Just found your channel. Loving it. Do you think you could do a full video on setting up a test tenant? Was thrown into supporting Azure after it was setup so would be very helpful setting up my own to learn what I missed and to have something to test.
So if I want to allow BYOD and Company owned devices, I exclude both of those for iPhones & androids and technically it should block any other iPhones or android trying to sign into ms365 that are not BYOD or company owned
Hi Edwards, Your video series is fantastic! I recently implemented this conditional access policy in our organization, but we've encountered an issue when it comes to a fresh user enrolling into Intune. The policy is blocking the initial device enrollment and user sign-in. when i'm checking the sign-in logs, it shows that the sign-in is blocked by this conditional access policy. Is there an alternative option to overcome this issue, or any best practices you’d recommend? Aside from this, everything is working perfectly. Thanks for share your knowledge with community!
Applying that policy prevents work devices from enrolling in Intune via Autopilot b/c the initial Device Ownership is not Corporate yet b/c it hasn’t enrolled. How do you resolve this issue?
Would be great for feedback on still wanting to allow guest access to Microsoft Teams files to other businesses that are approved, they wouldn't have a corporate device?
I've implemented all of your CA policies and they're great, but this one blocks re-adding an Autopilot device to Intune after a Wipe. Any suggestions? Thanks
Very powerful, but not user friendly. We learned to consult this with clients and make them clear what this really means. Our best scenario is to block unmanaged devices to Sharepoint but allow access via the Browser (limited experience). But even this gives issues (not technically but on user level). I am all for it, but this does not work for SMB, mostly. Bu great video again!
Hi Mr. Edwards, It would be great to receive a respond from you. I have a question. If I enrolled a device (for example a windows laptop) to intune using administrator account who has microsoft365 Business Premium then I change the owner of that device to another user which only has Business Standard license. At that moment will that device no longer be enrolled since that user doesn't have Intune license?
All you need is for one Business Premium license in the tenant to enjoy the features. I am not suggesting you do that, in my view each person who is using Premium features should have a Premium license.
Great presentation and please don’t take it personally.. But, is there or can there be another company which prompts user who used UNAUTHORISED DEVICE to provide password and the second factor???
Hi Jonathan, is it possible to apply this CA policy for Multiple Office365 Tenants to the same applications on one device? I have providing with company's laptop and access multiple tenents on this windows laptop.
Just thinking out loud. Wouldn't a compliance requirement CA Policy also block personal computers? If they don't have intune.. they can't access anything?
we have O365 E5 licenses is that enough? what is the minimum license required? could you explain a little bit if this works with a Azure AD registered device ? or only Azure AD Joined Device ?
Let me rephrase - I am looking to block devices from logging into any MS365 app using company creds or logging into browser from devices that are not enrolled. So other words if the mobile devices iPhone and androids are not company owned or Personal (BYOD), then block them from accessing. Just wondering what exactly will I be looking in conditional access for this. Any help is appreciated
@@divanshusharma6866 You will need a couple of conditional access policies for this. It’s difficult to show here in the comments. I will attempt to film new material.
This worked wonderfully for me. I excluded Exchange online, so all cloud apps were blocked except for email and it is doing exactly what I hoped for thanks to this video. Thank you so much Jonathan!
Hi Jonathan, thanks for the great video. I am curious as to your using an OR statement for the filter. Is there an historical reason for using just DeviceOwnership not equals Company?
How setup the same for only Intune enrolled Windows, MacOS, Android devices(BYOD android through Company portal and Fully Company Managed Android Enterprise)
Hey Jonathan, thanks for your video, it helped us a lot!! We're trying to make an "exclusion" for a specific URL, we want to allow the Windows 365 URL, can you explain how can we make this filter, please?
Could you explain, for we numpties, where the policy resides? You used intunes which suggests a policy on the endpoint but I don’t think you have set up a client on personal laptop. Does policy set up in intune sit in M365?
Thank you for this, working like a charm. a question though, what happens to the users logged in already on personal devices? do they get logged out? cause in my testing, the logged in user stayed logged in
Excellent. Some great tips here. In the opposite direction, how would you go about setting up Conditional Access for a small startup where everyone is using their own laptops? What would you turn off, what would you leave on? Any special case policies?
