Dude, your videos are epic! I gained so much knowledge on this topic of CA and App Policies.

Very powerful, but not user friendly. We learned to consult this with clients and make them clear what this really means. Our best scenario is to block unmanaged devices to Sharepoint but allow access via the Browser (limited experience). But even this gives issues (not technically but on user level). I am all for it, but this does not work for SMB, mostly. Bu great video again!

This worked wonderfully for me. I excluded Exchange online, so all cloud apps were blocked except for email and it is doing exactly what I hoped for thanks to this video. Thank you so much Jonathan!

best content, with real world scenarios as usual keep it up

Just found your channel. Loving it. Do you think you could do a full video on setting up a test tenant? Was thrown into supporting Azure after it was setup so would be very helpful setting up my own to learn what I missed and to have something to test.

Love this ! explained perfectly !

Currently running a test with this with Report Only on, do you know if an easy place to see which machines are being reported to have violated this? I think i can see them in the identity sign in page, but curious if there is a better/easier way to view the reports.

Another great video, Thanks!

Great info, but how does it work with Hybird Entra installs where AD is installed on-prem?

We block personal device enrolment and have setup conditional access policy to only allow compliant intune devices. We allow online usage only for personal devices with app enforced restrictions also.

in Conditional Access - could a device that's joined to local AD be classified as organization owned? if so how does CA pick this up ? or is it for intune enrolled devices only?

Johnathan, your videos and style of presentation have been helpful. Does your organization (you) also do live events?

Excellent. Some great tips here. In the opposite direction, how would you go about setting up Conditional Access for a small startup where everyone is using their own laptops? What would you turn off, what would you leave on? Any special case policies?

Hi Jonathan, I have a question regarding the policy I applied. It works, but the device registered in Intune only has access via Microsoft Edge, not Chrome. Is there any way you can assist me with this?

Hi Jonathan, I'm curious about something. How does Intune detect the device that is not a company computer? You logged in from the incognito tab and tried to access it and it caught you. How did it detect that? Did he check to see if the device was in the domain? If so, how did he do that?

Thank you for this, working like a charm. a question though, what happens to the users logged in already on personal devices? do they get logged out? cause in my testing, the logged in user stayed logged in

I've implemented all of your CA policies and they're great, but this one blocks re-adding an Autopilot device to Intune after a Wipe. Any suggestions? Thanks

Does conditional access generally require the default policies to be turned off to work at all? (that you mention to turn off in the video where you created the 7 policies). As I did what you did here, but ticked Android additionally, and I am still able to sign in on my personal android and Windows devices to both browser and apps. Policy is "On" Any idea what I have missed?

Hi Jonathan, thanks for the great video. I am curious as to your using an OR statement for the filter. Is there an historical reason for using just DeviceOwnership not equals Company?

We use Microsoft Intune to manage Windows devices and Kandji MDM for Apple devices. Is there a possibility to add that into the filtered configurations?

Thank you for your videos. We would like to learn how to stop users to upload anything from company devices to 3rd party apps for e.g. web WhatsApp, Dropbox Google drive or online PDF editors.

Hello Could you advise on this please? If we implement the policy it's effectively saying only inTune managed Windows devices can access Office 365. However, we use dumb terminals to allow users to access Citrix. When we implemented the policy we found that it worked but the knock on effect is that it blocked the use of IGELS and Citrix (hosting a Windows image) to access O365. Can you advise if there is easy work around to this as the IGELS can't be added to inTune. Thanks Tim

Would be great for feedback on still wanting to allow guest access to Microsoft Teams files to other businesses that are approved, they wouldn't have a corporate device?

Hi mate, thanks for the video. I offer M365 to my clients and this is really handy.

Hi Mr. Edwards, It would be great to receive a respond from you. I have a question. If I enrolled a device (for example a windows laptop) to intune using administrator account who has microsoft365 Business Premium then I change the owner of that device to another user which only has Business Standard license. At that moment will that device no longer be enrolled since that user doesn't have Intune license?

Could you explain, for we numpties, where the policy resides? You used intunes which suggests a policy on the endpoint but I don’t think you have set up a client on personal laptop. Does policy set up in intune sit in M365?

