Lock Microsoft 365 access to an approved PC or phone by using Microsoft Entra ID Premium P1 only. No device enrolment, no Intune MDM.
Why you might do this
- Consultants need e-mail on one corporate laptop but never on personal machines
- Small businesses on Business Standard want device restrictions without paying for full Intune
- Pilot step before rolling out full MDM
What you need
| Item | Why | 
|---|---|
| Microsoft Entra ID Premium P1 | Enables Conditional Access (CA) and device filters | 
| Device Registration Service (DRS) | Lets Windows and mobile devices create an AzureADRegistered object | 
| One sign-in from each approved device | Generates the device record | 
(Everything below is licence-compliant as long as each user governed by the CA policy holds an Entra ID P1 licence.)
Step 1 Enable Device Registration
- Entra Admin Center → Devices → Device settings
- Set Users may register their devices with Azure AD = All
This switch costs nothing and is not Intune enrolment; it simply allows Workplace-Join.
Step 2 Register the Windows PCs
Settings ▶ Accounts ▶ Access work or school ▶ Connect
→ "Join this device to Azure AD"
—or— push Hybrid Azure AD join via GPO.
Result: device shows as AzureAD (cloud) or HybridAzureAD in Entra.
Step 3 Register an Android / iOS phone (optional)
- Install Microsoft Authenticator.
- Add the work account.
- Authenticator → Settings → Device registration → Register device
This one tap adds an AzureADRegistered object; no MDM, no Company Portal enrolment.

Step 4 Build a “Whitelist”
Option A – Security group
Entra ID → Groups → New group → Security
Add each approved device object.
Option B – Device Filter
```
(device.deviceId -in ["fd3d-...","a9b7-..."]) and (device.trustType -ne "Workplace")
```
The `and (...)` clause is optional: it excludes Entra-registered (Workplace-joined) devices, which the filter-rule syntax identifies by the trustType value "Workplace" (joined devices are "AzureAD", hybrid-joined devices "ServerAD").
Step 5 Create the Conditional Access Policy
| Blade | Setting | 
|---|---|
| Users | All (exclude break-glass admins) | 
| Cloud apps | Office 365 (or SharePoint, Exchange) | 
| Conditions → Device platforms | Windows (plus iOS/Android if you added phones) | 
| Conditions → Filter for devices | Include the whitelist group (Option A) or the device filter rule (Option B) | 
| Grant | Grant access: Require device to be Azure AD or Hybrid Azure AD joined | 
The CA wizard lives at Entra Admin Center → Conditional Access.
When you open the policy later the overview tile looks like the screenshot above.

Step 6 Verify
- Wait ~10 minutes after registration.
- Entra ID → Devices → All devices — confirm the join-type and device ID.
- From the approved PC, sign in to Outlook Web; it should succeed.
- From an unregistered machine (or incognito VM) the same sign-in is blocked with AADSTS50105.
Troubleshooting tips
| Issue | Fix | 
|---|---|
| Phone never appears | Open Authenticator → Register device manually; ensure DRS is enabled; check user hasn’t exceeded device quota. | 
| CA blocks everyone | Temporarily set policy to Report-only; check sign-in logs for DeviceId field. | 
| macOS/Linux needed | Not possible without MDM; route those users through Windows 365 / Azure Virtual Desktop instead. | 
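The two pieces of the procedure that are easy to get wrong are the Option B filter rule in Step 4 and reading the sign-in logs in Step 6 / the "CA blocks everyone" tip. The following is an added example, not part of the original guide: it renders the filter rule from an allow-list and classifies exported sign-in records against that list. It assumes records in the Microsoft Graph signIn shape (deviceDetail.deviceId, conditionalAccessStatus, status.errorCode); the records and the device IDs are constructed placeholders, and the trustType value "Workplace" is the filter-rule syntax's name for Entra-registered devices.

```python
import json

# Constructed sample records in the Microsoft Graph signIn shape (not real log data).
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@contoso.example", "conditionalAccessStatus": "success",
  "status": {"errorCode": 0},
  "deviceDetail": {"deviceId": "11111111-1111-1111-1111-111111111111", "trustType": "Azure AD joined"}},
 {"userPrincipalName": "bob@contoso.example", "conditionalAccessStatus": "failure",
  "status": {"errorCode": 50105}, "deviceDetail": {"deviceId": "", "trustType": ""}},
 {"userPrincipalName": "carol@contoso.example", "conditionalAccessStatus": "notApplied",
  "status": {"errorCode": 0},
  "deviceDetail": {"deviceId": "99999999-9999-9999-9999-999999999999", "trustType": "Azure AD registered"}}
]""")
# Constructed placeholder IDs standing in for the approved devices' real device IDs.
APPROVED_DEVICE_IDS = {"11111111-1111-1111-1111-111111111111",
                       "22222222-2222-2222-2222-222222222222"}

def build_device_filter_rule(approved_ids, exclude_registered=False):
    """Render the Step 4 Option B 'Filter for devices' rule from the allow-list.
    In the rule syntax, Entra-registered (Workplace-joined) devices are trustType "Workplace"."""
    quoted = ",".join(f'"{d}"' for d in sorted(approved_ids))
    rule = f"(device.deviceId -in [{quoted}])"
    if exclude_registered:
        rule += ' and (device.trustType -ne "Workplace")'
    return rule

def audit_signins(records, approved_ids):
    """Classify each sign-in against the allow-list (Step 6 / Report-only review).
    ok: approved device admitted; blocked_unapproved: policy did its job;
    blocked_approved: policy too strict; policy_gap: an unapproved or unregistered
    device was NOT failed by Conditional Access and needs attention."""
    findings = []
    for rec in records:
        dev = rec.get("deviceDetail") or {}
        device_id = dev.get("deviceId") or ""          # empty = unregistered device
        blocked = rec.get("conditionalAccessStatus") == "failure"
        if device_id in approved_ids:
            verdict = "blocked_approved" if blocked else "ok"
        else:
            verdict = "blocked_unapproved" if blocked else "policy_gap"
        findings.append({"user": rec.get("userPrincipalName"), "verdict": verdict,
                         "deviceId": device_id or "<unregistered>",
                         "errorCode": (rec.get("status") or {}).get("errorCode")})
    return findings

if __name__ == "__main__":
    print(build_device_filter_rule(APPROVED_DEVICE_IDS, exclude_registered=True))
    for f in audit_signins(SAMPLE_SIGNINS, APPROVED_DEVICE_IDS):
        print(f"{f['verdict']:<18} {f['user']:<22} {f['deviceId']} (code {f['errorCode']})")
```

Run it against a JSON export of the sign-in logs while the policy is still in Report-only mode: any `policy_gap` row is a device the finished policy would let through, and any `blocked_approved` row is a device that will be locked out once you enforce it.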