To ensure that a BYOD device meets the necessary security standards, you should ensure it is joined to Active Directory (AD), or that the user enrolls it in the MDM solution. Either option enables central configuration of the required security settings.
Some cloud services, such as Azure AD, can then use conditional access policies to ensure access is only granted to specific services if the device is compliant and/or domain joined.
Device configuration requirements can vary from one company to another, but the fundamental configurations that should be enforced include:
- BitLocker full drive encryption: Ensuring no content stored on the local drive can be accessed without the appropriate key, which is stored in a Trusted Platform Module (TPM) chip
- Device Guard: Ensuring the hardware and software components are enabled to protect the system by only allowing trusted applications to run
- Secure local administration: Ensuring the user does not log on with local admin rights
- Secure authentication: Enable and enforce minimum requirements for the security of authentication, such as Microsoft Passport and Windows Hello
- Windows Defender: This or another virus and threat protection solution should be enabled, updated, and actively protecting the operating system, applications, and data
- Software patches: These must be applied very soon after they are made available, reducing the window of opportunity for any potential attack vectors
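As an added example (not from the original article), the following PowerShell script audits a Windows 10/11 device against the baseline listed above and returns one pass/fail result per item; it must run in an elevated session, and the patch-age and signature-age thresholds, as well as the Windows Hello for Business policy registry path, are assumptions rather than values the article gives.

```powershell
# Added example: local audit of the BYOD baseline above. Thresholds are assumptions.
function Test-BaselineCompliance {
    [CmdletBinding()]
    param(
        [int]$MaxPatchAgeDays = 30,     # assumed threshold
        [int]$MaxSignatureAgeDays = 7   # assumed threshold
    )
    $r = [ordered]@{}

    # BitLocker: OS volume protected, with at least one TPM-based key protector
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $tpmProtectors = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }
    $r.BitLocker = ($vol.ProtectionStatus -eq 'On') -and ([bool]$tpmProtectors)

    # Device Guard: virtualization-based security running (2) and a code
    # integrity policy in enforced mode (2), not audit (1) or off (0)
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $r.DeviceGuard = ($dg.VirtualizationBasedSecurityStatus -eq 2) -and
                     ($dg.CodeIntegrityPolicyEnforcementStatus -eq 2)

    # Secure local administration: the interactive user is not a local Administrator
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
              ForEach-Object { $_.Name }
    $r.NoLocalAdmin = -not ($admins -contains "$env:USERDOMAIN\$env:USERNAME")

    # Secure authentication: Windows Hello for Business enabled by policy (assumed registry path)
    $hello = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork' `
                              -Name Enabled -ErrorAction SilentlyContinue
    $r.WindowsHello = ($hello.Enabled -eq 1)

    # Windows Defender: engine and real-time protection on, signatures recent
    $mp = Get-MpComputerStatus
    $r.Defender = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and
                  ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays)

    # Software patches: the newest installed update must fall inside the allowed window
    $latest = Get-HotFix | Where-Object InstalledOn |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    $r.Patched = [bool]$latest -and ($latest.InstalledOn -gt (Get-Date).AddDays(-$MaxPatchAgeDays))

    # Overall verdict: every individual check must have passed
    $r.Compliant = @($r.Values | Where-Object { -not $_ }).Count -eq 0
    [pscustomobject]$r
}

Test-BaselineCompliance | Format-List
```

A failed item points at the setting that the MDM or Group Policy baseline should correct before conditional access treats the device as compliant.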
For a full listing of device security considerations, review this article: https://docs.microsoft.com/en-us/windows/device-security/.