To restrict access to Office 365 so that only managed Windows 10 devices can access it, create an application-specific access policy rule configured with Windows 10 Enrollment device type. This will allow unmanaged devices to enroll and become managed.

You create or update a second access policy rule that uses Windows 10 as a device type. The rule is configured to authenticate using the Certificate (Cloud Deployment) method with no fallback configured. When users try to access Office 365, if the device is unmanaged, the Office 365 app launch fails, and the Windows 10 Enrollment rule is applied to enroll and manage the device. Uses trying to access Office 365 with a managed device are authenticated based on the second access policy rule.


  • Office 365 configured with the primary identity provider. The primary identity provider can be Workspace ONE Access, Okta, or ADFS. Workspace ONE Access must be configured as the secondary identity provider when Okta or ADFS is the primary identity provider.
  • Device enrollment is managed through the Windows 10 Out-of-Box experience (OOBE) or when joining the Azure Active Directory domain.
  • Authentication methods configured and enabled for the identity provider.
  • Office 365 app added to the Hub catalog.


  1. In the Workspace ONE Access console Resources > Policies page, click Add Policy.
  2. Add a policy name and description in the respective text boxes.
  3. In the Applies To section, select the applications that require restricted access.
  4. Click Next.
  5. Click Add Policy Rule to add a rule.
    Option Description
    If a user's network range is Select a network range.
    and user accessing content from Select Windows 10 Enrollment as the device type.
    and user belongs to groups If this access rule is going to apply to specific groups, search for the groups in the search box.

    If no group is selected, the access policy rule applies to all users.

    Then perform this action Select Authenticate using....
    then the user may authenticate using Select the authentication method to use.
    Important: Do not use Certificate (Cloud Deployment). Devices do not have the proper certificate before the device is enrolled.

    To require users to authenticate through two authentication methods, click + and in the drop-down menu select a second authentication method.

    If the preceding method fails or is not applicable, then Configure a fallback authentication method, if necessary.
    Re-authenticate after Select the length of the session, after which users must authenticate again.
  6. Click Save.

What to do next

You can now update the access policy configured for Windows 10 device type. The authentication method selected continues to be Certificate (Cloud deployment) but remove any fallback authentication methods that were configured.