Create a conditional access policy for Users not enrolled or on a compliant Device
Many of our users work from home and do not want their personal Windows computer to be either enrolled into our MDM suite or onto Azure AD. With our strict compliance regulations users are struggling to make their own Windows computer devices compliant.
Would it be possible to have a policy that is in the middle, where users can access emails, OneDrive for Business and SharePoint sites without the need to be on a domain-joined computer or enrolled into our MDM suite? I would like to see this policy give the user access to all content but only from the browser such as IE and not from any applications, as all the Office packages are now mostly available to use in a web browser. This would mean that the user is just working in the cloud without the need to download any applications. I would also like this policy to stop users from downloading any content to their personal device, so it just stays in the cloud-based Office applications while working in this way. This policy could be enforced by a user having to provide two-factor authentication to be able to access their OneDrive for Business and SharePoint sites etc. from their own personal device.
Could we please look at implementing a policy such as this to help users work on their own personal device more easily, without the need to enrol in either Azure AD or the MDM suite.
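The policy pair the request above describes, written out as an added example (not from the original post or from Microsoft): Microsoft Graph `conditionalAccessPolicy` bodies that apply only to devices that are neither compliant nor Azure AD joined (via a device filter in exclude mode), require MFA for browser access to Office 365, hand download blocking to the app-enforced restrictions of SharePoint and Exchange, and block the rich desktop and mobile clients. The group object id is a placeholder, and the policies start in report-only state so the effect can be checked in sign-in logs before enforcement.

```json
[
  {
    "displayName": "Unmanaged devices - browser only with MFA, no download",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
      "users": { "includeGroups": ["<PLACEHOLDER-pilot-group-object-id>"] },
      "applications": { "includeApplications": ["Office365"] },
      "clientAppTypes": ["browser"],
      "devices": {
        "deviceFilter": {
          "mode": "exclude",
          "rule": "device.isCompliant -eq True -or device.trustType -eq \"AzureAD\" -or device.trustType -eq \"ServerAD\""
        }
      }
    },
    "grantControls": {
      "operator": "AND",
      "builtInControls": ["mfa"]
    },
    "sessionControls": {
      "applicationEnforcedRestrictions": { "isEnabled": true }
    }
  },
  {
    "displayName": "Unmanaged devices - block desktop and mobile apps",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
      "users": { "includeGroups": ["<PLACEHOLDER-pilot-group-object-id>"] },
      "applications": { "includeApplications": ["Office365"] },
      "clientAppTypes": ["mobileAppsAndDesktopClients"],
      "devices": {
        "deviceFilter": {
          "mode": "exclude",
          "rule": "device.isCompliant -eq True -or device.trustType -eq \"AzureAD\" -or device.trustType -eq \"ServerAD\""
        }
      }
    },
    "grantControls": {
      "operator": "OR",
      "builtInControls": ["block"]
    }
  }
]
```

The session control only takes effect once SharePoint Online is told to honour it (`Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess`), which is what turns browser access on unmanaged devices into view-only with download, print and sync disabled; unregistered devices have no identity properties, so an exclude-mode filter leaves them in scope, which is the intended behaviour here.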
Tim Beer commented
Every company I see is desperate for this feature, some of the companies are not adopting EMS yet because of the lack of this feature.
Nearly all companies currently have a lot of users who currently access their mail through their personal devices and often the same user is given a corporate device.
At the moment the admin either has to tell users you must enrol all devices, both personal and corporate, which they don't want to do as they feel their personal devices should not have to enrol.
Or the admin is restricted to only use MAM-WE, yet management want the corporate devices to be enrolled.
Microsoft should offer both to the same user so that Conditional Access can be targeted per device and user, not just per user.
I think first they should allow multiple conditional access policies. Mobile devices and PCs should have separate configuration, as you might want to let some users access from a non-AD-joined or non-compliant PC or Mac. On the other hand, you can still want to enforce them to be compliant with their mobile device.