With the procedure described in this post, you can ensure that only devices with an assigned Microsoft 365 compliance policy are able to sign in. This way, you will significantly improve the security of your Microsoft 365 deployment.

I assume here that your Microsoft 365 license includes Intune and that you are familiar with creating Azure AD groups. The aim of the process we will follow is to ensure that only compliant devices are able to access resources, and then control what makes a device compliant.

First, we will log in to Azure AD and create a group for our compliant devices.

Create an Intune Approved Devices group

Create an Intune Approved Devices group

This group will be populated manually by an administrator when a device is onboarded. Once your group is created, switch to Endpoint Manager and load compliance policies.

Go to Endpoint Manager and open Compliance policies

Go to Endpoint Manager and open Compliance policies

Next, navigate to Compliance policy settings.

Go to Compliance policy settings

Go to Compliance policy settings

Then, deactivate Make devices with no compliancy policy assigned as compliant.

Change default Compliance policy settings

Change default Compliance policy settings

Making this simple change means that a device cannot be considered compliant just by enrolling in Intune; it must have a policy assigned. In the next step, we will ensure that the compliance policies only apply to devices in our approved group.

If you already have a compliance policy, go to its properties. If you have no compliance policies yet, you can use the instructions here to create one.

In my example policy below, I have assigned it to All Devices.

Basic Intune compliance policy

Basic Intune compliance policy

Click Edit next to Assignments, then remove the All Devices object.

Remove All Devices from the compliance policy

Remove All Devices from the compliance policy

Now use the Add Groups button to add the group we made earlier.

Adding a Group to Compliance Policy

Adding a Group to Compliance Policy

Approved Devices group added to the policy

Approved Devices group added to the policy

Our group currently has no members in it, so at this point, you will want to add any devices you want to be trusted to the group.

Save the changes to your policy.

The next step is to create a conditional access policy that grants access only to compliant devices.

Note these points before you begin:

  1. Test this configuration before you roll it out to your entire organization.
  2. Mobile devices and browsers may not behave as expected; see this example.
  3. Make sure you don't inadvertently lock yourself out of your own tenant.
  4. Consider that restricting access to compliant devices may impact your organization if people sign in to services like SharePoint using unmanaged devices.

Switch back to Azure AD and navigate to Security and Conditional Access.

Click to create a new policy.

Create a new conditional access policy

Create a new conditional access policy

The policy we create here will be for testing our deployment of approved devices. Thus, we will apply it only to a specific user account.

Under Users or workload identities, select Users and groups, and then choose your pilot user.

Apply policy to single user

Apply policy to single user

Select all cloud apps

Policy applies to all cloud apps note the warning displayed

Policy applies to all cloud apps note the warning displayed

Keep the Conditions blank, and set Access Controls to Grant access and Require device to be marked as compliant.

Grant access to device marked compliant note the warning displayed

Grant access to device marked compliant note the warning displayed

Review your policy choices, and ensure that you are not about to lock yourself out.

Set the policy to On and click Create.

Review your new policy and click Create

Review your new policy and click Create

When your pilot user tries to sign in to Microsoft 365, they will be allowed access if they are on a compliant device. If not, they will be denied access. Depending on the app or browser they use, the message may differ.

As you can see in the screenshot below, despite me signing into portal.office.com and completing an MFA challenge, I am still blocked from accessing resources.

Blocked from accessing resources on noncompliant device

Blocked from accessing resources on noncompliant device

If you switch to Azure AD and navigate to Sign-in logs, you will see a corresponding failure entry.

Subscribe to 4sysops newsletter!

Azure AD sign in log failure entry

Azure AD sign in log failure entry

Using this method, you can increase the security of your tenant with only a small administrative overhead when onboarding new devices.

0 Comments

Leave a reply

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2023

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account