- Microsoft Teams freezes: Set cam permissions for conferencing apps - Tue, Mar 21 2023
- Microsoft 365 Apps admin center: Remote Office configuration - Wed, Mar 8 2023
- Encrypt email in Outlook with Microsoft 365 - Tue, Dec 6 2022
I assume here that your Microsoft 365 license includes Intune and that you are familiar with creating Azure AD groups. The aim of the process we will follow is to ensure that only compliant devices are able to access resources, and then control what makes a device compliant.
First, we will log in to Azure AD and create a group for our compliant devices.
Create an Intune Approved Devices group
This group will be populated manually by an administrator when a device is onboarded. Once your group is created, switch to Endpoint Manager and load compliance policies.
Go to Endpoint Manager and open Compliance policies
Next, navigate to Compliance policy settings.
Go to Compliance policy settings
Then, deactivate Make devices with no compliancy policy assigned as compliant.
Change default Compliance policy settings
Making this simple change means that a device cannot be considered compliant just by enrolling in Intune; it must have a policy assigned. In the next step, we will ensure that the compliance policies only apply to devices in our approved group.
If you already have a compliance policy, go to its properties. If you have no compliance policies yet, you can use the instructions here to create one.
In my example policy below, I have assigned it to All Devices.
Basic Intune compliance policy
Click Edit next to Assignments, then remove the All Devices object.
Remove All Devices from the compliance policy
Now use the Add Groups button to add the group we made earlier.
Adding a Group to Compliance Policy
Approved Devices group added to the policy
Our group currently has no members in it, so at this point, you will want to add any devices you want to be trusted to the group.
Save the changes to your policy.
The next step is to create a conditional access policy that grants access only to compliant devices.
Note these points before you begin:
- Test this configuration before you roll it out to your entire organization.
- Mobile devices and browsers may not behave as expected; see this example.
- Make sure you don't inadvertently lock yourself out of your own tenant.
- Consider that restricting access to compliant devices may impact your organization if people sign in to services like SharePoint using unmanaged devices.
Switch back to Azure AD and navigate to Security and Conditional Access.
Click to create a new policy.
Create a new conditional access policy
The policy we create here will be for testing our deployment of approved devices. Thus, we will apply it only to a specific user account.
Under Users or workload identities, select Users and groups, and then choose your pilot user.
Apply policy to single user
Select all cloud apps
Policy applies to all cloud apps note the warning displayed
Keep the Conditions blank, and set Access Controls to Grant access and Require device to be marked as compliant.
Grant access to device marked compliant note the warning displayed
Review your policy choices, and ensure that you are not about to lock yourself out.
Set the policy to On and click Create.
Review your new policy and click Create
When your pilot user tries to sign in to Microsoft 365, they will be allowed access if they are on a compliant device. If not, they will be denied access. Depending on the app or browser they use, the message may differ.
As you can see in the screenshot below, despite me signing into portal.office.com and completing an MFA challenge, I am still blocked from accessing resources.
Blocked from accessing resources on noncompliant device
If you switch to Azure AD and navigate to Sign-in logs, you will see a corresponding failure entry.
Subscribe to 4sysops newsletter!
Azure AD sign in log failure entry
Using this method, you can increase the security of your tenant with only a small administrative overhead when onboarding new devices.
