Requiring a managed device to access Microsoft 365 services (or generally any apps/services integrated with Microsoft Entra ID) is a very effective method of phishing protection.

This is because in such a case it is not enough for a threat actor to obtain, for example, login credentials through phishing. It is not even enough to somehow obtain or bypass MFA. In such a case, the threat actor would also have to have a managed device from the organization’s tenant. Which should be unrealistic to obtain.

Thus, requiring access from a managed device is a very effective and powerful method of protecting corporate identity. And yet it shouldn’t be too complicated to deploy, since corporate devices should be managed anyway.

Creating Conditional Access policy to require compliant device for application access

Go to Microsoft Entra ID – Security – Conditional Access – Policies and create a new conditional access policy. The policy should definitely target all users, it’s just a good idea to remove the break-glass account from the policy.

For applications, it depends if you are targeting just Microsoft 365 services or all services and applications integrated with Microsoft Entra ID. I definitely recommend targeting all apps and services, otherwise you’re leaving potential gap for a threat actor.

In Conditions, you can select the platforms you are targeting. I usually recommend creating two policies – one for desktop platforms (usually Windows and macOS) and one for mobile platforms (Android and iOS). However, you can leave the platforms unconfigured and therefore target all platforms in one policy.

The important thing is the settings that determine which applications are targeted by the policy. You can target even the web browser. This is the optimal state so that access from a managed device is always required at all times. However, I only want to target mobile and desktop applications in this policy.

The last thing to set is to force the use of the managed device for the scenario defined above. Open Grant and verify that Grant access is checked. Select Require device to be marked as compliant from the menu below.

End user experience when requiring compliant device

If users are working from a managed (compliant) device, they won’t notice anything.

If users are not working from a managed (compliant) device, they will be prompted to enroll their device in Microsoft Intune. A wizard guides them through the entire process, so even a casual end user should be able to handle this on their own.