@@bearded365guy My understanding is that when autopiloting a vbox-created instance, the serial no. shown in Intune only contains zeros. This is not the case with using Hyper-V or VMware.
Jonathan, thanks for these video's. We have been trying to do this but still allow access from a browser on a personal device but cannot download content or enroll a personal device in intune. Any ideas?
@@bearded365guy - thanks for the reply. using the CA you used in this video what would we need to change to allow access to the browser but block downloads?
We block personal device enrolment and have setup conditional access policy to only allow compliant intune devices. We allow online usage only for personal devices with app enforced restrictions also.
Hi Edwards, I want to block all cloud application except teams and outlook for phone device. I created a conditional access policy to block all cloud application except outlook and teams. Its working fine but teams is still blocking. I m not sure what are the teams related services need to exclude in the policy. Could you please make a video for the same
Thank you for your videos. We would like to learn how to stop users to upload anything from company devices to 3rd party apps for e.g. web WhatsApp, Dropbox Google drive or online PDF editors.
Dude, your videos are epic! I gained so much knowledge on this topic of CA and App Policies.
Great info, but how does it work with Hybird Entra installs where AD is installed on-prem?
@@andrewenglish3810 You can still use lots of these policies with Hybrid setups.
Just found your channel. Loving it. Do you think you could do a full video on setting up a test tenant? Was thrown into supporting Azure after it was setup so would be very helpful setting up my own to learn what I missed and to have something to test.
So if I want to allow BYOD and Company owned devices, I exclude both of those for iPhones & androids and technically it should block any other iPhones or android trying to sign into ms365 that are not BYOD or company owned
Hi Edwards,
Your video series is fantastic! I recently implemented this conditional access policy in our organization, but we've encountered an issue when it comes to a fresh user enrolling into Intune. The policy is blocking the initial device enrollment and user sign-in. when i'm checking the sign-in logs, it shows that the sign-in is blocked by this conditional access policy.
Is there an alternative option to overcome this issue, or any best practices you’d recommend? Aside from this, everything is working perfectly.
Thanks for share your knowledge with community!
Applying that policy prevents work devices from enrolling in Intune via Autopilot b/c the initial Device Ownership is not Corporate yet b/c it hasn’t enrolled. How do you resolve this issue?
Would be great for feedback on still wanting to allow guest access to Microsoft Teams files to other businesses that are approved, they wouldn't have a corporate device?
I've implemented all of your CA policies and they're great, but this one blocks re-adding an Autopilot device to Intune after a Wipe. Any suggestions? Thanks
Very powerful, but not user friendly. We learned to consult this with clients and make them clear what this really means. Our best scenario is to block unmanaged devices to Sharepoint but allow access via the Browser (limited experience). But even this gives issues (not technically but on user level). I am all for it, but this does not work for SMB, mostly. Bu great video again!
Yep, it’s strict
if your devices are entra hybrid joined, you can just check that box in Grant, and not have to do any filtering.
Hi Mr. Edwards, It would be great to receive a respond from you. I have a question. If I enrolled a device (for example a windows laptop) to intune using administrator account who has microsoft365 Business Premium then I change the owner of that device to another user which only has Business Standard license. At that moment will that device no longer be enrolled since that user doesn't have Intune license?
All you need is for one Business Premium license in the tenant to enjoy the features. I am not suggesting you do that, in my view each person who is using Premium features should have a Premium license.
Great presentation and please don’t take it personally.. But, is there or can there be another company which prompts user who used UNAUTHORISED DEVICE to provide password and the second factor???
Yes, that would be possible.
Hi Jonathan, is it possible to apply this CA policy for Multiple Office365 Tenants to the same applications on one device? I have providing with company's laptop and access multiple tenents on this windows laptop.
@@amanhanda9127 No, i don’t think it would be.
Just thinking out loud. Wouldn't a compliance requirement CA Policy also block personal computers? If they don't have intune.. they can't access anything?
A device can be owned personally and be compliant. This is to simply block all personal devices. Much stronger 💪
Hello Jonathan how are you?
I have one question, is there some CA to block access to personal emails in web browsers on devices managed?
