Forum Discussion
AhmedSHMK
Jan 15, 2025 · Brass Contributor
CA policy for corporate devices
I would like to create a conditional access policy to block all non corporate devices from accessing Office 365 resources.
I created a policy:
Applies to -> User Group
Applies to -> all resources
Applies to -> Win 10
Filter for devices (exception) -> Ownership: Company & Trust type: Entra hybrid joined
Action: block
The above works fine for Office desktop login, i.e. it blocks non-corporate devices and allows corporate devices.
However, a side effect is that sign-ins from a browser on a corporate device are still blocked.
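The policy described in the post above, written out with Microsoft Graph PowerShell. This is an added example, not code from the original post; the group object id is a placeholder, and the policy is created in report-only mode so that its outcome (including for browser sign-ins from corporate devices) can be checked in the sign-in logs before anything is actually blocked.

```powershell
# Added example (not from the original post): builds the Conditional Access policy
# described above with Microsoft Graph PowerShell, in report-only mode first.
# Assumptions: the Microsoft.Graph.Identity.SignIns module is installed and
# $groupId is replaced with the real object id of the user group.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$groupId = "00000000-0000-0000-0000-000000000000"   # placeholder: object id of the target user group

# Device filter used as the exception: company-owned devices that are Entra hybrid joined.
# In the device-filter rule language, trustType "ServerAD" is the hybrid joined state.
$deviceFilterRule = 'device.deviceOwnership -eq "Company" -and device.trustType -eq "ServerAD"'

$policy = @{
    displayName = "Block non-corporate Windows devices from Office 365"
    # Report-only: the policy is evaluated and the result logged, but nothing is enforced.
    # The "Report-only" tab of each sign-in log entry shows whether a browser sign-in
    # from a corporate device matched the device-filter exclusion.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users          = @{ includeGroups = @($groupId) }
        applications   = @{ includeApplications = @("All") }
        platforms      = @{ includePlatforms = @("windows") }
        clientAppTypes = @("all")
        devices        = @{
            deviceFilter = @{
                mode = "exclude"          # devices matching the rule are exempt from the block
                rule = $deviceFilterRule
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Once the report-only results show the expected matches, change `state` to `"enabled"` (or flip it in the portal) to enforce the block.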
- Chandrasekhar_Arya · Steel Contributor
I guess the issue here is that when accessing Office 365 via a browser, the Conditional Access (CA) policy might not always detect the device’s ownership and trust type reliably, especially for session-based authentication.
If your goal is to allow browser access for corporate devices while blocking personal ones, use Session Controls:
Sign-in frequency: Set a persistent browser session for managed devices.
Use Conditional Access App Control (MCAS): This helps distinguish corporate vs. personal browser sessions.
If browser-based Office 365 access is still blocked, consider excluding certain apps (like Exchange Online or SharePoint) from the strict device policy.