M365 Business Premium Conditional access for charity site.

Dale Walker 0 Reputation points

I have been asked to help tighten up security for a small non-profit. They have M365 Business Premium and as it's a non-profit, most of the staff are part-time volunteers using their own equipment. The small team of full time staff are using AzureAD with joined devices so the help I've found on Defender Endpoint Security has been pretty straightforward for them.

The problem I'm having is that I have to create some conditional access rules to separate those people logging in on org-owned devices with an AzureAD joined login from those that are using BYO devices logging in with AzureAD registered credentials. Some staff/volunteers have both org-owned devices and use their own, so I can't rely on the user login to determine the use case and therefore the rules I need to apply. It makes more sense to me to try and work things out based on the devices being logged in from.

How do I set up a base-level split in conditional access so that I can split AzureAD registered logins from AzureAD joined logins? This seems to be the most logical way to split the two types of devices being used. If this is not feasible, any other workarounds?

They all work in WeWork-type environments so don't have their own network. No other server to worry about. Everything is either Email, Teams or SharePoint.

I want to lock down the Azure AD joined devices as much as possible but give the Azure AD registered devices the freedom to install what they like on their own machines and only protect the organisation's files. SharePoint is set up so that the volunteers are locked out of the full-timers' libraries, and even the Teams they use are restricted quite a bit.


1 answer

  1. Vasil Michev 97,076 Reputation points MVP

    You can target device "trustType" via Filter for devices: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-condition-filters-for-devices

    Make sure to also review the last table in the article for some caveats.

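The split Vasil describes, expressed as two Conditional Access policies created with the Microsoft Graph PowerShell SDK. This is an added example, not code from the thread or from Microsoft's article: the policy names, the placeholder break-glass account ID and the choice of grant/session controls (Intune compliance for joined devices, MFA plus app-enforced restrictions for registered ones) are assumptions chosen to match the question; only the `device.trustType` filter values (`AzureAD` for Entra joined, `Workplace` for Entra registered, `ServerAD` for hybrid joined) come from the filter-for-devices documentation.

```powershell
# Added example, not from the original thread. Assumes the Microsoft Graph PowerShell SDK
# (Install-Module Microsoft.Graph) and an account holding Conditional Access Administrator.
# The break-glass objectId is a placeholder; replace it with your emergency-access account.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Application.Read.All"

$breakGlassId = "00000000-0000-0000-0000-000000000000"   # placeholder (assumption)

# Policy 1: org-owned, Entra joined devices must be Intune-compliant to reach Exchange/Teams/SharePoint.
$joined = @{
    displayName = "CA01 - Org-owned (Entra joined) devices require compliance"   # name is an assumption
    state       = "enabledForReportingButNotEnforced"   # report-only first; set "enabled" after reviewing sign-in logs
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("Office365") }   # Exchange, Teams, SharePoint in one target
        clientAppTypes = @("all")
        devices        = @{
            deviceFilter = @{
                mode = "include"
                rule = 'device.trustType -eq "AzureAD"'   # Entra joined; use "ServerAD" for hybrid joined
            }
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}

# Policy 2: BYO, Entra registered devices: require MFA and let SharePoint/Exchange apply
# app-enforced restrictions (browser-only, limited/no-download sessions) to unmanaged machines.
$registered = @{
    displayName = "CA02 - BYO (Entra registered) devices MFA and limited web access"   # assumption
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("all")
        devices        = @{
            deviceFilter = @{
                mode = "include"
                rule = 'device.trustType -eq "Workplace"'   # Entra registered
            }
        }
    }
    grantControls   = @{ operator = "OR"; builtInControls = @("mfa") }
    sessionControls = @{ applicationEnforcedRestrictions = @{ isEnabled = $true } }
}

foreach ($policy in @($joined, $registered)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy |
        Select-Object DisplayName, State, Id
}

# Check what was created and which trustType each policy actually targets.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.DisplayName -like "CA0*" } |
    Select-Object DisplayName, State,
        @{ n = "DeviceRule"; e = { $_.Conditions.Devices.DeviceFilter.Rule } }
```

Two things to verify before flipping either policy to `enabled`: the app-enforced restrictions only bite once the matching unmanaged-device settings are turned on in the SharePoint admin center and Exchange Online, and, as the behaviour table Vasil points to spells out, an include-mode device filter only matches devices that are registered and therefore carry a `trustType`. A volunteer signing in from a browser on a device that was never registered matches neither policy above, so cover that case deliberately (a separate policy for unregistered devices, or the exclude-mode pattern from the same table) rather than assuming it falls into the BYO bucket.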