposite direction, how would you go about setting up Conditional Access for a small startup where everyone is using their own laptops? What would you turn off, what would you leave on? Any special case policies?

@saisrikardhavala6441 8 сағат бұрын

Though the devices are corporate and registered with intunes, we are being locked out. Any idea?

@edwardstark6817 2 ай бұрын

no need to configure client apps. It's applied to all by default.

@andrewwitton8038 3 ай бұрын

Hi Jonathan, thanks for the great video. I am curious as to your using an OR statement for the filter. Is there an historical reason for using just DeviceOwnership not equals Company?

@frankfix247 21 күн бұрын

I really don't see the point of using both of those statements. Isn't it enough to use only one?

@alefbraz5973 3 ай бұрын

Hey Jonathan, thanks for your video, it helped us a lot!! We're trying to make an "exclusion" for a specific URL, we want to allow the Windows 365 URL, can you explain how can we make this filter, please?

@timwood101 3 ай бұрын

Could you explain, for we numpties, where the policy resides? You used intunes which suggests a policy on the endpoint but I don’t think you have set up a client on personal laptop. Does policy set up in intune sit in M365?

@edwardstark6817 2 ай бұрын

if your devices are entra hybrid joined, you can just check that box in Grant, and not have to do any filtering.

@thefactfinderx 2 ай бұрын

Thank you for your videos. We would like to learn how to stop users to upload anything from company devices to 3rd party apps for e.g. web WhatsApp, Dropbox Google drive or online PDF editors.

@bearded365guy 2 ай бұрын

Stay tuned

@exmuslim1330 3 ай бұрын

what is exchange recipient admin center, is it replacement to exchange admin center

@exmuslim1330 3 ай бұрын

In new outlook, I can't find the trust center and add-ins in options(there is no options) ; I read we need to install them manually. In new outlook, I can't find office accounts, account settings, tools, and a lot of missing tools.Can you provide a video to solve these issues?

@tri.taminh 4 күн бұрын

Hi Mr. Edwards, It would be great to receive a respond from you. I have a question. If I enrolled a device (for example a windows laptop) to intune using administrator account who has microsoft365 Business Premium then I change the owner of that device to another user which only has Business Standard license. At that moment will that device no longer be enrolled since that user doesn't have Intune license?

@bearded365guy 4 күн бұрын

All you need is for one Business Premium license in the tenant to enjoy the features. I am not suggesting you do that, in my view each person who is using Premium features should have a Premium license.

@joeraymen7312 3 ай бұрын

We block personal device enrolment and have setup conditional access policy to only allow compliant intune devices. We allow online usage only for personal devices with app enforced restrictions also.

@bearded365guy 3 ай бұрын

That works too 😀

@santhoshshashi303 27 күн бұрын

Hi Edwards, I want to block all cloud application except teams and outlook for phone device. I created a conditional access policy to block all cloud application except outlook and teams. Its working fine but teams is still blocking. I m not sure what are the teams related services need to exclude in the policy. Could you please make a video for the same

@adarsh_raj____ 3 ай бұрын

How setup the same for only Intune enrolled Windows, MacOS, Android devices(BYOD android through Company portal and Fully Company Managed Android Enterprise)

@juliocesarvasconcelos2413 17 күн бұрын

Hello Jonathan how are you? I have one question, is there some CA to block access to personal emails in web browsers on devices managed?

@bearded365guy 17 күн бұрын

Hi, got your email. Will respond!

@nazerbor3i 3 ай бұрын

we have O365 E5 licenses is that enough? what is the minimum license required? could you explain a little bit if this works with a Azure AD registered device ? or only Azure AD Joined Device ?

@bearded365guy 3 ай бұрын

This works with Azure AD P1

@tlambert54 3 ай бұрын

Jonathan, thanks for these video's. We have been trying to do this but still allow access from a browser on a personal device but cannot download content or enroll a personal device in intune. Any ideas?

@bearded365guy 3 ай бұрын

Yes, you can block downloads on unmanaged devices

@tlambert54 3 ай бұрын

@@bearded365guy - thanks for the reply. using the CA you used in this video what would we need to change to allow access to the browser but block downloads?

@themikerennie 3 ай бұрын

When do you use this over only allow compliant devices?

@bearded365guy 3 ай бұрын

For me, a compliant device is slightly different. A personal owned device could be compliant.

@user-st8fu6nq7b 3 ай бұрын

hey the videos good but the policy doesnt work, any idea why? Have you tested this first?

@bearded365guy 3 ай бұрын

It should work.

@user-st8fu6nq7b 3 ай бұрын

interesting ca policies usually apply right away. This one took some time, i can now see it is working. Thanks! @@bearded365guy

@AbdullahOllivierreIT 3 ай бұрын

Either Device filter to include personal ownership or to exclude corporate owned. Any reason for using VBox instead of Hyper-V ?

@bearded365guy 3 ай бұрын

I’ve always kind of liked vbox 😀

@frankfix247 21 күн бұрын

@@bearded365guy My understanding is that when autopiloting a vbox-created instance, the serial no. shown in Intune only contains zeros. This is not the case with using Hyper-V or VMware.

@akurenda1985 3 ай бұрын

Just thinking out loud. Wouldn't a compliance requirement CA Policy also block personal computers? If they don't have intune.. they can't access anything?

@bearded365guy 3 ай бұрын

A device can be owned personally and be compliant. This is to simply block all personal devices. Much stronger 💪

@stantkatchenko1341 3 ай бұрын

Great presentation and please don’t take it personally.. But, is there or can there be another company which prompts user who used UNAUTHORISED DEVICE to provide password and the second factor???

@bearded365guy 3 ай бұрын

Yes, that would be possible.