Excellent, a useful policy would be able to allow some users to access OWA and Teams from private devices. Now you could allow users to access OWA and Teams from a web-browser and also access attachments in emails and files stored in Teams (so SharePoint), of course assuming you allow Teams and SharePoint access in the CA. But how can you prevent files from being saved on the non-corporate device hard drive?

Thanks for the wonderful tips. However, I have one big question. Just like I do with Android devices (AndroidForWork and AndroidForEnterprise) i would like to block users of using outlook app on iphone outside the ios work profile (intune company portal app). With Android I just create a conditiional access to allow only androidForwork and Enterprise, but how with iOS?

Great video really appreciated

Hi Edwards, Your video series is fantastic! I recently implemented this conditional access policy in our organization, but we've encountered an issue when it comes to a fresh user enrolling into Intune. The policy is blocking the initial device enrollment and user sign-in. when i'm checking the sign-in logs, it shows that the sign-in is blocked by this conditional access policy. Is there an alternative option to overcome this issue, or any best practices you’d recommend? Aside from this, everything is working perfectly. Thanks for share your knowledge with community!

Hello Jonathan how are you? I have one question, is there some CA to block access to personal emails in web browsers on devices managed?

we have O365 E5 licenses is that enough? what is the minimum license required? could you explain a little bit if this works with a Azure AD registered device ? or only Azure AD Joined Device ?

Jonathan, thanks for these video's. We have been trying to do this but still allow access from a browser on a personal device but cannot download content or enroll a personal device in intune. Any ideas?

Can this be done in a way that allows user to log onto the Office 365 apps on their own device but stop them copy/paste or downloading?

Applying that policy prevents work devices from enrolling in Intune via Autopilot b/c the initial Device Ownership is not Corporate yet b/c it hasn’t enrolled. How do you resolve this issue?

Great Video Jonathan

if your devices are entra hybrid joined, you can just check that box in Grant, and not have to do any filtering.

Hi Jonathan, is it possible to apply this CA policy for Multiple Office365 Tenants to the same applications on one device? I have providing with company's laptop and access multiple tenents on this windows laptop.

Either Device filter to include personal ownership or to exclude corporate owned. Any reason for using VBox instead of Hyper-V ?

Why it is that my devices are registered and enrolled in the specific group but i still cant get them to show up on the portal

Hey Jonathan, thanks for your video, it helped us a lot!! We're trying to make an "exclusion" for a specific URL, we want to allow the Windows 365 URL, can you explain how can we make this filter, please?

When do you use this over only allow compliant devices?

hey the videos good but the policy doesnt work, any idea why? Have you tested this first?

How setup the same for only Intune enrolled Windows, MacOS, Android devices(BYOD android through Company portal and Fully Company Managed Android Enterprise)

So if I want to allow BYOD and Company owned devices, I exclude both of those for iPhones & androids and technically it should block any other iPhones or android trying to sign into ms365 that are not BYOD or company owned

this policy blocks chrome too even on company devices. you would have to install Chrome SSO extension. but it also block InPrivate/InCognito window. no solution for that

Though the devices are corporate and registered with intunes, we are being locked out. Any idea?

Let me rephrase - I am looking to block devices from logging into any MS365 app using company creds or logging into browser from devices that are not enrolled. So other words if the mobile devices iPhone and androids are not company owned or Personal (BYOD), then block them from accessing. Just wondering what exactly will I be looking in conditional access for this. Any help is appreciated

Just thinking out loud. Wouldn't a compliance requirement CA Policy also block personal computers? If they don't have intune.. they can't access anything?

no need to configure client apps. It's applied to all by default.

Great presentation and please don’t take it personally.. But, is there or can there be another company which prompts user who used UNAUTHORISED DEVICE to provide password and the second factor???

We’ve blocked all personal devices (not my decision on the ios/android front..) and as a result I can’t work out how to allow users to sign in to microsoft authenticator.. Microsoft doesn’t include a lot of it’s own resources that can be added as exclusions

How this is possible without intune? :)

Won't this also affect the AutoPilot ?? I know we can allow browsers but block apps, having said that we will also affect the autopilot :( We would like to see the next version of this video based on the query raised here :) @Jonathan :)

Jerma spotted at 0:47

Thanks for the video but it didnt work

An On-Ee-Un.

+