Microsoft Entra, Blog Posts, February 23, 2024

Block access with Conditional Access for Unmanaged Devices

Today, we will discuss nothing new, but it’s still a topic that remains as relevant and important as ever. If you decide to block users working from unmanaged devices, you mitigate various security risks, such as data leaks and successful phishing attacks.

For example, we see the rise of Man-in-the-Middle (MitM) phishing attacks, which can easily steal your credentials and access tokens and use these to sign in to your account while completely bypassing multi-factor authentication.

Conditional Access can prevent these attacks without relying on phishing-resistant authentication methods such as Hello for Business, FIDO2 hardware keys, or soon Microsoft Authenticator with Passkeys.

However, blocking access for unmanaged devices will likely limit user productivity because users can no longer work from personal or bring-your-own devices, making it unsuitable for some companies. Besides that, you can and should still consider blocking access for users with access to sensitive resources, such as IT administrators, and other highly sensitive user groups, such as Finance, HR, and Management.

In this blog, I’ll guide you through how to block access with Conditional Access for unmanaged devices. The post contains the following sections:

  • Preparation
  • Create Conditional Access policy
  • User Experience
  • Wrap up

Preparation

Creating the conditional access policy itself is not that complicated; the preparation, on the other hand, is what matters most. Let me share some recommendations to prepare you for a smooth implementation.

  1. Ensure all your devices are managed by Microsoft Intune and are compliant with your compliance policies.
  2. Identify groups of users still working from unmanaged devices or on-premises VDI environments. Decide whether to exclude users or IP ranges or move them towards working from Intune-managed virtual devices such as Windows 365 Cloud PCs or Azure Virtual Desktop.
  3. Create one or two emergency access (break glass) accounts because one tiny mistake editing a conditional access or compliance policy can lock you out of your tenant. (read my quick guide here)
  4. Enable Single Sign On (SSO) for third-party browsers such as Google Chrome and Firefox, or accept that users can only sign in from the Microsoft Edge browser. (read my quick guide here)
  5. Disable personal device enrollments to prevent users (or attackers) from enrolling a compliant device themselves. (read my quick guide here)
  6. Test and improve your Windows Autopilot setup to prevent users with newly enrolled devices from being blocked, as it can take some time for new devices to become compliant in some scenarios.
  7. Always deploy your conditional access policies in pilots before deploying them to production; it will give you enough time to identify exceptions and the need for exclusions.

Create the Conditional Access policy

Now, the easy part is creating the actual Conditional Access policy. Be aware that there are multiple ways of configuring the policy, such as:

  • Directly blocking unmanaged devices by blocking all unmanaged devices with the device filter condition.
  • Indirectly blocking unmanaged devices by blocking all devices except managed devices with the device filter condition.

The above examples are not wrong, but I prefer to do it by indirectly blocking unmanaged devices by requiring a compliant device. With this method, we are also blocking managed but non-compliant devices.

Now, let’s create the conditional access policy by following these steps:

  1. Go to the Microsoft Entra admin center and navigate to Protect and Secure > Conditional Access.
  2. Go to Policies and create a new policy with the below settings.

After configuring the policy, assigning users, and adding exclusions where necessary, we have successfully blocked unmanaged devices with Conditional Access.
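The same policy expressed as a Microsoft Graph request body, with the preflight checks from the preparation section (break-glass exclusion, pilot group, report-only first). This is an added example and not code from the post; the group ids are constructed placeholders, and the display name and the two check functions are my own naming.

```python
import json

# Constructed placeholder group object ids; replace with your tenant's values.
PILOT_GROUP_ID = "11111111-1111-1111-1111-111111111111"
BREAK_GLASS_GROUP_ID = "99999999-9999-9999-9999-999999999999"


def build_policy(pilot_group: str, break_glass_group: str, enforce: bool = False) -> dict:
    """Body for POST /identity/conditionalAccess/policies (Microsoft Graph v1.0).

    Grant control 'compliantDevice' is the indirect approach from the post: any
    sign-in that is not from a compliant Intune device (unmanaged, or managed but
    non-compliant) fails the grant and is blocked.
    """
    return {
        "displayName": "CA - Require compliant device (pilot)",
        # Start in report-only (preparation step 7); switch to enforced later.
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {
                "includeGroups": [pilot_group],
                # Preparation step 3: the break-glass accounts must never be caught.
                "excludeGroups": [break_glass_group],
            },
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    }


def preflight(policy: dict, break_glass_group: str) -> list:
    """Checks to run before submitting the policy; returns a list of findings."""
    findings = []
    users = policy["conditions"]["users"]
    if break_glass_group not in users.get("excludeGroups", []):
        findings.append("break-glass group is not excluded")
    if policy["state"] == "enabled" and "All" in users.get("includeUsers", []):
        findings.append("enforced policy targets all users; pilot with a group first")
    if "compliantDevice" not in policy["grantControls"].get("builtInControls", []):
        findings.append("grant control does not require a compliant device")
    return findings


if __name__ == "__main__":
    policy = build_policy(PILOT_GROUP_ID, BREAK_GLASS_GROUP_ID)
    print(preflight(policy, BREAK_GLASS_GROUP_ID) or "preflight ok")
    print(json.dumps(policy, indent=2))
```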

User Experience

Lastly, let me show you what the user sees. If a user signs in from an unmanaged or non-compliant device, they will be blocked and see the following error message.

If you look at the sign-in logs for the user, you can see that the device was not in the required state and, as a result, got blocked by the conditional access policy.
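A small triage over sign-in log records that tells blocked unmanaged devices apart from blocked managed-but-non-compliant devices, and surfaces report-only "would have blocked" results during a pilot. This is an added example, not from the post; the records are constructed in the shape of the Graph signIn resource (userPrincipalName, deviceDetail, appliedConditionalAccessPolicies) and the policy display name is assumed.

```python
from collections import Counter

POLICY_NAME = "CA - Require compliant device (pilot)"

# Constructed sample records in the shape of Graph signIn objects, trimmed to the
# fields used here; none of these are real users or events.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "conditionalAccessStatus": "failure",
     "deviceDetail": {"isManaged": False, "isCompliant": False},
     "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "failure"}]},
    {"userPrincipalName": "bob@contoso.example", "conditionalAccessStatus": "failure",
     "deviceDetail": {"isManaged": True, "isCompliant": False},
     "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "failure"}]},
    {"userPrincipalName": "carol@contoso.example", "conditionalAccessStatus": "success",
     "deviceDetail": {"isManaged": True, "isCompliant": True},
     "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "success"}]},
    {"userPrincipalName": "dave@contoso.example", "conditionalAccessStatus": "notApplied",
     "deviceDetail": {"isManaged": False, "isCompliant": False},
     "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "reportOnlyFailure"}]},
]


def classify(rec: dict) -> str:
    """Classify one sign-in by how the compliant-device policy evaluated it."""
    result = next((p.get("result") for p in rec.get("appliedConditionalAccessPolicies", [])
                   if p.get("displayName") == POLICY_NAME), None)
    device = rec.get("deviceDetail", {})
    if result == "failure":
        # Managed but non-compliant devices are blocked too; tell them apart for triage.
        return "blocked-noncompliant" if device.get("isManaged") else "blocked-unmanaged"
    if result == "reportOnlyFailure":
        return "pilot-would-block"  # report-only: user got in, but would be blocked
    if result in ("success", "reportOnlySuccess"):
        return "allowed"
    return "not-evaluated"


def summarize(records) -> dict:
    """Count sign-ins per outcome; useful for sizing exclusions before enforcing."""
    return dict(Counter(classify(r) for r in records))


def blocked_users(records) -> list:
    """Users that were actually denied, for follow-up (device enrolment or exclusion)."""
    return sorted({r["userPrincipalName"] for r in records if classify(r).startswith("blocked")})
```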

Wrap up

Blocking unmanaged devices can be very effective but is not always user-friendly. As an alternative to blocking, consider implementing limited access by configuring session policies, app-enforced restrictions, sensitivity labels, or mobile application management.

If you found this blog informative or have any questions, please tell me in the comment section.

This post is part of the unmanaged devices blog series; find more posts here.
View previous part: Limited access with Session Policies for Unmanaged Devices
View next part: First look at Mobile Application Management for Windows


About the author

Myron Helgering