Hi, got your email. Will respond!
we have O365 E5 licenses is that enough? what is the minimum license required? could you explain a little bit if this works with a Azure AD registered device ? or only Azure AD Joined Device ?
This works with Azure AD P1
Let me rephrase - I am looking to block devices from logging into any MS365 app using company creds or logging into browser from devices that are not enrolled. So other words if the mobile devices iPhone and androids are not company owned or Personal (BYOD), then block them from accessing. Just wondering what exactly will I be looking in conditional access for this. Any help is appreciated
@@divanshusharma6866 You will need a couple of conditional access policies for this. It’s difficult to show here in the comments. I will attempt to film new material.
@@bearded365guy THANKS. I am gonna subscribe and wait for the video to drop
This worked wonderfully for me. I excluded Exchange online, so all cloud apps were blocked except for email and it is doing exactly what I hoped for thanks to this video. Thank you so much Jonathan!
Hi Jonathan, thanks for the great video. I am curious as to your using an OR statement for the filter. Is there an historical reason for using just DeviceOwnership not equals Company?
I really don't see the point of using both of those statements. Isn't it enough to use only one?
How setup the same for only Intune enrolled Windows, MacOS, Android devices(BYOD android through Company portal and Fully Company Managed Android Enterprise)
Love this ! explained perfectly !
Johnathan, your videos and style of presentation have been helpful. Does your organization (you) also do live events?
Yes, sometimes!
Hey Jonathan, thanks for your video, it helped us a lot!!
We're trying to make an "exclusion" for a specific URL, we want to allow the Windows 365 URL, can you explain how can we make this filter, please?
best content, with real world scenarios as usual keep it up
Could you explain, for we numpties, where the policy resides? You used intunes which suggests a policy on the endpoint but I don’t think you have set up a client on personal laptop. Does policy set up in intune sit in M365?
Thank you for this, working like a charm. a question though, what happens to the users logged in already on personal devices? do they get logged out? cause in my testing, the logged in user stayed logged in
Excellent. Some great tips here. In the opposite direction, how would you go about setting up Conditional Access for a small startup where everyone is using their own laptops? What would you turn off, what would you leave on? Any special case policies?
Either Device filter to include personal ownership or to exclude corporate owned. Any reason for using VBox instead of Hyper-V ?
I’ve always kind of liked vbox 😀
@@bearded365guy My understanding is that when autopiloting a vbox-created instance, the serial no. shown in Intune only contains zeros. This is not the case with using Hyper-V or VMware.
When do you use this over only allow compliant devices?
For me, a compliant device is slightly different. A personal owned device could be compliant.
Jonathan, thanks for these video's. We have been trying to do this but still allow access from a browser on a personal device but cannot download content or enroll a personal device in intune. Any ideas?
Yes, you can block downloads on unmanaged devices
@@bearded365guy - thanks for the reply. using the CA you used in this video what would we need to change to allow access to the browser but block downloads?
Great video really appreciated
Though the devices are corporate and registered with intunes, we are being locked out. Any idea?
What polices do you have setup?
@@bearded365guy block from personal devices, block outside the named region. The devices are being recognised as corporate
hey the videos good but the policy doesnt work, any idea why? Have you tested this first?
It should work.
interesting ca policies usually apply right away. This one took some time, i can now see it is working. Thanks! @@bearded365guy
no need to configure client apps. It's applied to all by default.
We block personal device enrolment and have setup conditional access policy to only allow compliant intune devices. We allow online usage only for personal devices with app enforced restrictions also.
That works too 😀
Hi Edwards, I want to block all cloud application except teams and outlook for phone device. I created a conditional access policy to block all cloud application except outlook and teams. Its working fine but teams is still blocking. I m not sure what are the teams related services need to exclude in the policy. Could you please make a video for the same
An On-Ee-Un.
Thank you for your videos. We would like to learn how to stop users to upload anything from company devices to 3rd party apps for e.g. web WhatsApp, Dropbox Google drive or online PDF editors.
Stay tuned
How this is possible without intune? :)
It isn’t
@@bearded365guy :(
+
Thanks for the video but it didnt work
hi, i thought so too but it just took some time to go into effect..
Great Video Jonathan