Enterprise Mobility

Starting BYOD using Microsoft 365

Read Time: 3 minutes

Bring Your Own Device

We want staff to work comfortably and provide flexibility. We also want to ensure it is within a secure and well managed ecosystem. The more appropriate flexibility we provide, the more our users will happily adhere to both required standards and recommended practices.

Using Microsoft Enterprise Mobility allows us to support a Bring Your Own Device (BYOD) program within your organization which allows end-users to:

  • Use devices they like to use and already are comfortable with to access corporate cloud data – safely and securely
  • enforce access to devices which meet a minimum compliance level as defined by your organization (e.g. support operating system, device encryption, remote wipe, etc.)
  • Reduce spend on IT asset and asset support
  • Exclude devices not approved by your organizations (Hint – this also significantly cuts down on access from malicious agents).

The two major Microsoft 365 (M365) services to implementing a successful BYOD program are Microsoft Intune and Azure Conditional Access.

Microsoft Intune

Using Intune, we can create device compliance policies to ensure devices meet specific standards. For example:

  • what operating systems and versions are authorized for access
  • require device encryption requiring a pin on boot and access
  • restrict devices which are rooted or jail broken.

Intune supports iOS/iPadOS, Android, Windows, and macOS. From an operational perspective, a unified solution for managing devices greatly simplifies processes for IT Operations teams. Interoperability with other Microsoft services, such as Defender help to provide unparalleled capabilities to harden and protect the devices due to the integration of tools and unified system for accounts and access.

Intune also reduces the burden on IT Operations teams for registered devices as it provides the ability for staff to self-enroll compliant devices.

Azure AD Conditional Access

Conditional Access helps enforce specific rules, for example ensures only Intune registered mobile devices can connect to your M365 tenant.

Conditional Access also helps enforce rules using different signals. Signals include:

  • User or group membership
  • IP Location information
  • Device
  • Application
  • Real-time and calculated risk detection.

Based on signals, Conditional Access will apply action to block or grant access. Granting access can also require one or more of the following options:

  • Require multi-factor authentication
  • Require device to be marked as compliant
  • Require Hybrid Azure AD joined device
  • Require approved client app
  • Require app protection policy

Common behaviours with Conditional Access include:

  • Requiring trusted locations for Azure Multi-Factor Authentication registration
  • Restricting the use of apps on mobile devices to organization-managed devices
  • Blocking risky sign-in behaviours (e.g. authentication requests from different countries.)


In closing, using Microsoft Intune with Microsoft Azure Conditional Access, an organization can:

  • register and manage devices (phone, tablet, computer) for compliance and defining standards
  • define requirements for accessing the organization’s M365 tenant
  • Improve employee satisfaction by letting them use the devices they want to use (and not carry additional devices)
  • Enhance productivity by enabling staff to work from anywhere, anytime, providing more flexibility and better overall engagement on a day to day basis.
  • Reduce resources required for IT asset and device management, allows IT Operations to focus on more complex and challenging tasks.

Resources –

  • Azure AD Conditional Access (link)
  • Microsoft Intune (link)

Thanks for reading.

If you have any questions or would like to know more, please feel free to connect with me.

    Share This