BYOD Microsoft Entra ID Registered: differentiate personal devices to allow or block download

Sergio Londono 886 Reputation points
2023-10-26T13:28:17.6733333+00:00

Hello team,

I have a user who registered 2 devices as Microsoft Entra ID registered which are recognized as personal devices.

In theory, one device should be used for work and to access corporate data; on this registered device the user can download data because he is working from a device that was allowed for work.

But what happens if the user connects to corporate data using a personal device and registers that device as Microsoft Entra ID registered?

Then this user will be able to download corporate data to his personal device. I need to allow download for one and block it for the other, but both of them are recognized as personal.

I believe the only difference will be the hostname

Normally we can do it using MDCA when the device is not Hybrid or Azure AD joined, but when both devices are personal, is there any way from Intune or AAD to differentiate the devices and apply a download restriction?


Block download if a device is not corporate. But if I have 2 personal devices and one should be able to download and the other not, how can I do it?


Microsoft Security | Intune | Security
Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud Apps
Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Entra | Other

Accepted answer
  Akshay-MSFT, Microsoft Employee, Moderator
    2023-10-30T12:58:11.8433333+00:00

    @Sergio Londono

    Thank you for posting your query on Microsoft Q&A. From the above description I understand that the user has 2 devices registered in Entra ID and you want to block content download on one of them and allow it on the other.

    Please do correct me if this is not the ask by responding in the comments section.

    By default a device is considered corporate when it is Azure AD or Hybrid AD joined. Any device which is registered as a workplace-joined device is considered personal. However, here are a few ways you could try for this particular user:

    • From the Intune/MEM portal, create two device categories, namely Corporate and Personal.

    • Then assign the Personal category to the device you want to block, by navigating to the device properties in the Intune console.

    • Create a dynamic group with category equal to Personal.

    • Now create a Conditional Access policy blocking access to corporate applications and assign it to the dynamic group created above.

    Thanks,

    Akshay Kaushik

    Please "Accept the answer" (Yes), and share your feedback if the suggestion answers your query. This will help us and others in the community as well.
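The four steps in the accepted answer, carried out with the Microsoft Graph PowerShell SDK instead of the portal. This is an added example, not code from the original answer or from Microsoft. It assumes the Graph SDK modules are installed, that both devices are enrolled in Intune (a device that is only Entra registered has no Intune device category to set), and that the device name HOST-PERSONAL-01, the category names and the group name are placeholders to be replaced with your own.

```powershell
# Added example, not from the original post. Assumes the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.DeviceManagement, .Groups, .Identity.SignIns) and Intune-enrolled devices.
# HOST-PERSONAL-01 and the category/group names are placeholders.
Connect-MgGraph -Scopes @(
    "DeviceManagementManagedDevices.ReadWrite.All",   # device categories and managed devices
    "Group.ReadWrite.All",                            # dynamic device group
    "Policy.ReadWrite.ConditionalAccess",             # Conditional Access policy
    "Policy.Read.All", "Application.Read.All"         # needed alongside the CA write scope
)

# Step 1: two device categories. The category display name is what the dynamic rule matches.
$corporate = New-MgDeviceManagementDeviceCategory -DisplayName "Corporate" `
    -Description "Entra registered device approved for corporate data"
$personal  = New-MgDeviceManagementDeviceCategory -DisplayName "Personal" `
    -Description "Entra registered device not approved for corporate data"

# Step 2: tag the device to block. Category is a navigation property of the managed device,
# so it is set with a PUT to .../deviceCategory/$ref (beta endpoint) rather than a PATCH.
$matches = @(Get-MgDeviceManagementManagedDevice -Filter "deviceName eq 'HOST-PERSONAL-01'")
if ($matches.Count -ne 1) {
    throw "Expected exactly one Intune managed device named HOST-PERSONAL-01, found $($matches.Count)."
}
$blocked = $matches[0]
$ref = @{ "@odata.id" = "https://graph.microsoft.com/beta/deviceManagement/deviceCategories/$($personal.Id)" }
Invoke-MgGraphRequest -Method PUT -Body $ref `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$($blocked.Id)/deviceCategory/`$ref"

# Step 3: dynamic device group keyed on the category. deviceCategory is a supported
# property in dynamic device membership rules; the comparison value is the display name.
$group = New-MgGroup -DisplayName "BYOD - Personal (blocked)" -MailNickname "byod-personal-blocked" `
    -MailEnabled:$false -SecurityEnabled -GroupTypes @("DynamicMembership") `
    -MembershipRule '(device.deviceCategory -eq "Personal")' `
    -MembershipRuleProcessingState "On"

# Step 4: Conditional Access policy assigned to that group. Created report-only so the
# effect can be checked in the sign-in log before anything is actually blocked.
$policy = @{
    displayName   = "BYOD - block corporate apps from Personal-category devices"
    state         = "enabledForReportingButNotEnforced"   # switch to "enabled" after validation
    conditions    = @{
        users          = @{ includeGroups = @($group.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Check: dynamic membership takes a few minutes to process. Only the tagged device should be
# listed; the device the user is allowed to work from must not appear here.
Get-MgGroupMember -GroupId $group.Id | ForEach-Object { $_.AdditionalProperties.displayName }
```

Leave the policy in report-only mode until the sign-in log shows it matching the user's sign-ins from the tagged device. Conditional Access evaluates "users and groups" assignments against the signed-in user's group membership, so verify that a group whose members are devices produces the result you expect for this user; if it does not, the per-device alternative is the policy's "Filter for devices" condition, for example `device.displayName -eq "HOST-PERSONAL-01"`, which keys on the hostname difference the question points out.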


0 additional answers
