How to bundle a device with an Exchange Online mail ID, so that the mail ID can be accessed through the device only. We have Intune and the device is connected with Azure Entra ID.

MailAdmin haldia 1 Reputation point
2025-08-27T05:35:14.0566667+00:00

How to bundle a device with an Exchange Online mail ID, so that the mail ID can be accessed through the device only. We have Intune and the device is registered in Azure Entra ID.

Exchange Online
A Microsoft email and calendaring hosted service.

1 answer

  1. Kha-N 400 Reputation points Microsoft External Staff Moderator
    2025-08-27T08:15:47.33+00:00

    Hi @MailAdminHaldia,

    Welcome to Q&A!

    I understand you'd like to ensure that a specific mail ID (Exchange Online account) can only be accessed from one specific device, which is already connected to Azure Entra ID.

    To help you with your request, can you provide some additional information:

    • When you said you have Intune, did you mean that the device is enrolled in Intune?
      In the Intune Admin Portal, go to Devices > All Devices to check if the device appears there.
    • What type of device is it?
      Is it a Windows PC, macOS, or a mobile device like Android or iPhone?

    Assuming that your device is already enrolled in Intune, you can assign the Mail ID to that specific device and create a Conditional Access Policy so only that device can access that Mail ID.

    1. Assign the Mail ID to the Device

    • In Intune Admin portal: go to Devices > All Devices, select the device.
    • Go to Properties > Primary User and assign the mail ID (user account) to the device.
    • This links the user to the device for policy targeting.

    2. Create a Devices Group (Optional but Recommended)

    • Go to Groups > All Groups > + New Group.
    • Choose Security group, name it, and add the device as a member.
    • This helps organize and target policies more easily.

    3. Create a Compliance Policy

    • Go to Endpoint Security > Device Compliance.
    • Create a policy for the device type to ensure it's secure (e.g., password required, encryption enabled) and assign the device Group to this Policy.
    • This marks the device as compliant, which is required for Conditional Access.

    4. Set Up Conditional Access

    • Go to Microsoft Entra Admin Center > Conditional Access > + New Policy.
    • Assign the policy to the specific user (mail ID).
    • Target Exchange Online as the cloud app.
    • Under Conditions > Filter for Devices, set a filter using the device ID. (You can find it in Intune by going to Devices > All Devices, selecting your device > Hardware; the Intune Device ID is the Device ID.)
    • Under Grant, require the device to be marked as compliant.

    This setup ensures that only the assigned device, when compliant, can access the mail ID.

    Additionally, I found an article that provides a guide for your specific request; you can check it here.

    Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.

    Kindly let me know if this approach fits your request, or if you have any issues during the set up. I'm happy to assist further.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".  

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread. 
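One way to script the device restriction from step 4 with Microsoft Graph PowerShell, as an added example that is not part of the answer above. It assumes the restriction is expressed as a block policy whose device filter excludes the one allowed device; the user object ID, device ID and display name are placeholders.

```powershell
# Added example (not from the answer). Requires the Microsoft.Graph.Identity.SignIns module.
# Placeholders: replace with values from your own tenant.
$UserObjectId    = '<user-object-id>'   # Entra object ID of the account that owns the mailbox
$AllowedDeviceId = '<device-id>'        # device.deviceId is matched against the Microsoft Entra device ID

# Well-known application ID of Office 365 Exchange Online
$ExchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

$policy = @{
    displayName = 'EXO - block mailbox user except on allowed device'   # hypothetical name
    # Report-only: the policy is evaluated and logged but not enforced yet.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @($UserObjectId) }
        applications   = @{ includeApplications = @($ExchangeOnlineAppId) }
        clientAppTypes = @('all')
        devices        = @{
            deviceFilter = @{
                # Exclude mode: the block below applies to every device
                # (including unregistered ones) except the one matching the rule.
                mode = 'exclude'
                rule = "device.deviceId -eq `"$AllowedDeviceId`""
            }
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Review the report-only results in the Entra sign-in logs for this user before changing the policy state to `enabled`.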

