How to setup MFA on Unmanaged Devices Only

Learn how to set up MFA for unmanaged devices in Microsoft 365 using Conditional Access—protect sensitive data while keeping login experiences smooth for trusted devices.
Table of contents
Why Use MFA Only for Unmanaged Devices?
Prerequisites
Step-by-Step Setup
How to Verify the Impact of “MFA for Unmanaged Devices” Policy
Best Practices for MFA on Unmanaged Devices
Conclusion
FAQs

Multi-Factor Authentication (MFA) is like adding an extra lock to your front door – even if someone steals your key (password), they still can’t get in without a second proof, like a code on your phone.

But here’s the thing – not every device needs the same level of interruption.

In Microsoft 365 and Entra ID (formerly Azure AD), you can set up MFA on unmanaged devices (personal devices or ones not controlled by your IT team) without making life harder for staff on company-managed computers.

This setup, often called Multi-Factor Authentication for unmanaged devices or BYOD MFA policy, is perfect for:

  • Protecting your data from risky logins
  • Avoiding extra MFA prompts on trusted, compliant devices
  • Enforcing stronger security on personal laptops, phones, or tablets that don’t follow company policies

With Conditional Access, you can require MFA for unmanaged personal devices, exclude managed devices from MFA prompts, and even fine-tune rules for BYOD setups.

This guide will show you how to configure Conditional Access MFA for unmanaged devices step-by-step, so you get the best MFA solution for BYOD setups without slowing down your team.

Why Use MFA Only for Unmanaged Devices?

Personal or BYOD (Bring Your Own Device) devices can be less safe because they may not have your company’s security settings.

Using Multi-Factor Authentication (MFA) only on these unmanaged devices adds extra protection without slowing things down on trusted work devices.

It also helps avoid MFA fatigue, which happens when people get too many login prompts and start ignoring them.

With conditional access, company devices skip extra steps, but personal devices get an extra check.

This approach also helps meet rules like ISO, GDPR, and HIPAA, which need stronger security for untrusted devices. It’s a key part of a broader strategy to optimize your Microsoft 365 security posture without overwhelming users.

Prerequisites

Before you start, make sure you have:

  • Microsoft Entra ID Premium P1 license – Needed for Conditional Access. This comes with Microsoft 365 E3/E5 or can be bought separately.
  • Device management set up – Most companies use Microsoft Intune to mark work devices as compliant. This helps tell the difference between managed and unmanaged devices. If you're working on improving identity security, these top configurations to boost your secure score are a great next step.
  • MFA method ready for users – Each user should have at least one MFA option set up, like the Microsoft Authenticator app, text message, or phone call.

Once these are in place, you can set up the rule to require MFA only on unmanaged devices.

Step-by-Step Setup

Follow these steps to set MFA only for unmanaged devices:
  1. Open the Microsoft Entra admin center (entra.microsoft.com).
  2. In the left-hand menu, navigate to Entra ID > Conditional Access.
Microsoft Entra admin center showing Conditional Access policy with
  3. Click + Create new policy and give it a meaningful name.
Naming a Conditional Access policy in Microsoft Entra admin center.
  4. In the Include section, assign it to the users or groups you want.
Conditional Access settings page showing the
  5. Always exclude break-glass accounts — these are emergency access accounts or groups used to prevent lockout during policy failures.
Conditional Access settings page showing the
  6. Choose whether it applies to all apps or just certain ones.
Conditional Access screen for selecting target resources such as Office 365 apps or “All Cloud Apps.”

If you're also looking to restrict access based on location, you can configure policies to block specific IPs as part of your Conditional Access setup.

  7. In Conditions, select Device platforms and include all the required platforms.
Conditional Access “Conditions” page highlighting device platform selection to include or exclude platforms.
  8. Within the Conditions section, select Filter for devices.
Conditional Access policy showing the “Filter for devices” option to include or exclude specific devices.
  9. Set Configure to Yes, choose the option Exclude filtered devices from policy, and add the rule isCompliant equals True. This makes sure MFA only triggers on devices that aren’t marked as compliant.
Conditional Access “Filter for devices” dialog showing excluded devices where isCompliant is set to True (unmanaged).
  10. Within the Conditions section, select Client apps, set Configure to Yes, and choose the client app types to which the policy will apply.
Conditional Access “Client apps” section for configuring client apps the policy will apply to.
  11. Under Access controls, select Grant and choose Require multifactor authentication.
Conditional Access “Grant” controls page with “Require multifactor authentication” enabled.
  12. After configuring, first enable the policy in Report-only mode to test it, then switch it to On to enforce it for tenant members.
Applying the Conditional Access policy to all users

That’s it — your MFA rule will now only apply when someone signs in from an unmanaged device.
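The same policy can be created from Microsoft Graph PowerShell, which makes it easy to keep the definition in source control and apply it to several tenants. This is an added example, not from the original post; the two group object IDs are placeholders you must replace with your own, and it assumes the Microsoft.Graph modules are installed.

```powershell
# Added example: build the "MFA for Unmanaged Devices" policy with Microsoft Graph
# PowerShell. Group IDs are placeholders (assumption) - replace with your own.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$targetGroupId     = "00000000-0000-0000-0000-000000000001"   # placeholder: users/pilot group
$breakGlassGroupId = "00000000-0000-0000-0000-000000000002"   # placeholder: emergency access group

$policy = @{
    displayName = "MFA for Unmanaged Devices"
    # Start in report-only mode; change to "enabled" once the sign-in logs look right.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($targetGroupId)
            excludeGroups = @($breakGlassGroupId)   # never lock out break-glass accounts
        }
        applications   = @{ includeApplications = @("All") }
        platforms      = @{ includePlatforms = @("all") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
        devices = @{
            deviceFilter = @{
                # Exclude compliant devices so only unmanaged ones are subject to the policy.
                mode = "exclude"
                rule = 'device.isCompliant -eq True'
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Review the new policy in the portal before switching its state to On; the filter rule text matches what the “Filter for devices” rule builder generates.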

How to Verify the Impact of “MFA for Unmanaged Devices” Policy

To confirm whether your Conditional Access policy – MFA for Unmanaged Devices – is functioning as intended, the most effective method is to review the Sign-in Logs available in Microsoft Entra under the Monitoring section.

Steps to Check Policy Application:

  1. Navigate to Sign-in Logs
    Go to Microsoft Entra Admin Center → Monitoring → Sign-in Logs.
  2. Review Sign-in Events
    Here, you'll find a list of all user sign-in attempts. Each entry includes details such as the user, device, location, and time of access.
  3. Inspect Specific Sign-in Details
    Click on a specific sign-in event to open its detailed view.
  4. Go to the Conditional Access Tab
    This section shows all Conditional Access policies evaluated during the sign-in and whether each policy was applied, not applied, or report-only.
  5. Verify Your Policy
    Look for the "MFA for Unmanaged Devices" policy in the list. You’ll be able to see whether it was triggered, the outcome and any reasons it may not have applied (e.g., device not matching filter criteria).
Sign-in logs in Microsoft Entra ID
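Clicking through sign-ins one by one does not scale, so here is an added example (not from the original post) that pulls the last day of sign-ins through Microsoft Graph PowerShell and lists, for each, whether the device was compliant and what the “MFA for Unmanaged Devices” policy did. It assumes the Microsoft.Graph modules are installed and that the policy uses that exact display name.

```powershell
# Added example: verify the policy outcome across many sign-ins at once.
# Assumes the policy display name below matches the one you created.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$policyName = "MFA for Unmanaged Devices"
$since      = (Get-Date).AddDays(-1).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -Top 200

$report = foreach ($s in $signIns) {
    $applied = $s.AppliedConditionalAccessPolicies | Where-Object { $_.DisplayName -eq $policyName }
    [pscustomobject]@{
        When         = $s.CreatedDateTime
        User         = $s.UserPrincipalName
        App          = $s.AppDisplayName
        IsCompliant  = $s.DeviceDetail.IsCompliant
        IsManaged    = $s.DeviceDetail.IsManaged
        # Result is e.g. success, failure, notApplied, reportOnlySuccess,
        # reportOnlyFailure, reportOnlyNotApplied or reportOnlyInterrupted.
        PolicyResult = if ($applied) { $applied.Result } else { "notEvaluated" }
        MfaEnforced  = if ($applied) { $applied.EnforcedGrantControls -contains "Mfa" } else { $false }
    }
}

# Check 1: a compliant device should never have the policy applied to it.
"Compliant devices that still hit the policy (expect none):"
$report | Where-Object { $_.IsCompliant -eq $true -and $_.PolicyResult -in @("success", "reportOnlySuccess") } |
    Format-Table When, User, App, PolicyResult -AutoSize

# Check 2: unmanaged devices should show the policy applied (or report-only applied).
"Sign-ins from non-compliant devices:"
$report | Where-Object { $_.IsCompliant -ne $true } | Sort-Object When -Descending |
    Format-Table When, User, App, IsManaged, PolicyResult, MfaEnforced -AutoSize
```

A PolicyResult of notApplied on a compliant device is the expected outcome of the “Exclude filtered devices” rule, not a failure.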

Best Practices for MFA on Unmanaged Devices

To keep your MFA setup working well:

  • Test first – Try the policy with a small group before using it for everyone.
  • Teach your users – Show them how MFA works and what to do if they get an unexpected prompt.
  • Check sign-in logs – Look for strange sign-in attempts in the Microsoft Entra admin center. Pairing this with session timeout policies can help reduce risks from unattended or idle sessions.
  • Update rules when needed – Make sure your device compliance and MFA settings stay up to date. You can also prevent sensitive file downloads on mobile to further protect data on unmanaged devices.

Pro Tip: Use sign-in logs in the Microsoft Entra admin center to track when MFA was triggered. This helps you spot any unusual sign-in attempts from unmanaged devices early.

Conclusion

Setting up MFA only for unmanaged devices is a smart move. It keeps your company’s data safe while making sure employees on trusted work devices aren’t slowed down every day.

By combining Conditional Access with device compliance, you get the best of both worlds – strong security and a smooth user experience.

Need help? Our Microsoft 365 experts can guide you step-by-step, review your current setup, and make sure your security is rock solid without frustrating your team.
Contact us today to get started.

FAQs

  1. What is an unmanaged device in Microsoft 365?
    An unmanaged device is any computer, phone, or tablet not controlled by your company’s IT team. It doesn’t follow your organization’s security settings or device compliance rules.
  2. How do I ensure OneDrive sync is restricted for unmanaged devices?
    Use Conditional Access policies or SharePoint settings in the Microsoft 365 admin center to block OneDrive syncing on devices that aren’t marked as compliant or not joined to your company’s domain.
  3. What is the meaning of unmanaged device?
    It means a device that isn’t enrolled in your organization’s device management system, like Microsoft Intune, and doesn’t follow security policies.
  4. What is the difference between managed and unmanaged devices in Intune?
  • Managed devices are enrolled in Intune and follow your company’s security and compliance rules.
  • Unmanaged devices are not enrolled and don’t follow these rules, so they are riskier.
  5. What is the difference between managed and unmanaged Microsoft devices?
    “Managed” devices are controlled by IT with policies and security settings. “Unmanaged” devices are outside of IT control.
  6. How to disable MFA for one user in Microsoft 365?
    In Conditional Access, you remove that user from policies that require MFA.
  7. What is an unmanaged device in SharePoint?
    A device that accesses SharePoint but doesn’t meet your organization’s security or compliance requirements.
  8. How do I allow syncing only on computers joined to a specific domain?
    In SharePoint admin settings, enable “Allow syncing only on domain-joined computers” and add your domain details.
  9. How do I restrict OneDrive access to only users in specific security groups?
    Use Conditional Access to apply restrictions only to certain security groups.
  10. What is a Microsoft managed device?
    A device enrolled in Intune or another Microsoft management service, following company security policies.
  11. What is managed and unmanaged solution in Dynamics 365?
  • Managed solution – Locked and can’t be changed directly.
  • Unmanaged solution – Open for changes and customization.
  12. How do I get rid of “This device is managed by your organization” message?
    Unenroll the device from Intune or your company’s Mobile Device Management (MDM) system if it’s no longer used for work.
  13. How do I restrict access to my device in Office 365?
    Use Conditional Access policies to block or limit sign-ins based on device compliance, location, or app used.
  14. Can I set MFA for only some unmanaged devices?
    Yes. With Conditional Access MFA for unmanaged devices, you can apply policies to specific users, groups, or apps.
  15. Do I need Intune to set this up?
    Not always. Intune is the easiest way to mark devices as compliant, but other MDM tools integrated with Microsoft Entra ID can also work.
  16. Will MFA on unmanaged devices slow down login?
    It adds a quick extra step, but users with the Microsoft Authenticator app find it fast and simple.
  17. Can I use this policy without affecting mobile apps?
    Yes. You can set your Conditional Access policies to include or exclude mobile platforms.
  18. How do I know if the policy is working?
    Check Sign-in logs in the Microsoft Entra admin center to see when MFA was triggered and which devices caused it.
Jasjit Chopra

CEO at Penthara Technologies

About the Author

Jasjit Chopra is the CEO of Penthara Technologies and a Microsoft Most Valuable Professional (MVP) with over two decades of hands-on experience in Microsoft 365, SharePoint, and Security. He has led 100+ digital transformation projects across six countries, securing 50,000+ users, migrating 250+ TB of data, and automating processes that save organizations thousands of hours each year. A recognized leader at the crossroads of AI, security, and workplace modernization, Jasjit is passionate about simplifying complexity, mentoring technology professionals, and helping businesses build secure, intelligent, and future-ready digital environments.
