Create policy differentiation between BYOD and CYOD devices, for both PC and mobile devices.
Many organizations would like to specify that certain applications can only be accessed via corporate-owned assets, but would still like to take advantage of BYOD scenarios for other applications. To that end, a differentiation of devices from BYOD and CYOD through to PCs would be great.
Also there should be a process to move devices between the two groups.
Pirmin Felber commented
Totally agree. I suggest a differentiation using the DeviceTrustType Property of AzureAD.
On-premises, we can do that by syncing that property back to AD and evaluating the DeviceTrustType in ADFS Conditional Access. But that requires ADFS 2016, Device-Writeback and Custom SynchRules.