Block Access on Personal Devices with Microsoft Conditional Access
Should Employees Be Able to Access Microsoft 365 from Any Device?
Microsoft 365 allows employees to work from almost anywhere.
They can access email, Microsoft Teams, SharePoint, OneDrive and other business applications from office computers, home laptops, tablets and mobile phones.
This flexibility can improve productivity, but it can also create a security risk.
An employee may sign in from a personal computer that:
- Is shared with family members
- Has no business antivirus protection
- Is missing important security updates
- Does not use disk encryption
- Has already been infected with malware
- Saves company files to an unsecured location
- Is not monitored by the business
- Remains accessible after the employee leaves
The username and password may belong to the employee, but the business has no control over the device being used.
Microsoft Conditional Access can help businesses decide which users and devices are allowed to access company information.
Rather than allowing every successful login, Conditional Access can require the device to meet company security requirements—or block access completely.
What is Microsoft Conditional Access?
Conditional Access is a security feature within Microsoft Entra ID.
It allows a business to create policies that evaluate the circumstances surrounding a login before access is granted.
The policy can consider information such as:
- The identity of the user
- The application being accessed
- The type of device
- The device’s operating system
- Whether the device is managed
- Whether it complies with company security policies
- The location of the login
- The authentication method being used
- The level of risk associated with the sign-in
Based on those conditions, Microsoft can allow access, block access or require additional security controls.
Microsoft describes Conditional Access as its Zero Trust policy engine. It brings together identity, device and application signals before deciding whether a user should be allowed to access a resource.
For example, a business could create a policy that says:
> Employees can access Microsoft 365 only from devices that are enrolled in Microsoft Intune and marked as compliant.
A company-managed laptop that meets the security requirements would be allowed.
A personal laptop that the business has never seen or managed would be blocked.
Why is access from personal devices a risk?
Personal devices are not necessarily unsafe.
An employee may own a modern computer that is fully updated and carefully protected.
The problem is that the business cannot automatically confirm this.
When employees use personal devices, the organisation may not know:
- Whether antivirus protection is active
- Whether the device is receiving updates
- Who else uses the computer
- Whether the storage is encrypted
- Whether company information is being downloaded
- Whether unsafe browser extensions are installed
- Whether the device is infected
- Whether business passwords are being saved
- Whether files will be deleted when the employee leaves
An employee could download a confidential customer document to their personal computer. That file may remain there long after the work has been completed.
It could be copied into a personal cloud-storage account, included in a home backup or accessed by another person using the device.
Blocking or limiting personal-device access gives the business greater control over where its information can be viewed, saved and shared.
What is the difference between a personal device and an unmanaged device?
The terms **personal device** and **unmanaged device** are often used as though they mean the same thing, but there is an important difference.
Personal device
A personal device is owned by the employee rather than the business.
A personal phone could still be enrolled in Microsoft Intune and subject to company security policies.
Unmanaged device
An unmanaged device has not been placed under the organisation’s device-management controls.
It may be company-owned or personally owned, but Microsoft Intune is not currently managing it.
Non-compliant device
A non-compliant device is known to the organisation but has failed one or more security requirements.
For example, it may:
- Be missing updates
- Have antivirus protection disabled
- Lack encryption
- Use an unsupported operating system
- Have an insecure password
- Be considered compromised
Microsoft Intune reports device compliance information to Microsoft Entra ID. Conditional Access can then require a device to be marked as compliant before it is permitted to access company resources.
This distinction matters because a company-owned device could become non-compliant, while a personal device could theoretically be enrolled and made compliant.
The business must decide whether it wants to block devices based on ownership, management, security status or a combination of all three.
How can Conditional Access block personal devices?
A common approach is to require every device accessing Microsoft 365 to be marked as compliant.
To become compliant, a device normally needs to:
1. Be enrolled in Microsoft Intune.
2. Receive the organisation’s security policies.
3. Meet the compliance requirements set by the business.
4. Report its compliance status to Microsoft Entra ID.
Conditional Access then checks this status when the user attempts to sign in.
If the device is compliant, access can be granted.
If the device is unmanaged, unknown or non-compliant, access can be blocked.
However, requiring compliance by itself may not prevent employees from enrolling their own devices.
The business may also need Intune enrolment restrictions that prevent personally owned devices from being enrolled.
Microsoft Intune can block personally owned devices from enrolling and checks whether new Windows enrolment requests have been authorised as corporate enrolments.
