To limit access to SharePoint Online only from corporate devices joined to Azure, you need to ensure that your Conditional Access policy is correctly configured to filter out personal devices. Here are some steps and considerations:
- Policy Configuration: Ensure that your Conditional Access policy includes the correct conditions to filter devices. You should set the policy to block access for devices that do not meet the criteria of being corporate or Microsoft Entra joined.
- Device Filter: When configuring the device filter, ensure that you are using the appropriate properties to identify corporate devices. For instance, you might want to use properties like device.extensionAttribute1 or similar attributes that distinguish corporate devices from personal ones.
- Grant Controls: When setting the grant controls, if you want to allow access only for corporate devices, you should select the option to Block access for filtered devices that do not meet your criteria. Conversely, if you allow access when filtered devices are included, ensure that the filter accurately identifies only the intended corporate devices.
- Testing and Validation: After configuring the policy, test it with various device types to ensure that personal devices are being blocked as expected. If registered personal devices still have access, double-check the filter conditions and the inclusion/exclusion settings.
- Review Logs: Utilize sign-in logs in Azure AD to review the access attempts and see why personal devices are still gaining access. This can provide insights into whether the policy is being applied correctly.
If you've followed these steps and personal devices still have access, consider revisiting the policy settings or consulting Microsoft documentation for further troubleshooting guidance.
References:
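The policy described in the answer above, expressed as an added Microsoft Graph PowerShell example (not code from the original answer): a Block policy for SharePoint Online whose device filter runs in exclude mode, so every device except those matching the corporate rule is blocked. It assumes the Microsoft.Graph module is installed, that corporate devices are Entra joined or carry an assumed tag "Corporate" in extensionAttribute1, and uses a placeholder for a break-glass group id.

```powershell
# Added example, not from the original answer. Assumes the Microsoft.Graph PowerShell
# module and an account holding Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "AuditLog.Read.All"

# Rule that matches corporate devices: Entra joined (trustType "AzureAD") or tagged in
# extensionAttribute1. The value "Corporate" is an assumed tenant convention.
$corporateDeviceRule = 'device.trustType -eq "AzureAD" -or device.extensionAttribute1 -eq "Corporate"'

$policy = @{
    displayName = "Block SharePoint Online from non-corporate devices"
    # Report-only first: sign-in logs show what would be blocked without enforcing it.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @("<break-glass-group-id>")   # placeholder: emergency-access group
        }
        # Well-known app id of Office 365 SharePoint Online
        applications   = @{ includeApplications = @("00000003-0000-0ff1-ce00-000000000000") }
        clientAppTypes = @("all")
        devices = @{
            deviceFilter = @{
                # Exclude mode: the block applies to all devices EXCEPT those matching the
                # rule, so registered-only personal devices (trustType "Workplace") are blocked.
                mode = "exclude"
                rule = $corporateDeviceRule
            }
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Validation: after test sign-ins from a personal and a corporate device, check the
# device trust type and the policy outcome recorded in the sign-in logs.
Get-MgAuditLogSignIn -Filter "appDisplayName eq 'Office 365 SharePoint Online'" -Top 10 |
    Select-Object UserPrincipalName, CreatedDateTime,
        @{ n = 'TrustType'; e = { $_.DeviceDetail.TrustType } },
        @{ n = 'PolicyResult'; e = { ($_.AppliedConditionalAccessPolicies |
            Where-Object DisplayName -eq 'Block SharePoint Online from non-corporate devices').Result } }
```

Switch state to "enabled" only after the report-only results show personal devices as the only ones the policy would block.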