BYOD Microsoft Entra ID Registered: differenciate personal device to allow download or block

Sergio Londono 201 Reputation points

Hello team,

I have a user who registered 2 devices as Microsoft Entra ID registered which are recognized as personal devices.

In theory, one device should be used for work and access corporate data, in this registered device the user can download data because he is working from a device that was allowed to work.

but, what happens if the user connects to corporate data using a personal device and registers the device as Microsoft Entra ID registered,

so, this user will be able to download corporate data to his personal device. I need to allow download for one and block for the other, but both of them are recognized as Personal.

I believe the only difference will be the hostname

Normally we can do it using MDCA when the device is not Hybrid or Azure Join, but when both devices are personal, is there any way from Intune or AAD to differentiate the device and apply restriction for download?

User's image

Block download if a device is not corporate. but, if I have 2 devices personal and one should download and the other no, how can I do it?

User's image

Microsoft Intune Security
Microsoft Intune Security
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
249 questions
Microsoft Defender for Cloud Apps
Microsoft Defender for Cloud Apps
A Microsoft cloud access security broker that enables customers to control the access and use of software as a service apps in their organization.
64 questions
Microsoft Entra
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
17,604 questions
0 comments No comments
{count} votes

Accepted answer
  1. Akshay-MSFT 12,306 Reputation points Microsoft Employee

    @Sergio Londono

    Thank you for posting your query on Microsoft Q&A. From above description I could understand that user have 2 devices registered in Entra ID and you want to block content download on 1 of them and allow one.

    Please do correct me if this is not the ask by responding in the comments section.

    By default a device is considered as Corporate when its Azure AD or Hybrid AD joined. Any device which is registered as a workplace join device is considered to be personal. However here are the few ways you could try for this particular user:

    • From Intune/MEM portal create two device categories namely corporate and personal.

    User's image

    • The assign personal category to the device you want to block, by navigating to the device properties on Intune console
    • User's image
    • Create a dynamic group with category as personal.

    User's image

    • Now create a conditional access policy blocking access to corp applications and assign it to above created dynamic group.


    Akshay Kaushik

    Please "Accept the answer" (Yes), and share your feedback if the suggestion answers you’re your query. This will help us and others in the community as well.

0 additional answers

Sort by: Most helpful