When these controls are combined:
- Personal devices cannot enrol.
- Devices that have not enrolled cannot become compliant.
- Conditional Access requires compliance.
- Personal or unmanaged devices are therefore blocked.
This provides a clearer separation between approved company equipment and personal technology.
Why not simply filter for “personal” devices?
Conditional Access includes device filters that can evaluate attributes such as device ownership.
This may appear to provide a simple solution: create a rule that blocks every device marked as personal.
However, device filters rely on attributes held against devices that are registered in Microsoft Entra ID. A completely unknown or unregistered device may not have the ownership information required for the filter to make the intended decision.
For this reason, a policy design based only on the “personal” ownership field may leave gaps.
A stronger approach is normally to:
- Require an Intune-compliant device
- Control which devices are allowed to enrol
- Correctly identify company-owned devices
- Test how unknown and unregistered devices are handled
- Review the actual Conditional Access sign-in results
Conditional Access policies should be designed around the result the business wants rather than relying on a single device attribute.
What is a compliant device?
A compliant device is one that meets the security requirements defined by the business in Microsoft Intune.
The exact requirements can be different for Windows, macOS, Android, iPhone and iPad devices.
A compliance policy may check whether:
- The operating system is up to date
- The device has a suitable password or PIN
- Storage encryption is enabled
- Antivirus protection is active
- The firewall is enabled
- The device has not been rooted or jailbroken
- The device is below a defined threat level
- The operating system is still supported
- The device is actively reporting to Intune
Microsoft Entra Conditional Access can use the compliance result to ensure only devices that meet the organisation’s Intune policies are permitted to access email and other company resources.
This provides more protection than simply asking whether the device belongs to the company.
A company laptop that has not installed updates for several months should not necessarily receive the same access as one that is fully protected.
Does access need to be completely blocked?
Not every business needs to block all personal-device access.
There are three main approaches.
1. Completely block access
Employees can access Microsoft 365 only from approved, managed and compliant company devices.
This provides the greatest level of control.
It may be appropriate for businesses handling:
- Financial information
- Medical information
- Legal documents
- Sensitive customer records
- Intellectual property
- Government information
- Regulated data
The disadvantage is reduced flexibility.
Employees may not be able to check their email from a personal phone or open an urgent document from a home computer.
2. Allow limited browser access
A business may allow employees to view certain information in a web browser while preventing them from downloading, printing or synchronising files.
Microsoft supports application-enforced restrictions for unmanaged devices. These controls can be combined with Conditional Access to provide limited browser access rather than unrestricted use of SharePoint and OneDrive.
This may provide a useful compromise.
An employee might be able to read a document or check information from a personal computer without being permitted to download the file onto that device.
The available restrictions depend on the Microsoft service and the way the policy has been configured.
3. Allow protected mobile applications
The business may allow employees to access company information from personal phones but only through approved applications protected by Microsoft Intune.
For example, an employee might be allowed to use Microsoft Outlook and Teams on a personal phone while company information remains protected inside those applications.
Intune app protection policies can control how company data is accessed and moved within managed applications, including on employee-owned devices that are not fully enrolled in Intune.
This is often known as mobile application management without enrolment.
It provides control over company information without giving the business full management of the employee’s personal device.
What can an app protection policy control?
An app protection policy can place restrictions around company information inside supported mobile applications.
Depending on the device and application, the business may be able to:
- Require a separate application PIN
- Require biometric authentication
- Encrypt company application data
- Prevent copying information into personal applications
- Prevent company files from being saved to personal storage
- Restrict printing
- Block access on rooted or jailbroken devices
- Remove company data without wiping personal information
- Require a minimum operating-system version
- Block access when the device presents an unacceptable threat level
Conditional Access can require a supported Intune app protection policy before allowing access to selected business applications.
This can be useful where employees are expected to use personal phones but the business does not want to manage their photos, personal applications or other private information.
Can employees still use Outlook and Teams on personal phones?
That depends on the policy chosen by the business.
A strict policy could block Outlook, Teams and all Microsoft 365 access on personal mobile devices.
A more flexible policy could permit access only when:
- The employee uses an approved application
- An Intune app protection policy is applied
- The application requires a secure PIN
- Company information cannot be copied into personal applications
- The device is not rooted or jailbroken
- The operating system meets the required standard
- Microsoft supports app-based Conditional Access for both Intune-enrolled devices and employee-owned devices that are not fully enrolled.
