Ensuring devices meet organizational security and compliance policies
Yep - your approach of using Conditional Access with a device filter based on deviceOwnership = Company is possible, but there are some nuances and practices to consider.
In Intune, Android devices enrolled via Company Portal start as Personal (BYOD) by default. Conditional Access (CA) can indeed use device ownership as a filter in the policy, for example:
(device.deviceOwnership -eq "Company")
This allows you to block access to Microsoft 365 until the device is marked as Corporate. However, there are limitations. Device ownership in Intune is mostly determined at enrollment or by IT manually changing it. Android Enterprise managed devices enrolled as Personal will not automatically switch to Corporate based on IT approval; someone must either perform a bulk device ownership update via Intune or re-enroll the device using a corporate enrollment profile.
To address this, you might want to consider leveraging Android Enterprise Work Profile (BYOD) enrollment or Corporate-owned, personally enabled (COPE) enrollment. With COPE, devices can be enrolled as corporate from the start, even if the user performs self-enrollment. You can then control access via Conditional Access policies immediately based on device compliance and ownership without needing a separate ownership change step.
If full COPE enrollment is not possible during migration and you need to start with Personal enrollment, one way to address this is to block M365 access with a Conditional Access policy scoped to device compliance or ownership, perform IT validation, and then either update the device ownership to Corporate in Intune or trigger a re-enrollment process that results in Corporate-owned status. After this change, the Conditional Access policy allows access.
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin
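To make the filter semantics in the answer above concrete, here is an added example that is not part of Marcin's post and not Microsoft code: a small Python simulator for a subset of the Entra "filter for devices" rule syntax (`device.<property> -op value`, `-and`/`-or`, parentheses, quoted strings and `[...]` lists). It evaluates the post's rule `(device.deviceOwnership -eq "Company")` against constructed sample device objects and shows why a "Block access" policy must use the rule as an *exclude* filter to implement "block Microsoft 365 until the device is marked Corporate". Assumptions made here: attribute comparison is case-insensitive, a device with no such attribute (or no device object at all, i.e. an unregistered device) matches no comparison, and the sample devices are invented.

```python
import re
from typing import Any, Optional

# Tokens of the subset of the Entra device-filter rule syntax this local
# simulator understands: parentheses, -operators, quoted strings,
# bracketed string lists, and device.<property> references.
_TOKEN = re.compile(r'\(|\)|-\w+|"[^"]*"|\[[^\]]*\]|device\.\w+')


def _literal(tok: str) -> Any:
    """Decode a "string" token or a ["a", "b"] list token."""
    if tok.startswith('"'):
        return tok[1:-1]
    if tok.startswith("["):
        return [s.strip().strip('"') for s in tok[1:-1].split(",") if s.strip()]
    raise ValueError(f"unexpected literal {tok!r}")


def _compare(op: str, actual: Any, expected: Any) -> bool:
    """Apply one operator. Assumption: a missing attribute satisfies no
    comparison, and string matching is case-insensitive."""
    if actual is None:
        return False
    a = str(actual).lower()
    if isinstance(expected, list):
        members = [e.lower() for e in expected]
        if op in ("-in", "-notin"):
            return (a in members) == (op == "-in")
    else:
        e = str(expected).lower()
        table = {
            "-eq": a == e, "-ne": a != e,
            "-startswith": a.startswith(e), "-notstartswith": not a.startswith(e),
            "-endswith": a.endswith(e), "-notendswith": not a.endswith(e),
            "-contains": e in a, "-notcontains": e not in a,
        }
        if op in table:
            return table[op]
    raise ValueError(f"unsupported operator {op} for value {expected!r}")


class _Parser:
    """Recursive-descent evaluator; -and binds tighter than -or."""

    def __init__(self, tokens: list, device: dict):
        self.toks, self.i, self.dev = tokens, 0, device

    def peek(self) -> Optional[str]:
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self) -> str:
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of rule")
        self.i += 1
        return tok

    def expr(self) -> bool:
        result = self.conj()
        while self.peek() is not None and self.peek().lower() == "-or":
            self.take()
            result = self.conj() or result  # right side always evaluated, to consume tokens
        return result

    def conj(self) -> bool:
        result = self.term()
        while self.peek() is not None and self.peek().lower() == "-and":
            self.take()
            result = self.term() and result
        return result

    def term(self) -> bool:
        tok = self.take()
        if tok == "(":
            value = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return value
        if tok.startswith("device."):
            op = self.take().lower()
            return _compare(op, self.dev.get(tok[len("device."):]), _literal(self.take()))
        raise ValueError(f"unexpected token {tok!r}")


def rule_matches(rule: str, device: Optional[dict]) -> bool:
    """True when the device attributes satisfy the rule; device=None models an
    unregistered device that has no device object at all."""
    parser = _Parser(_TOKEN.findall(rule), device or {})
    result = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"trailing tokens from {parser.peek()!r}")
    return result


def block_policy_applies(device: Optional[dict], rule: str, mode: str = "exclude") -> bool:
    """Simulate a CA policy with grant control 'Block access'. mode='include'
    targets devices matching the rule; mode='exclude' targets every device NOT
    matching it, which is how 'block until marked Corporate' is expressed."""
    matched = rule_matches(rule, device)
    return matched if mode == "include" else not matched


COMPANY_ONLY = '(device.deviceOwnership -eq "Company")'  # the rule from the post

# Constructed sample device objects (not real tenant data).
SAMPLE_DEVICES = {
    "android_byod":      {"deviceOwnership": "Personal", "operatingSystem": "Android"},
    "android_corporate": {"deviceOwnership": "Company",  "operatingSystem": "Android"},
    "ownership_unknown": {"deviceOwnership": "Unknown",  "operatingSystem": "Android"},
    "unregistered":      None,
}


def evaluate_all(rule: str = COMPANY_ONLY, mode: str = "exclude") -> dict:
    """Map each sample device to whether the block policy applies to it."""
    return {name: block_policy_applies(dev, rule, mode) for name, dev in SAMPLE_DEVICES.items()}


if __name__ == "__main__":
    for name, blocked in evaluate_all().items():
        print(f"{name:18} -> {'BLOCKED' if blocked else 'allowed'}")
```

With the exclude mode, only the device already marked Company gets through; the Personal device, a device whose ownership is still Unknown, and a device with no device object are all blocked. Flipping the same rule to include mode inverts that and would block exactly the corporate devices, which is the mistake this simulator is meant to make visible before the policy is put in report-only mode in a real tenant.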