TalhaAhmed-8531 asked LuDaiMSFT-0289 commented

Conditional access policies to protect company data with computers enrolled using a DEM account?

The client was using a DEM account to enroll the devices into Intune, and now we need to apply conditional access policies to protect company data. I checked the article, which lists the limitation below for DEM accounts.

• DEM accounts do not support conditional access because conditional access is intended for per-user scenarios.

We are looking for a way out without removing or re-enrolling all devices. Can we just change the primary user on those PCs from the DEM account to a standard user, and conditional access will work? At the moment the computer in Intune shows both "Enrolled by" and "Primary user" as the DEM user's email.



Regards,


1 Answer

LuDaiMSFT-0289 answered LuDaiMSFT-0289 commented

@TalhaAhmed-8531 Thanks for posting in our Q&A.

If you want to deploy conditional access policies to Windows devices, it is suggested that you change the primary user.
https://docs.microsoft.com/en-us/mem/intune/remote-actions/find-primary-user#change-a-devices-primary-user
Change the DEM user to a normal user; the normal user needs to have an Azure Active Directory Premium license.

Please deploy the conditional access policies to this normal user, and use the normal user account to access the resources protected by the conditional access policies.


If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



Hi,
while reading my question again, I realized that it was not clearly written, so I made some changes for clarification.

So just to clarify, you are saying that even though the device has been enrolled in Intune using the DEM user, changing the primary user on the device from DEM to a standard user (with Intune licenses) will allow me to implement conditional access on that device?
I think I can change the primary user on an Intune-enrolled device from the portal itself, correct?


@TalhaAhmed-8531 Yes. You can change the primary user on the device from DEM to a standard user in the Intune portal. Then you can deploy the conditional access policy to the standard user. Please understand that the conditional access policy needs to be deployed at user scope.


Got it, and thanks for the clarification on the user-scope policy part.
Does that mean that even if I leave the DEM user as the primary user on that machine, any Intune-licensed user with policies assigned to them who signs in to the enrolled device will see the policies applied, or do I first have to switch the primary user on the device?

thanks

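The procedure in the answer (find the devices whose primary user is still the DEM account, switch the primary user to a licensed user, then target that user with conditional access) can also be carried out from Microsoft Graph instead of clicking through the portal, which matters when many devices were enrolled this way. The PowerShell script below is an added example, not code from this thread or from Microsoft. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in admin holds the DeviceManagementManagedDevices.ReadWrite.All and User.Read.All scopes, that the beta `managedDevices/{id}/users/$ref` relationship is the primary-user setter and that filtering managedDevices on `userPrincipalName` is accepted, and that the two UPNs are placeholders. It previews by default and changes nothing until `$applyChanges` is set.

```powershell
# Added example (not from the thread): move the primary user of DEM-enrolled devices
# to a licensed user via Microsoft Graph. Assumptions not stated on the page:
# Microsoft.Graph SDK installed; beta managedDevices/{id}/users/$ref sets the primary
# user; the two UPNs are placeholders for this tenant.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.ReadWrite.All', 'User.Read.All'

$demUpn       = 'dem-enroll@contoso.example'   # placeholder: DEM account used to enroll
$newUpn       = 'alice@contoso.example'        # placeholder: licensed user of the device
$applyChanges = $false                         # preview only until set to $true

# Resolve the target user's object id once; the $ref body needs the id, not the UPN.
$newUser = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/users/${newUpn}?`$select=id,userPrincipalName"

# Enumerate managed devices whose device UPN is still the DEM account, following
# @odata.nextLink so tenants with more than one page of devices are covered.
$uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices" +
       "?`$filter=userPrincipalName eq '$demUpn'" +
       "&`$select=id,deviceName,userPrincipalName,enrolledDateTime"
$candidates = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $candidates += $page.value
    $uri = $page.'@odata.nextLink'
} while ($uri)

Write-Host "Found $($candidates.Count) device(s) with device UPN $demUpn"

foreach ($device in $candidates) {
    $deviceUri = "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$($device.id)"

    # Confirm the current primary user through the users relationship rather than
    # trusting the filter alone; a device with no primary user returns an empty list.
    $current    = (Invoke-MgGraphRequest -Method GET -Uri "$deviceUri/users").value
    $currentUpn = if ($current.Count -gt 0) { $current[0].userPrincipalName } else { '<none>' }
    if ($currentUpn -ne $demUpn) {
        Write-Host "Skipping $($device.deviceName): primary user is $currentUpn"
        continue
    }

    if (-not $applyChanges) {
        Write-Host "[preview] $($device.deviceName): would set primary user to $($newUser.userPrincipalName)"
        continue
    }

    # Set the primary user. "Enrolled by" stays the DEM account; only the primary user changes.
    $body = @{ '@odata.id' = "https://graph.microsoft.com/beta/users/$($newUser.id)" } | ConvertTo-Json
    Invoke-MgGraphRequest -Method POST -Uri "$deviceUri/users/`$ref" -Body $body -ContentType 'application/json'

    # Re-read the relationship to verify the change before moving to the next device.
    $after = (Invoke-MgGraphRequest -Method GET -Uri "$deviceUri/users").value
    Write-Host "$($device.deviceName): primary user is now $($after[0].userPrincipalName)"
}
```

Run it once in preview mode and check that the listed devices are the ones you expect before setting `$applyChanges` to `$true`; the conditional access policy itself is still assigned to the user (or a group containing the user) in the Azure AD portal, as the answer describes, and that user must hold the Azure AD Premium license the answer mentions.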