The correct option depends on the sensitivity of the information and how employees need to work.
Can you block downloads but still allow web access?
For SharePoint and OneDrive, businesses can choose to block unmanaged devices completely or provide limited, web-only access.
Limited access can prevent or restrict activities such as downloading, printing and synchronising files to an unmanaged computer.
Microsoft confirms that controlling access from unmanaged devices in SharePoint relies on Microsoft Entra Conditional Access policies.
This can be useful for employees, contractors or temporary workers who occasionally need to view information but should not be able to keep a copy on their device.
However, limited access is not identical to using a managed company computer.
Information displayed on a screen may still be photographed, manually copied or recreated.
Access restrictions reduce risk, but they do not remove the need to trust authorised users and apply appropriate permissions.
What happens when an employee tries to sign in?
When a user attempts to access Microsoft 365, Microsoft Entra evaluates the relevant Conditional Access policies.
The outcome may be:
Access granted
The device meets the required security conditions.
Additional action required
The employee may be asked to:
- Complete multifactor authentication
- Enrol the device
- Use an approved application
- Accept company terms
- Update the operating system
- Correct a compliance problem
Access blocked
The device or application does not satisfy the policy.
The employee may see a message explaining that access has been blocked by the organisation or that the device needs to be managed.
Support staff can review the Microsoft Entra sign-in logs to identify which policy was applied and why access was refused.
What are the business benefits?
Blocking or restricting access from personal devices can help a business:
- Keep company information on approved equipment
- Reduce downloads to unknown computers
- Enforce security updates and encryption
- Confirm antivirus protection is active
- Remove company data from managed devices
- Control access when employees leave
- Reduce the risk created by shared home computers
- Apply consistent security policies
- Improve visibility of devices accessing Microsoft 365
- Support compliance and data-protection requirements
It also changes the security decision from:
> Does the employee know the correct password?
to:
> Is the employee properly authenticated, and are they using a device we trust?
This is an important principle of Zero Trust security.
Are there any disadvantages?
Blocking personal-device access can create operational difficulties if it is introduced without planning.
Possible issues include:
- Employees being unable to work from home
- Senior employees losing mobile access
- Contractors being blocked
- Users being unable to complete urgent work
- Older company devices failing compliance checks
- Employees attempting insecure workarounds
- Increased IT support requests
- Applications behaving differently across platformBusiness processes depending on personal devices
Employees may respond to restrictions by forwarding documents to personal email accounts, taking photographs of screens or using unapproved cloud applications.
The policy should therefore be supported by suitable company equipment and clear communication.
If employees are expected to work remotely, the business should provide a secure and practical way for them to do so.
What about contractors and temporary employees?
Contractors may need access to specific information without receiving a fully managed company computer.
Possible approaches include:
Providing a company-managed device
Allowing limited browser-only access
Providing access through a secure virtual desktop
Applying app protection to supported mobile applications
Restricting access to specific SharePoint sites
Giving access only for the length of the contract
Using separate Conditional Access policies for contractors
Preventing downloads onto unmanaged devices
The correct solution depends on what the contractor needs to access.
A contractor who only needs to view a small number of documents may not require the same access as an employee working with company information every day.
What happens to existing personal-device sessions?
Turning on a Conditional Access policy does not always mean that every existing application session will disappear at exactly the same moment.
Microsoft 365 uses authentication tokens and sessions that may remain valid for a period of time.
A business introducing stricter access controls should review:
- Existing mobile application access
- Browser sessions
- Registered personal devices
- Intune-enrolled personal devices
- Authentication-token behaviour
- Session controls
- Existing application passwords or legacy authentication
- Devices that have stopped reporting
In some cases, existing sessions may need to be revoked as part of the change.
This is another reason to monitor the rollout rather than assuming that creating the policy has immediately removed every form of personal-device access.
How should Conditional Access be introduced?
Conditional Access policies can have a significant effect.
A mistake could block every employee—or even every administrator—from Microsoft 365.
Microsoft provides a **report-only** mode that allows administrators to evaluate how most Conditional Access policies would affect sign-ins before the policies begin enforcing restrictions.
