Hello RITU RAJ,
Welcome to the Microsoft Q&A and thank you for posting your questions here.
I understand that you need to implement a Conditional Access policy for non-compliant devices.
To avoid any misconceptions or issues, and still meet the customer need of blocking high-risk non-compliant devices while enabling BYOD access safely, you will need to use a hybrid Conditional Access strategy:
Recommended Conditional Access + App Protection Strategy for corporate devices:
- Require device compliance with MDM (Intune)
  - Create a compliance policy in Intune (OS version, encryption, etc.).
  - Create a CA policy that requires device compliance for corporate devices.
  - Allow access only if the device is marked compliant. ([Azure Documentation][8])
- For BYOD vendor and/or personal devices:
  - Use App Protection Policies (MAM) without MDM enrollment
    - Create Intune App Protection Policies targeting BYOD users.
    - These policies secure corporate data per app only (e.g., Outlook, Teams).
    - Data leakage prevention & controls are enforced even on personal devices. ([Microsoft Learn][2])
  - Conditional Access for BYOD devices
    - Create a CA policy targeting the BYOD group or device filters (deviceOwnership eq Personal).
    - Grant controls: Require app protection policy OR require compliant device.
    - Configure Require approved client app (e.g., Outlook, Teams).
    - For multiple controls choose Require one of the selected controls. ([Microsoft Learn][2])
  - For Browser Restriction Option: Optionally, limit BYOD access to browser only, and restrict file downloads via session & cloud app controls. ([TMinus 365][3])
Therefore, to simplify, the policy deployment approach will be similar to the below:
- In a scenario of Corporate Managed Devices, the Conditional Access Requirement will be to require compliant device (MDM).
- In a scenario of BYOD (Personal/non-enrolled), the Conditional Access Requirement will be to Require App Protection Policy OR Approved Client.
- In a scenario of High-risk access, the Conditional Access Requirement will be to add additional MFA or Defender for Endpoint signals.
I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.
Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.
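The three scenarios in the answer above (corporate: require compliant device; BYOD: app protection OR compliant device; high risk: require MFA), modelled as an added example that is not part of the answer or of Microsoft's own code. The policy bodies follow the shape of the Microsoft Graph `conditionalAccessPolicy` resource (the device filter uses the documented rule syntax `device.deviceOwnership -eq "Personal"`); the group IDs are placeholders, and the evaluator is a deliberately simplified simulation that shows how the grant operator decides access, not Entra's real policy engine. It treats every policy as enforced so you can see what report-only mode would report as "would have been blocked".

```python
"""Constructed example: three Graph-style Conditional Access policies and a
small simulator that applies them to sample sign-ins.  Shows why the BYOD
policy must use operator "OR" ("Require one of the selected controls")."""
import json
import re

CORP_GROUP = "GROUP-ID-CORPORATE-PLACEHOLDER"  # assumption: replace with real group object IDs
BYOD_GROUP = "GROUP-ID-BYOD-PLACEHOLDER"


def _policy(name, groups, controls, operator="AND", **extra_conditions):
    """Assemble one Graph-style conditionalAccessPolicy body (staged in report-only)."""
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced",  # validate in report-only before enforcing
        "conditions": {"users": {"includeGroups": groups},
                       "applications": {"includeApplications": ["All"]},
                       "clientAppTypes": ["all"], **extra_conditions},
        "grantControls": {"operator": operator, "builtInControls": controls},
    }


def build_policies():
    personal = {"deviceFilter": {"mode": "include",
                                 "rule": 'device.deviceOwnership -eq "Personal"'}}
    return [
        _policy("CA01 corporate: require compliant device", [CORP_GROUP], ["compliantDevice"]),
        _policy("CA02 BYOD: app protection OR compliant device", [BYOD_GROUP],
                ["compliantApplication", "compliantDevice"], operator="OR", devices=personal),
        _policy("CA03 high risk: require MFA", [CORP_GROUP, BYOD_GROUP], ["mfa"],
                signInRiskLevels=["high"]),
    ]


def _filter_matches(rule, ctx):
    # Simulator supports only the single-clause form: device.<property> -eq "<value>"
    m = re.fullmatch(r'device\.(\w+) -eq "([^"]*)"', rule)
    if not m:
        raise ValueError(f"unsupported filter rule: {rule}")
    return ctx["device"].get(m.group(1)) == m.group(2)


def policy_applies(policy, ctx):
    """True if the sign-in context is in scope of the policy's conditions."""
    cond = policy["conditions"]
    if not set(cond["users"]["includeGroups"]) & set(ctx["groups"]):
        return False
    risk = cond.get("signInRiskLevels")
    if risk and ctx.get("signInRisk") not in risk:
        return False
    flt = cond.get("devices", {}).get("deviceFilter")
    if flt and (flt["mode"] == "include") != _filter_matches(flt["rule"], ctx):
        return False
    return True


def grant_satisfied(grant, ctx):
    """AND = all selected controls must be met; OR = any one of them is enough."""
    controls = grant["builtInControls"]
    if "block" in controls:
        return False
    hits = [c in ctx["satisfied"] for c in controls]
    return all(hits) if grant["operator"] == "AND" else any(hits)


def evaluate(policies, ctx):
    """Return (access_granted, [display names of in-scope policies whose grant failed])."""
    failed = [p["displayName"] for p in policies
              if policy_applies(p, ctx) and not grant_satisfied(p["grantControls"], ctx)]
    return (not failed, failed)


def with_operator(policy, operator):
    """Copy of a policy with a different grant operator, to compare 'Require all' vs 'Require one'."""
    p = json.loads(json.dumps(policy))
    p["grantControls"]["operator"] = operator
    return p


# Constructed sign-ins; 'satisfied' lists the built-in controls the session already meets.
SAMPLE_SIGNINS = {
    "corp_compliant_laptop": {"groups": [CORP_GROUP], "signInRisk": "none",
                              "device": {"deviceOwnership": "Company"},
                              "satisfied": {"compliantDevice"}},
    "personal_phone_outlook_mam": {"groups": [BYOD_GROUP], "signInRisk": "none",
                                   "device": {"deviceOwnership": "Personal"},
                                   "satisfied": {"compliantApplication"}},
    "personal_phone_unmanaged_browser": {"groups": [BYOD_GROUP], "signInRisk": "none",
                                         "device": {"deviceOwnership": "Personal"},
                                         "satisfied": set()},
    "corp_laptop_high_risk_no_mfa": {"groups": [CORP_GROUP], "signInRisk": "high",
                                     "device": {"deviceOwnership": "Company"},
                                     "satisfied": {"compliantDevice"}},
}

if __name__ == "__main__":
    pols = build_policies()
    for name, ctx in SAMPLE_SIGNINS.items():
        ok, failed = evaluate(pols, ctx)
        print(f"{name:34s} -> {'GRANT' if ok else 'BLOCK'} {failed}")
```

Flipping CA02 to `"AND"` with `with_operator` blocks the personal phone that only meets the app protection policy, which is exactly the misconfiguration the "Require one of the selected controls" choice avoids; the `state` value keeps every policy in report-only so the sign-in logs can confirm the outcome before enforcement.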