Microsoft Entra, Blog Posts | February 23, 2024

Block access with Conditional Access for Unmanaged Devices

Today, we will discuss nothing new, but it’s still a topic that remains as relevant and important as ever. If you block users working from unmanaged devices, you mitigate several security risks at once, such as data leaks and successful phishing attacks.

For example, we see the rise of Man-in-the-Middle (MitM) phishing attacks, which can easily steal your credentials and access tokens and use these to sign in to your account while completely bypassing multi-factor authentication.

Conditional Access can prevent these attacks without relying on phishing-resistant authentication methods such as Hello for Business, FIDO2 hardware keys, or soon Microsoft Authenticator with Passkeys.

However, blocking access for unmanaged devices will likely limit user productivity because users can no longer work from personal or bring-your-own devices, making it unsuitable for some companies. Besides that, you can and should still consider blocking access for users with access to sensitive resources, such as IT administrators, and other highly sensitive user groups, such as Finance, HR, and Management.

In this blog, I’ll guide you through how to block access with Conditional Access for unmanaged devices. The post contains the following sections:

  • Preparation
  • Create Conditional Access policy
  • User Experience
  • Wrap up

Preparation

Creating the conditional access policy itself is not that complicated; the preparation, on the other hand, is what matters most. Let me share some recommendations to prepare you for a smooth implementation.

  1. Ensure all your devices are managed by Microsoft Intune and are compliant with your compliance policies.
  2. Identify groups of users still working from unmanaged devices or on-premises VDI environments. Decide whether to exclude users or IP ranges or move them towards working from Intune-managed virtual devices such as Windows 365 Cloud PCs or Azure Virtual Desktop.
  3. Create one or two emergency access (break glass) accounts because one tiny mistake editing a conditional access or compliance policy can lock you out of your tenant. (read my quick guide here)
  4. Enable Single Sign On (SSO) for third-party browsers such as Google Chrome and Firefox, or accept that users can only sign in from the Microsoft Edge browser. (read my quick guide here)
  5. Disable personal device enrollments to prevent users (or attackers) from enrolling a compliant device themselves (read my quick guide here)
  6. Test and improve your Windows Autopilot setup to prevent users with newly enrolled devices from being blocked, as it can take some time for new devices to become compliant in some scenarios.
  7. Always deploy your conditional access policies in pilots before deploying them to production; it will give you enough time to identify exceptions and the need for exclusions.

Create the Conditional Access policy

Now, the easy part is creating the actual Conditional Access policy. Be aware that there are multiple ways of configuring the policy, such as:

  • Directly blocking unmanaged devices by blocking all unmanaged devices with the device filter condition.
  • Indirectly blocking unmanaged devices by blocking all devices except managed devices with the device filter condition.

The above approaches are not wrong, but I prefer a different method: indirectly blocking unmanaged devices by requiring a compliant device as the grant control. With this method, we also block managed but non-compliant devices.

Now, let’s create the conditional access policy by following these steps:

  1. Go to the Microsoft Entra admin center and navigate to Protect and Secure > Conditional Access.
  2. Go to Policies and create a new policy with the settings below.

After configuring the policy, assigning users, and adding exclusions where necessary, we have successfully blocked unmanaged devices with Conditional Access.
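The policy body for step 2 above, together with a pre-flight check that encodes the Preparation checklist, as an added Python example that is not part of the original post or of any Microsoft tooling. It builds the Microsoft Graph `conditionalAccessPolicy` JSON you would POST to `https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies` (no network call is made); the break-glass object ID is a constructed placeholder, and the group and named-location IDs are assumptions you would fill in from your tenant.

```python
import json


def build_require_compliant_device_policy(break_glass_ids, excluded_group_ids=(),
                                          excluded_location_ids=(), pilot=True):
    """Return the Graph request body for a policy that grants access to all
    cloud apps only from an Intune-compliant device, which indirectly blocks
    unmanaged and managed-but-non-compliant devices alike."""
    return {
        "displayName": "Require compliant device (blocks unmanaged devices)",
        # Report-only first: the pilot reveals who still needs an exclusion.
        "state": "enabledForReportingButNotEnforced" if pilot else "enabled",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeUsers": list(break_glass_ids),      # break-glass accounts
                "excludeGroups": list(excluded_group_ids),  # e.g. on-prem VDI users
            },
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],                      # browser + modern clients
            "platforms": {"includePlatforms": ["all"]},     # also unknown/spoofed OS
            "locations": {
                "includeLocations": ["All"],
                "excludeLocations": list(excluded_location_ids),  # trusted IP ranges
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    }


def preflight_check(policy):
    """Apply the Preparation checklist to a policy body; returns a list of findings."""
    findings = []
    users = policy["conditions"]["users"]
    if users.get("includeUsers") == ["All"] and not users.get("excludeUsers"):
        findings.append("no break-glass account excluded: tenant lockout risk")
    if policy["state"] == "enabled":
        findings.append("policy is enforced; pilot in report-only mode first")
    if "compliantDevice" not in policy["grantControls"]["builtInControls"]:
        findings.append("grant control does not require a compliant device")
    if policy["conditions"].get("clientAppTypes") != ["all"]:
        findings.append("not every client app type is targeted")
    return findings


if __name__ == "__main__":
    # Constructed placeholder object ID for the break-glass account.
    policy = build_require_compliant_device_policy(["00000000-0000-0000-0000-000000000001"])
    print("findings:", preflight_check(policy) or "none")
    print(json.dumps(policy, indent=2))
```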

User Experience

Lastly, let me show you what the user sees. If a user signs in from an unmanaged or non-compliant device, they will be blocked and see the following error message.

If you look at the sign-in logs for the user, you can see that the device was not in the required state and, as a result, got blocked by the conditional access policy.

Wrap up

Blocking unmanaged devices can be very effective but is not always user-friendly. As an alternative to blocking, consider implementing limited access by configuring session policies, app-enforced restrictions, sensitivity labels, or mobile application management.

If you found this blog informative or have any questions, please tell me in the comment section.

This post is part of the unmanaged devices blog series; find more posts here.
View previous part: Limited access with Session Policies for Unmanaged Devices
View next part: First look at Mobile Application Management for Windows

About the author

Myron Helgering

7 Comments

  1. Steven P

    June 7, 2024

    Hi Myron,

    I'm very grateful for your blog. I'm a newbie in this environment and it helps me a lot :)

    I would like to ask you if it's possible to create one conditional access policy for unmanaged devices, but granting access with recurrent MFA (every login) instead of blocking.

    Thank you so much.
    Regards.

    • Hi Steven, you can use the Session control > Sign-in Frequency "Every time" and the Grant control > Require Multi-Factor Authentication in your policy.

      Next, you'll need to use the Condition > Filter for Devices and use the TrustType (or DeviceOwnership or isCompliant) property to Exclude corporate devices.

      Hope that helps! Good luck! I have a new blog post on recommended CA policies for unmanaged devices, but it might not be up for a while.

      • Steven P

        June 11, 2024

        Hi Myron,

        Thank you very much for your reply.

        Yes, what you've indicated is useful for me to set up such a policy.

        I will keep an eye on your blog for the post :)
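The policy Myron describes in his reply to Steven, as an added Python example that is neither from the original post nor from Microsoft: a Filter for Devices rule in exclude mode that matches corporate devices by TrustType and isCompliant, combined with the Require MFA grant control and the Sign-in frequency "Every time" session control, in the Microsoft Graph `conditionalAccessPolicy` JSON format. The break-glass ID passed in is a constructed placeholder.

```python
def device_filter_rule(trust_types=("ServerAD", "AzureAD"), include_compliant=True):
    """Filter for Devices rule that matches corporate devices: hybrid-joined
    (ServerAD), Entra-joined (AzureAD) and, optionally, any compliant device.
    Meant for 'exclude' mode so that only unmanaged devices stay in scope."""
    parts = [f'device.trustType -eq "{t}"' for t in trust_types]
    if include_compliant:
        parts.append("device.isCompliant -eq True")
    return " or ".join(parts)


def build_mfa_every_signin_for_unmanaged(break_glass_ids, rule):
    """Grant (not block) access from unmanaged devices, but require MFA with
    sign-in frequency 'Every time'."""
    return {
        "displayName": "Unmanaged devices - MFA on every sign-in",
        "state": "enabledForReportingButNotEnforced",   # pilot in report-only first
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            # Unregistered devices carry no device properties, so an 'exclude'
            # filter keeps them in scope: exactly the unmanaged population.
            "devices": {"deviceFilter": {"mode": "exclude", "rule": rule}},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        "sessionControls": {
            "signInFrequency": {
                "isEnabled": True,
                "frequencyInterval": "everyTime",
                "authenticationType": "primaryAndSecondaryAuthentication",
            }
        },
    }


if __name__ == "__main__":
    # Constructed placeholder object ID for the break-glass account.
    rule = device_filter_rule()
    print(rule)
    print(build_mfa_every_signin_for_unmanaged(["00000000-0000-0000-0000-000000000001"], rule))
```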

  2. Hakan

    July 31, 2024

    Hi,

    We tried this to block the Microsoft Office 365 Planner app within Microsoft Teams. But this does not work. It is possible to block with Session Policies of MCAS, but only for websites, not for the in-app Planner in MS Teams...

    Do you have any tips?

    • Myron Helgering

      August 12, 2024

      Uhm, that's odd behavior. I think your only option then is to include the Teams app for unmanaged devices in your conditional access policy.
      You can also block the Planner app itself from the Microsoft Teams admin center, but it will block access for all device types (not just unmanaged ones).
      https://learn.microsoft.com/en-US/microsoftteams/manage-apps

  3. Christopher

    August 5, 2024

    Hi Myron,

    Thanks for your post and blog.

    I have one question for you. I want to block all access to 365 apps on my employees' personal laptops. I have created a CA block policy targeting devices by OS, checking the boxes for macOS, Windows, and Linux. It seems to work -- should that achieve what I'm looking for?

    Many thanks.
    Christopher

    • Myron Helgering

      August 12, 2024

      Did you target the browser and client apps?
      If you've achieved your goal, then definitely yes!
      One thing you could change is to include all operating systems and exclude the ones you don't want to be included.
      This way, you will automatically target users (or attackers) that work from "Unknown or spoofed device platforms."
