- Microsoft 365 compliance policy: Control access with compliant devices - Thu, Nov 17 2022
I assume here that your Microsoft 365 license includes Intune and that you are familiar with creating Azure AD groups. The aim of the process we will follow is to ensure that only compliant devices are able to access resources, and then control what makes a device compliant.
First, we will log in to Azure AD and create a group for our compliant devices.
This group will be populated manually by an administrator when a device is onboarded. Once your group is created, switch to Endpoint Manager and load compliance policies.
Next, navigate to Compliance policy settings.
Then, deactivate Mark devices with no compliance policy assigned as compliant.
Making this simple change means that a device cannot be considered compliant just by enrolling in Intune; it must have a policy assigned. In the next step, we will ensure that the compliance policies only apply to devices in our approved group.
If you already have a compliance policy, go to its properties. If you have no compliance policies yet, you can use the instructions here to create one.
In my example policy below, I have assigned it to All Devices.
Click Edit next to Assignments, then remove the All Devices object.
Now use the Add Groups button to add the group we made earlier.
Our group currently has no members, so at this point, add the devices you want to trust to the group.
Save the changes to your policy.
The next step is to create a conditional access policy that grants access only to compliant devices.
Note these points before you begin:
- Test this configuration before you roll it out to your entire organization.
- Mobile devices and browsers may not behave as expected; see this example.
- Make sure you don't inadvertently lock yourself out of your own tenant.
- Consider that restricting access to compliant devices may impact your organization if people sign in to services like SharePoint using unmanaged devices.
Switch back to Azure AD and navigate to Security and Conditional Access.
Click to create a new policy.
The policy we create here will be for testing our deployment of approved devices. Thus, we will apply it only to a specific user account.
Under Users or workload identities, select Users and groups, and then choose your pilot user.
Select all cloud apps.
Keep the Conditions blank, and set Access Controls to Grant access and Require device to be marked as compliant.
Review your policy choices, and ensure that you are not about to lock yourself out.
Set the policy to On and click Create.
When your pilot user tries to sign in to Microsoft 365, they will be allowed access if they are on a compliant device. If not, they will be denied access. Depending on the app or browser they use, the message may differ.
As you can see in the screenshot below, despite me signing into portal.office.com and completing an MFA challenge, I am still blocked from accessing resources.
If you switch to Azure AD and navigate to Sign-in logs, you will see a corresponding failure entry.
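The same pilot policy and the sign-in log check, as an added example using the Microsoft Graph PowerShell SDK (this is not code from the original article); the policy display name, the pilot UPN, the optional break-glass exclusion and the requested scopes are assumptions.

```powershell
# Added example, not from the original article. Creates the pilot Conditional Access
# policy described in the walkthrough and then queries the sign-in log for
# Conditional Access failures of the pilot user.
# Assumptions: the Microsoft.Graph module is installed, the signed-in admin holds the
# Conditional Access Administrator role, and the two placeholders below are replaced.
$PilotUpn      = 'pilot.user@contoso.example'        # placeholder: your pilot user
$BreakGlassUpn = 'breakglass@contoso.example'        # placeholder: emergency access account

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'User.Read.All', 'AuditLog.Read.All', 'Directory.Read.All'

$pilotUser      = Get-MgUser -UserId $PilotUpn
$breakGlassUser = Get-MgUser -UserId $BreakGlassUpn

$policy = @{
    displayName   = 'Pilot - Require compliant device'   # assumed name
    # 'enabled' matches "Set the policy to On"; use 'enabledForReportingButNotEnforced'
    # (report-only) if you want to review sign-in log impact before enforcing.
    state         = 'enabled'
    conditions    = @{
        # Scope to the pilot user only; excluding the break-glass account prevents
        # locking yourself out of the tenant.
        users        = @{
            includeUsers = @($pilotUser.Id)
            excludeUsers = @($breakGlassUser.Id)
        }
        applications = @{ includeApplications = @('All') }   # "Select all cloud apps"
        # Conditions (locations, platforms, client apps) deliberately left blank
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice')   # "Require device to be marked as compliant"
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Verification: after the pilot user signs in from a device that is not compliant,
# the sign-in log should contain a failure attributed to this policy.
Get-MgAuditLogSignIn -Top 10 `
    -Filter "userPrincipalName eq '$PilotUpn' and conditionalAccessStatus eq 'failure'" |
    Select-Object CreatedDateTime, AppDisplayName, ConditionalAccessStatus,
        @{ n = 'FailedPolicies'
           e = { ($_.AppliedConditionalAccessPolicies |
                  Where-Object Result -eq 'failure').DisplayName -join ', ' } }
```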
Using this method, you can increase the security of your tenant with only a small administrative overhead when onboarding new devices.