BYOD, CUI, and Microsoft 365

Our own senior compliance engineer, Steven shares some insights on Conditional Access Policies as it pertains to Bring Your Own Device while working with Controlled Unclassified Information.

Steven Molter
May 17, 2023


Ahh! BYOD, or Bring Your Own Device; the ever-so-challenging piece of the NIST SP 800-171/CMMC puzzle. Don’t ya’ just love wrestling with all the implications of having BYOD in your environment? It’s what gets me out of bed in the morning... just kidding. BYOD security is one of those areas that every company must address in one way or another as they prepare for CMMC and the considerations related to CUI encryption, in NIST 800-171, (3.1.19, 3.13.11, 3.13.16), Mobile device connections (3.1.1, 3.1.18, 3.1.20), etc. In my experience, many individuals responsible for implementing security controls and policies to comply with CMMC struggle with BYOD and how to address it. I recognize that every company is different and has unique circumstances, however, that does not mean some global guidance can't provide contextual support in these endeavors. My goal here is to help companies consider how they are going to address BYOD by giving some hands-on perspective related to one very common use case.

The Scenario.

For many small businesses, the typical extent of BYOD device usage is the usage of Microsoft Teams and Outlook email through a company account. Individuals responsible for security and compliance are often concerned with the amount of data access unmanaged devices have (especially if CUI resides in their corporate Microsoft 365 tenant). On the other hand, those responsible for IT administration and a user-friendly environment don't want a data protection solution that is cumbersome for the employees who use those applications. Both perspectives are valid and there will always be give-and-take between a good security posture and end-user convenience. Additionally, when you throw compliance requirements into the mix (yes, you read that correctly; compliance is not always the same thing as security), it can really make it challenging to come to a consensus on which solution fits just right. Thankfully, in our mentioned use case, there is a solution that I believe can help ease the concerns of both IT team and CISOs alike: Conditional Access Policies and Intune MAM App Protection Policies.

Conditional Access Policies.

Conditional Access (CA) Policies are Microsoft Entra-level configurations that set the conditions by which a user (or device) can (or cannot) access resources housed in the tenant. Conditional Access is the mechanism by which, in this scenario, App Protection Policies (APP) are technically enforced which, in turn, requires data to be protected in an isolated, encrypted, and containerized form. APPs can be enforced with Conditional Access in Entra to ensure that users will not be able to access organizational data from applications on a personal device unless these protections are in place.

App Protection Policies.

App Protection Policies (APP) are application-level configurations that manipulate the way the configured managed applications on mobile devices interact with organizational data stored in the Microsoft 365/Entra AD Tenant (Commercial, GCC, or GCC High). APPs can be implemented to ensure that data being accessed on the personal/unmanaged device is kept in an encrypted, containerized instance within the app and isolated from the rest of the data residing on the device. Below is the diagram Microsoft provides to illustrate the APP concept which is directly relevant to many small businesses’ cloud-first/cloud-only use cases:

How hiring a team of Cyber Experts can help:

It is recommended that you implement these solutions in order to protect corporate data while also giving the end user the convenience of using their personal devices for work communications with the Outlook and Teams applications. Many of our clients have greatly benefited from this approach, but every organization has different internal requirements, budgets, and risk appetites. Protecting data in your Microsoft 365/Entra AD tenant is no different.

If your organization is struggling to get compliant with NIST’s stipulations around encryption, mobile device connections, or any other requirements, you could greatly benefit from seeking help from a Cyber Compliance Expert, or MSSP. IntelliGRC welcomes the opportunity to help you create a compliance roadmap that is tailored to your needs.

Steven Molter is a Sr. level Compliance Engineer at IntellGRC. In addition to supporting users in our GRC SaaS platform, Steven and our team of knowledgeable experts provide industry peers with numerous cybersecurity services. We are happy to provide free consultations and, pending an engagement, can do configurations and testing for you as well! Contact us today!