
How do you configure conditional access policies within Azure Active Directory to require multi-factor authentication (MFA) specifically when users access SharePoint Online from unmanaged devices?



To configure Conditional Access policies in Azure Active Directory (Azure AD) so that multi-factor authentication (MFA) is required specifically when users access SharePoint Online from unmanaged devices, follow these steps:

1. Sign in to the Azure portal and navigate to Azure Active Directory > Security > Conditional Access. Create a new policy and give it a descriptive name.

2. Under 'Assignments', select 'Users and groups' and specify the users or groups to which the policy will apply. This can be all users, specific groups, or a combination.

3. Still under 'Assignments', select 'Cloud apps or actions', choose 'Select apps', then search for and select 'SharePoint Online'. This ensures the policy applies only when SharePoint Online is accessed.

4. Under 'Conditions', select 'Device state'. Configure this condition to target 'Not configured'. Set 'Include' to 'Yes' for 'Device is Hybrid Azure AD joined' and 'Device is marked as compliant'. Set 'Exclude' to 'Yes' for both 'Device is Hybrid Azure AD joined' and 'Device is marked as compliant'. This configuration targets devices that are not managed by your organization (i.e., not Hybrid Azure AD joined and not marked as compliant via Intune).

5. Under 'Access controls', select 'Grant', choose 'Grant access', and select the 'Require multi-factor authentication' option. You can also require one or more other controls, such as a compliant device or a Hybrid Azure AD joined device, but for this scenario only MFA is required.

6. Set the policy to 'On' to enable it.

This policy will now require MFA for any user accessing SharePoint Online from a device that is not managed by your organization, adding an extra layer of security for access to sensitive data from untrusted devices.
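The same policy as an added example, not taken from this page, built with the Microsoft Graph PowerShell SDK instead of the portal. It uses the Conditional Access filter-for-devices condition, which Microsoft introduced to replace the 'Device state' condition used in the steps above, and expresses "unmanaged" as "neither Intune-compliant nor hybrid Azure AD joined". The policy name, the 'All users' scope and the report-only starting state are choices made here, not taken from the page.

```powershell
# Added example (not the page's own procedure): create the SharePoint Online /
# unmanaged-device MFA policy through Microsoft Graph. Requires the Microsoft.Graph
# module; the scopes below are the delegated permissions the create call needs.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Well-known appId of the Office 365 SharePoint Online service principal.
$sharePointAppId = "00000003-0000-0ff1-ce00-000000000000"

# Filter-for-devices rule in EXCLUDE mode: managed devices (Intune-compliant or
# hybrid Azure AD joined, which report trustType "ServerAD") are removed from the
# policy's scope, so only devices failing both checks remain in scope.
$deviceFilterRule = 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"'

$policy = @{
    displayName   = "CA - Require MFA for SharePoint Online from unmanaged devices"   # assumed name
    # Report-only first: review the Conditional Access sign-in log results, then
    # change to "enabled" to enforce (the 'On' state in the portal steps).
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All") }   # or group object IDs, as in step 2
        applications   = @{ includeApplications = @($sharePointAppId) }
        clientAppTypes = @("all")
        devices        = @{
            deviceFilter = @{
                mode = "exclude"
                rule = $deviceFilterRule
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")   # only MFA, matching step 5
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state '$($created.State)'"

# Verification: read the policy back and confirm the scope, device filter and grant control.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$check.Conditions.Applications.IncludeApplications   # expect the SharePoint Online appId
$check.Conditions.Devices.DeviceFilter.Mode          # expect "exclude"
$check.Conditions.Devices.DeviceFilter.Rule          # expect the rule above
$check.GrantControls.BuiltInControls                 # expect "mfa"
```

After the report-only review, switch the policy with Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" } to enforce it.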