Woman talks via Teams to a colleague in her home, using her own device thanks to a secure BYOD policyIn light of current events, most organisations  – whether in the public or private sector – have needed to rapidly adopt or expand home working. For some organisations, this has required the use of employee’s personal devices (bring your own device/BYOD policy).

In order to manage the risks associated with BYOD, we worked with the Cabinet Office and NCSC to produce guidance on how you can use Microsoft technologies to mitigate the risks associated with employee access to systems and services remotely through unmanaged devices.

Improve employee access

Specifically, we’re looking at how you can access Microsoft 365 services in a way that helps you meet your obligations and leverages its features and capabilities. This guidance doesn’t suggest a BYOD policy is a one and done job. It does, however, draw on the broad experience across the UK government industry and draws heavily on already existing best practice.

The controls described in this document intend to help you understand why the specific security controls are used. It also provides step-by-step configuration guidance which your IT team can use to quickly set up and manage your data on personal devices. This allows organisations to understand how the features and capabilities in Azure Active Directory, Microsoft Intune, and Microsoft 365 can be used.

Man working inside his home writing with digital pen, on his own device via a BYOD policy

These factors all come together to ensure employees can securely access their work while keeping your organisation’s data secure on personal devices. It helps employees stay productive and collaborate together securely, no matter what device they are using.

Good, better, best blueprint for your BYOD policy

To support this effort, we’ve created a blueprint. This blueprint has been developed to support the use of BYOD scenarios where organisations are not able to provide corporate laptops or mobile devices.

The technical controls that are described in this document have been grouped into three categories, good, better, and best. The rationale for the groupings is described below:


  • Forms the minimum level of configuration that all organisations should meet.
  • Available with Microsoft 365 E3 license.
  • Can be implemented using simple configuration tasks.
  • Browser-based access for PC and Mac.
  • Approved apps for mobile devices.
  • MFA and Restricted Session Controls in Exchange Online and SharePoint Online.


  • Forms the level that organisations should aspire to.
  • Available with Microsoft 365 Security and Compliance Package components or M365 E5.
  • Might require more complex configuration tasks.
  • More flexible and granular control of user policies, session controls using Microsoft Cloud app.
  • Lower residual risk than Good pattern.
  • Browser-based access for PC and Mac.
  • Approved apps for Mobile Devices.


  • Utilises Windows Virtual Desktop (WVD) to provide a solution that matches as closely as possible the same experience of working in the office on corporate IT, from any device.
  • With good management it significantly reduces the unmanaged surface by providing a virtualised corporate desktop for home workers, utilising their personal computing device.
  • Lowest risk approach compared to Good and Better patterns.

Good, better, best blueprint for BYOD policies

So which BYOD policy route is right for you?

The decision flow below aims to help you determine which of the patterns you should use. For example, if an organisation has Microsoft 365 Security and Compliance Pack (SCP) or M365 E5 licenses, then the control used in the Better solution will provide a lower residual risk and therefore should be used.

Blueprint to choose the best BYOD policy

Reduce your risk security posture with BYOD

Woman working in PowerPoint on an iPhone inside in her kitchen, securely with a BYOD policy.Having a strong BYOD policy improves barriers to work for your remote workforce. It also enables them to be able to connect, work, and meet together online no matter where they are, securely.

For your IT team, this guide provides thorough step-by-step instructions to set up BYOD controls while helping manage security. This means they can implement these controls across your digital estate quickly and remotely.

By using the guidance, you can enable your organisation to move to a lower risk security posture when utilising BYOD.

Find out more

Download the blueprint: BYOD Technical Guide

Watch the webinar: Security controls for remote work

Read more: 4 ways to protect your organisation and mitigate the threat of ransomware

About the authors

Stuart AstonStuart has been with Microsoft in the UK since 1998 and is the National Security Officer for Microsoft in the UK. Prior to that, he has worked as strategy consultant to a variety of UK Government customers, mostly within the defence arena, and run a number of Government Programs with the UK including the Government Security Program, the Security Co-Operation Program, and the Welsh Language Program. He still continues to run the UK GSP program today. Prior to joining Microsoft, Stuart worked as a consultant for ICL in their Power of 4 Consultancy, mostly focused in the defence and government spaces. Before ICL, he worked for Barclays Bank in a number of application development and IT infrastructure roles. He has been actively involved in computer security-related activities since the early 1980’s.


Nick LinesNick is passionate about transforming every person and organisation to be more productive and more secure in his role as Security Product Marketing Lead within the Microsoft modern workplace team. A geek at heart, he spends his spare time experimenting with lasers and 3D printers with his two sons, keeping old computers alive (particularly Commodores), and learning about mechanics to keep an ageing British sports car on the road.