Block Access to M365 from non-Entra joined Devices
Hey everybody! Seems this blog is still alive!
I know it’s been a while since I have put anything new here, but hopefully that will be changing. More on that later, but for now let’s talk about blocking non-Entra joined devices from logging into your Microsoft 365 tenant.
One simple and straightforward security requirement many organizations would benefit from implementing is a block on users logging into your Microsoft 365 tenant from devices that your company doesn’t control.
First, let’s clarify the requirement.
I was asked to ensure that people can only log into a Microsoft 365 tenant from company owned devices. On the surface that sounds perfectly reasonable, but there are a couple of unstated assumptions in that requirement.
Guests – Guests should still be able to access anything that has been shared with them. Obviously, guests are not going to be issued company owned devices, and they are not going to be joining their devices to our Entra tenant, so we need to exclude guest accounts from this policy.
BYOD phones – Employees still need to be able to access resources on their phones. Outlook and Teams mobile still need to work, so we don’t want this policy to apply to phones.
Conditional Access is the way to go. We just need to be a little bit careful with the policy to make sure we don’t block access for guest accounts or for company employees using their phones.
Here is what I used…
Create a new Conditional Access Policy
I named mine “TEST - Block access for non-Entra joined devices”. I’ll remove the TEST when I’m ready to put this policy fully into production.
Under Assignments I have the following settings:
User > Include > Select users and groups > Users and groups
I started this policy off applying to only a single group, and only a single user in that group. I always recommend going slow with CA policies. It’s way too easy to lock everyone out of your M365 tenant, and that would be a resume-level event for most of us.
User > Exclude > Guest or external
I excluded all guest and external accounts from this policy. Select whatever works for your organization.
Target resources > Include > All resources
We want this policy to apply to all resources.
Conditions > Device platforms > Include
Include Windows, since we want this policy to apply to Windows devices. If your organization has macOS users, you’ll need to handle them differently. For now, let’s focus on Windows.
Conditions > Device platforms > Exclude
Here we want to exclude iOS and Android. If your iOS and Android devices are Entra registered, then you’ll use a different configuration.
Conditions > Filter for devices
Set the filter mode to Exclude and write a rule that matches Entra joined devices, so that any device already joined to your tenant is excluded from the block.
Access controls
Grant
This one is simple: we want to block access for anyone who is not already excluded from this policy in the Assignments section.
Block access
That’s it!
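For anyone who would rather script this than click through the portal, here is the same policy expressed through the Microsoft Graph PowerShell SDK. This is an added example, not something from the original post; it assumes the Microsoft.Graph module is installed and that <PILOT-GROUP-ID> is a placeholder for the object id of the small pilot group the walkthrough starts with. It creates the policy in report-only mode, which matches the advice to test before enforcing.

```powershell
# Added example (not from the original post): create the "block non-Entra
# joined devices" policy via Microsoft Graph, in report-only mode so its
# effect shows up in sign-in logs before anyone is actually blocked.
# Assumption: <PILOT-GROUP-ID> is a placeholder for your pilot group's object id.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "TEST - Block access for non-Entra joined devices"
    # Report-only: evaluates and logs, but does not enforce the block.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @("<PILOT-GROUP-ID>")
            # Exclude every guest / external user type from all external tenants.
            excludeGuestsOrExternalUsers = @{
                guestOrExternalUserTypes = "internalGuest,b2bCollaborationGuest,b2bCollaborationMember,b2bDirectConnectUser,otherExternalUser,serviceProvider"
                externalTenants = @{
                    "@odata.type"  = "#microsoft.graph.conditionalAccessAllExternalTenants"
                    membershipKind = "all"
                }
            }
        }
        # "All resources" in the portal is "All" in the API.
        applications = @{ includeApplications = @("All") }
        platforms = @{
            includePlatforms = @("windows")
            excludePlatforms = @("iOS", "android")
        }
        devices = @{
            deviceFilter = @{
                # Exclude Entra joined devices. Note that hybrid joined devices
                # report trustType "ServerAD" and Entra registered ones "Workplace",
                # so they would still be blocked by this rule.
                mode = "exclude"
                rule = 'device.trustType -eq "AzureAD"'
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Once the report-only results in the sign-in logs look right for the pilot group, flip the policy to enforced with Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State "enabled".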
Again, I strongly recommend testing this policy out before you turn it on for everyone. It is VERY easy to lock everyone out of your tenant, so please don’t do that.
Questions? Comments? Put them below. I plan on updating this blog more in the future. :)