Guard Your Corporate Data : Put an End to Unauthorized Access on Personal Devices with Conditional Access


Conditional Access rules are a key tool for securing corporate data.

One of my favorite rules is « Require device to be marked as compliant ».

Here’s the idea: the device must be enrolled in Intune and must meet the compliance policy you have defined (an enrolled device is not automatically compliant; it still has to pass the compliance checks). Only managed, compliant devices can then reach company data, and unmanaged personal devices are blocked.

This is the barrier you want between corporate information and any device you do not control: a non-compliant or personal device simply cannot open the data, whatever the user's credentials.

We’ve done the why, now let’s do the how.

My personal devices

I test the Conditional Access rule against two types of devices: Windows and macOS.

Both devices are personal and not enrolled in Intune. For now I can still access my corporate data with the Office 365 applications, because I haven’t secured them yet.

Windows :

Mac :

Create the conditional access rule

In the Microsoft Entra admin center, open Conditional Access and create a new policy:

First, the users: choose which users the policy applies to. Start with a small pilot group to see the end-user experience 🙂, and exclude your emergency-access (break-glass) accounts so that a misconfigured compliance policy can never lock every admin out.

Then the target resources. The Office 365 app group is a good start; it covers all of these apps:

Once the Office 365 rule is in place, I suggest securing the admin portals (Intune, Defender, etc.) the same way, so that only managed devices can reach your admin tools.

Then the device platforms. Here I target Windows and macOS workstations, but Conditional Access supports the mobile platforms (iOS, Android) just as well!

Under client apps you can choose to block only the desktop clients and still allow the browser, or block both. It depends on your strategy; leaving the web client available is a good transition step in my opinion.

And finally, the grant control: MFA? Authentication strength? App protection policy? Here it is « Require device to be marked as compliant ».

There are many possibilities with Conditional Access rules. Especially on mobile devices, you can combine CA rules with app protection policies and force users onto the corporate applications (next topic?).

So this rule does the following: for the users of AZ-GRP-USR-EndUser0 signing in to Office 365 applications from a Windows or macOS device, require the device to be marked as compliant. If the device is not enrolled or not compliant, the sign-in is blocked and the user sees a message saying the device must be enrolled and meet the Intune compliance rules.
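The whole procedure above, from pilot group to grant control, as one script. This is an added example written for this post, not the author's configuration or Microsoft's sample code; it uses the Microsoft Graph PowerShell SDK, and the portal steps above map one-to-one onto the fields of the policy object. It also covers the two pieces of advice given elsewhere on this page: it creates the policy in report-only mode first, then lists the sign-ins the policy would have blocked, so you see the impact on the pilot group before anyone (including yourself) is locked out. The two group object IDs, the break-glass group and the policy name are placeholders of mine, not values from the post.

```powershell
# Added example (not from the original post): create the Conditional Access policy
# described above with Microsoft Graph PowerShell, in report-only mode first, then
# check the sign-in log for what it would have blocked before switching it on.
# Assumptions (placeholders, not values from the post): the object IDs of the
# AZ-GRP-USR-EndUser0 group and of a break-glass group must be filled in by you.
#Requires -Modules Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Reports

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "AuditLog.Read.All", "Directory.Read.All"

$pilotGroupId      = "00000000-0000-0000-0000-000000000000"  # assumed: object ID of AZ-GRP-USR-EndUser0
$breakGlassGroupId = "11111111-1111-1111-1111-111111111111"  # assumed: group holding emergency-access accounts
$policyName        = "CA - Require compliant device - Office 365 - Windows/macOS"

$policy = @{
    displayName = $policyName
    # Report-only: sign-ins are evaluated and logged, but nothing is blocked yet.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroupId)
            excludeGroups = @($breakGlassGroupId)   # never lock the emergency accounts out
        }
        applications = @{
            includeApplications = @("Office365")    # the built-in "Office 365" app group
        }
        platforms = @{
            includePlatforms = @("windows", "macOS")
        }
        # Desktop and mobile clients only; add "browser" here to block the web clients too.
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")      # "Require device to be marked as compliant"
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# After a few days in report-only mode, list the sign-ins this policy would have
# blocked, so the devices can be enrolled (or the block accepted) before enforcing.
function Get-ReportOnlyFailures {
    param([string]$PolicyName, [int]$Top = 500)
    Get-MgAuditLogSignIn -Top $Top |
        Where-Object {
            $_.AppliedConditionalAccessPolicies |
                Where-Object { $_.DisplayName -eq $PolicyName -and $_.Result -eq "reportOnlyFailure" }
        } |
        Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName,
            @{ n = "OS";        e = { $_.DeviceDetail.OperatingSystem } },
            @{ n = "Managed";   e = { $_.DeviceDetail.IsManaged } },
            @{ n = "Compliant"; e = { $_.DeviceDetail.IsCompliant } }
}

Get-ReportOnlyFailures -PolicyName $policyName | Format-Table -AutoSize

# Only once the report-only results match what you expect, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }
```

The `Managed` and `Compliant` columns are what you want to read: a `reportOnlyFailure` row with `Managed = False` is a personal device that will be blocked once the policy is enforced, while `Managed = True` and `Compliant = False` is an enrolled device failing one of your compliance rules, which is exactly the case that can lock an admin out if the compliance policy is stricter than intended.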

End-user experience

So far the users open the corporate Office applications and reach the corporate data without any restriction. Not anymore!

When the user next opens the app, they are prompted to sign in again and see:

« Devices or client applications that meet XXX management compliance policy »

Meaning : You must be enrolled and be compliant.

On macOS devices, the experience is a bit different but the result is the same :

The user is redirected to aka.ms/enrollmymac, the download URL for the Company Portal application.

Note: on both platforms the end user is asked to enroll the device and make it compliant. Make sure the Intune enrollment restrictions are correctly targeted and configured: if your strategy is to not allow personal workstations, the restrictions must block personally owned devices from enrolling, otherwise this rule simply invites users to enroll their personal machines.

Note bis: have a look at your compliance rules. Make sure you don’t lock yourself out behind compliance rules, especially when you’re using the Defender Secure Score. I’ve seen admins who could no longer access the Intune portal because they had tested PowerShell scripts locally on their managed devices.

Conclusion

I see this blog post as a poem: « Security and Modern Workplace work well together ».

The teamwork of Conditional Access and Microsoft Intune compliance is a game-changer for securing corporate data. It’s like a superhero duo that keeps everything safe and sound.

By using these two tools together, companies not only block access from devices they do not control, but also give users a clear path (enroll, become compliant) back to their data. It’s a smart move toward a safer, smoother work environment.
