Block Personal Computers with Conditional Access in Microsoft 365


Jonathan Edwards


Wouldn't it be great to just simply block the use of personal computers in Microsoft 365? This would mean that access to Microsoft 365 could only be done on company-owned devices that were part of Intune. You can do this by using a conditional access policy and I will show you in this video.
Chapters
0:00 Introduction
00:36 Basic Conditional Access
01:14 Advanced Conditional Access Policy
02:19 Word of Warning
03:12 Demo
05:09 Create Conditional Access Policy
08:06 Test CA Policy
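
A policy of the kind described above can also be created with Microsoft Graph PowerShell. This is an added example, not the configuration shown in the video: the policy name, the Windows/macOS platform scope, the excluded emergency-access account placeholder and the exact filter rule (modelled on the device ownership filter discussed in the comments) are assumptions. It is created in report-only mode so the sign-in logs can be reviewed before anything is enforced.

```powershell
# Added example: requires the Microsoft.Graph.Identity.SignIns module.
# Creating a Conditional Access policy needs these delegated scopes.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholder (assumption): object ID of an emergency-access account that is
# excluded so a filter mistake cannot lock every administrator out.
$breakGlassId = '<break-glass-account-object-id>'

$policy = @{
    displayName = 'Block personal computers (report-only)'   # hypothetical name
    # Report-only: evaluated and logged, but not enforced.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassId)
        }
        applications   = @{ includeApplications = @('Office365') }
        # Assumption: computers only; phones are left to other policies.
        platforms      = @{ includePlatforms = @('windows', 'macOS') }
        clientAppTypes = @('all')
        devices        = @{
            deviceFilter = @{
                mode = 'include'
                # Assumed rule: match any device not marked as company-owned.
                rule = 'device.deviceOwnership -ne "Company"'
            }
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Switch `state` to `enabled` only after the report-only results show that corporate devices are not matched by the filter.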

Comments: 60
@JannievanderWalt 4 months ago
Dude, your videos are epic! I gained so much knowledge on this topic of CA and App Policies.
@SeiferAlmasy21 4 months ago
Very powerful, but not user friendly. We learned to consult this with clients and make clear to them what this really means. Our best scenario is to block unmanaged devices to SharePoint but allow access via the browser (limited experience). But even this gives issues (not technically but on user level). I am all for it, but this does not work for SMB, mostly. But great video again!
@bearded365guy 4 months ago
Yep, it’s strict
@nazerbor3i 4 months ago
Best content, with real-world scenarios as usual, keep it up
@davecmini 2 months ago
Love this! Explained perfectly!
@notta3d 2 months ago
Just found your channel. Loving it. Do you think you could do a full video on setting up a test tenant? Was thrown into supporting Azure after it was set up so would be very helpful setting up my own to learn what I missed and to have something to test.
@iralagirireddy7122 4 months ago
Great video really appreciated
@TheLiquidDreamers 4 months ago
Great Video Jonathan
@ifoam 4 months ago
Jonathan, your videos and style of presentation have been helpful. Does your organization (you) also do live events?
@bearded365guy 4 months ago
Yes, sometimes!
@daelra 4 months ago
Excellent. Some great tips here. In the opposite direction, how would you go about setting up Conditional Access for a small startup where everyone is using their own laptops? What would you turn off, what would you leave on? Any special case policies?
@edwardstark6817 3 months ago
If your devices are Entra hybrid joined, you can just check that box in Grant, and not have to do any filtering.
@rod5751 2 months ago
I've implemented all of your CA policies and they're great, but this one blocks re-adding an Autopilot device to Intune after a Wipe. Any suggestions? Thanks
@thefactfinderx 3 months ago
Thank you for your videos. We would like to learn how to stop users from uploading anything from company devices to 3rd party apps, e.g. web WhatsApp, Dropbox, Google Drive or online PDF editors.
@bearded365guy 3 months ago
Stay tuned
@alefbraz5973 3 months ago
Hey Jonathan, thanks for your video, it helped us a lot!! We're trying to make an "exclusion" for a specific URL, we want to allow the Windows 365 URL, can you explain how we can make this filter, please?
@joeraymen7312 4 months ago
We block personal device enrolment and have set up a conditional access policy to only allow compliant Intune devices. We allow online usage only for personal devices with app enforced restrictions also.
@bearded365guy 4 months ago
That works too 😀
@santhoshshashi303 1 month ago
Hi Edwards, I want to block all cloud applications except Teams and Outlook for phone devices. I created a conditional access policy to block all cloud applications except Outlook and Teams. It's working fine but Teams is still blocking. I'm not sure which Teams-related services need to be excluded in the policy. Could you please make a video for the same?
@exmuslim1330 4 months ago
What is Exchange recipient admin center? Is it a replacement for Exchange admin center?
@andrewwitton8038 4 months ago
Hi Jonathan, thanks for the great video. I am curious as to your using an OR statement for the filter. Is there an historical reason for using just DeviceOwnership not equals Company?
@frankfix247 1 month ago
I really don't see the point of using both of those statements. Isn't it enough to use only one?
@timwood101 4 months ago
Could you explain, for we numpties, where the policy resides? You used Intune which suggests a policy on the endpoint but I don't think you have set up a client on the personal laptop. Does a policy set up in Intune sit in M365?
@amanhanda9127 1 day ago
Hi Jonathan, is it possible to apply this CA policy for multiple Office 365 tenants to the same applications on one device? I have been provided with a company laptop and access multiple tenants on this Windows laptop.
@adarsh_raj____ 4 months ago
How to set up the same for only Intune enrolled Windows, macOS, Android devices (BYOD Android through Company Portal and fully company managed Android Enterprise)?
@exmuslim1330 4 months ago
In new Outlook, I can't find the Trust Center and add-ins in Options (there is no Options); I read we need to install them manually. In new Outlook, I can't find Office accounts, account settings, tools, and a lot of missing tools. Can you provide a video to solve these issues?
@edwardstark6817 3 months ago
No need to configure client apps. It's applied to all by default.
@tri.taminh 24 days ago
Hi Mr. Edwards, it would be great to receive a response from you. I have a question. If I enrolled a device (for example a Windows laptop) to Intune using an administrator account who has Microsoft 365 Business Premium, then I change the owner of that device to another user who only has a Business Standard license. At that moment, will that device no longer be enrolled since that user doesn't have an Intune license?
@bearded365guy 24 days ago
All you need is for one Business Premium license in the tenant to enjoy the features. I am not suggesting you do that, in my view each person who is using Premium features should have a Premium license.
@juliocesarvasconcelos2413 1 month ago
Hello Jonathan, how are you? I have one question, is there some CA to block access to personal emails in web browsers on managed devices?
@bearded365guy 1 month ago
Hi, got your email. Will respond!
@nazerbor3i 4 months ago
We have O365 E5 licenses, is that enough? What is the minimum license required? Could you explain a little bit if this works with an Azure AD registered device? Or only an Azure AD joined device?
@bearded365guy 4 months ago
This works with Azure AD P1
@tlambert54 4 months ago
Jonathan, thanks for these videos. We have been trying to do this but still allow access from a browser on a personal device but cannot download content or enroll a personal device in Intune. Any ideas?
@bearded365guy 4 months ago
Yes, you can block downloads on unmanaged devices
@tlambert54 4 months ago
@bearded365guy - Thanks for the reply. Using the CA you used in this video, what would we need to change to allow access to the browser but block downloads?
@themikerennie 4 months ago
When do you use this over only allow compliant devices?
@bearded365guy 4 months ago
For me, a compliant device is slightly different. A personally owned device could be compliant.
@AbdullahOllivierreIT 4 months ago
Either device filter to include personal ownership or to exclude corporate owned. Any reason for using VBox instead of Hyper-V?
@bearded365guy 4 months ago
I’ve always kind of liked vbox 😀
@frankfix247 1 month ago
@bearded365guy My understanding is that when autopiloting a vbox-created instance, the serial no. shown in Intune only contains zeros. This is not the case with using Hyper-V or VMware.
@akurenda1985 4 months ago
Just thinking out loud. Wouldn't a compliance requirement CA policy also block personal computers? If they don't have Intune... they can't access anything?
@bearded365guy 4 months ago
A device can be owned personally and be compliant. This is to simply block all personal devices. Much stronger 💪
@saisrikardhavala6441 20 days ago
Though the devices are corporate and registered with Intune, we are being locked out. Any idea?
@bearded365guy 19 days ago
What policies do you have set up?
@saisrikardhavala6441 19 days ago
@bearded365guy Block from personal devices, block outside the named region. The devices are being recognised as corporate.
@stantkatchenko1341 4 months ago
Great presentation and please don't take it personally... But, is there or can there be another company which prompts user who used UNAUTHORISED DEVICE to provide password and the second factor???
@bearded365guy 4 months ago
Yes, that would be possible.
@user-st8fu6nq7b 4 months ago
Hey, the video's good but the policy doesn't work, any idea why? Have you tested this first?
@bearded365guy 4 months ago
It should work.
@user-st8fu6nq7b 4 months ago
@bearded365guy Interesting, CA policies usually apply right away. This one took some time, I can now see it is working. Thanks!
@kabyson 4 months ago
+
@justmart 3 months ago
How is this possible without Intune? :)
@bearded365guy 3 months ago
It isn’t
@justmart 2 months ago
@bearded365guy :(
@g04tn4d0 3 months ago
An On-Ee-Un.
@KGok-ul8xe 4 months ago
Thanks for the video but it didn't work
@user-st8fu6nq7b 4 months ago
Hi, I thought so too but it just took some time to go into effect..