This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 71%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDW%3C/text%3E%3C/svg%3E)
I have been asked to help tighten up security for a small non-profit. They have M365 Business Premium and as it's a non-profit, most of the staff are part-time volunteers using their own equipment. The small team of full time staff are using AzureAD with joined devices so the help I've found on Defender Endpoint Security has been pretty straightforward for them.
The problem I'm having is that I have to create some conditional access rules to separate those people logging in on org owned devices with an AzureAD joined login and those that are using BYO devices logging in with AzureAD registered credentials. Some staff/volunteers have both org-owned devices and use their own so I can't rely on the user login to determine the use case and therefore the rules I need to apply. It make more sense to me to try and work things out based on the devices being logged in from.
How do I set up a base level split in conditional access so that I can split AzureAD registered logins from AzureAD joined logins? This seems be the most logical way to split the two types of devices being used. If this is not feasible, any other workarounds?
They all work in We-Work type environments so don't have their own network. No other server to worry about. Everything is either Email, Teams or SharePoint.
I want to lock down the Azure AD joined devices as much as possible but give the Azure AD registered devices the freedom to install what they like on their on machines and only protect the organisations files. SharePoint is set up so that the volunteers are locked out of the full-timers libraries and even the Teams they use are quite restricted quite a bit.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 20%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Hi @Dale Walker ,
Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept Answer" which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
You can target device "trustType" via Filter for devices: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-condition-filters-for-devices
Make sure to also review the last table in the article for some caveats.