A sensible rollout could include:
1. Review current access
Identify:
* Which devices employees currently use
* How many personal devices are registered
* Which employees work remotely
* Whether personal mobile access is genuinely required
* Which applications contain sensitive information
* Which company devices are not enrolled in Intune
2. Decide the intended policy
The business should decide whether it wants to:
* Block personal devices completely
* Require managed and compliant devices
* Allow limited browser access
* Allow protected mobile applications
* Create different policies for different employee groups
3. Enrol company devices
Approved company computers and mobile devices should be properly enrolled in Intune and correctly identified as corporate devices.
4. Create compliance policies
Define the security requirements that devices must meet.
5. Control personal enrolment
If personal devices must not gain access, configure Intune enrolment restrictions so employees cannot enrol them as though they were company-approved equipment.
6. Configure Conditional Access in report-only mode
Review the predicted policy outcomes before enforcement.
7. Create a test group
Begin with selected employees and devices rather than applying the policy to everybody immediately.
8. Review sign-in logs
Look for unexpected blocks, unsupported applications and devices that are incorrectly identified.
9. Communicate with employees
Explain:
* Why the policy is being introduced
* Which devices will be affected
* What employees need to do
* How remote working will continue
* Who to contact when access is blocked
10. Enable the policy in stages
Expand the policy once testing confirms that approved users and devices can continue working.
Protect emergency administrator access
Every organisation using Conditional Access should maintain carefully protected emergency access accounts.
These accounts are designed to regain administrative access if a policy mistake or authentication failure locks out the normal administrators.
Microsoft recommends excluding emergency access accounts from Conditional Access policies that block or restrict sign-ins. Otherwise, an emergency account could be made unusable during the exact incident in which it is required.
Emergency accounts should be:
- Cloud-only
- Used only for emergencies
- Protected with strong authentication
- Monitored for any sign-in
- Stored securely
- Regularly tested
- Excluded carefully from blocking policies
This does not mean ordinary administrator accounts should be excluded.
Administrators should normally be subject to strong security requirements, but the organisation must retain a controlled recovery route.
Is Conditional Access included with Microsoft 365?
Conditional Access requires Microsoft Entra ID P1 or a qualifying licence that includes it.
Microsoft confirms that Conditional Access requires Entra ID P1 and that Microsoft 365 Business Premium customers can use Conditional Access features.
Microsoft 365 Business Premium also provides security and device-management capabilities through services including Microsoft Intune.
Business Basic and Business Standard do not provide the same complete device-management and Conditional Access package.
Licensing should be checked across all users affected by the policies. It is not sufficient to assume that purchasing one licence provides compliant usage rights for the entire organisation.
Is blocking personal devices right for every business?
Not necessarily.
Complete blocking may be appropriate when:
- The business handles highly confidential information
- Employees are provided with company devices
- Regulatory requirements demand strong controls
- There is little legitimate need for personal-device access
- The business needs strict control over downloads
- Employees regularly handle customer or financial records
A more flexible approach may be appropriate when:
- Employees frequently use personal mobile phones
- The business operates a bring-your-own-device policy
- Contractors require temporary access
- Company equipment cannot be provided to every worker
- Limited web access is sufficient
- Mobile application protection can control the relevant information
The decision should be based on risk and working requirements.
The goal is not to introduce the strictest possible policy regardless of disruption.
The goal is to ensure that employees can work without giving unknown and insecure devices unrestricted access to business information.
How can Hamilton Group help?
At Hamilton Group, we can help your business control how employees access Microsoft 365 from company and personal devices.
We can assist with:
- Microsoft Conditional Access
- Microsoft Entra ID
- Microsoft Intune deployment
- Company-device enrolment
- Device compliance policies
- Personal-device restrictions
- Mobile application protection
- SharePoint and OneDrive access controls
- Microsoft 365 security reviews
- Multifactor authentication
- Employee onboarding and offboarding
- Remote-working security
- Microsoft 365 licensing reviews
- Conditional Access monitoring
- Emergency administrator accounts
We can review which devices currently have access, identify personal or unmanaged equipment and recommend a policy that reflects how your employees actually work.
This could mean completely blocking personal devices, allowing limited browser access or protecting company information inside approved mobile applications.
Microsoft 365 gives employees the ability to work from almost anywhere.
Conditional Access helps make sure they are doing so from the right devices and under the right security conditions.
Contact Hamilton Group to discuss how Conditional Access and Microsoft Intune can help protect your business information.
Call us on 0330 043 0069 or book an appointment with one of our experts.