'Device States' in Conditional Access for both Corporate and Personal Intune managed devices - A retrospect

-
Source:Microsoft

With the help of Microsoft Intune, organizations can use the device states returned from the enrolled devices to Entra ID to identify whether these devices meet specific policy compliance requirements and accordingly enforce controls to grant or block access to corporate resources. With device states, once the user has successfully authenticated, a Primary Refresh Token (PRT) containing both user and device claims is issued. With conditional access policies requiring either a device-based control or a multifactor authentication control in place, the policy requirement can be met through its device state using PRT without attempting MFA. This is because when a PRT requests access to an application, its device, session, and MFA claims are trusted by Microsoft Entra ID. The PRT is valid for 14 days and is continuously renewed as long as the user actively uses the device, providing users a resilient experience.

With the currently available device states, Microsoft recommends the following to be implemented aligning with Zero trust security framework -

1. Enable Microsoft Entra hybrid joined and Microsoft Entra join for company-owned Windows devices and require that they be joined, or be registered at the very least.

2. Standardize user browser access to use either Microsoft Edge or Google Chrome with the Microsoft Single Sign On extension that enable seamless SSO to web applications using the PRT.

3. For personal or company-owned iOS and Android devices, deploy the Microsoft Authenticator App. In addition to MFA and password-less sign-in capabilities, the Microsoft Authenticator app enables single sign-on across native applications through brokered authentication with fewer authentication prompts for end users.

4. For personal or company-owned iOS and Android devices, use mobile application management to securely access company resources with fewer authentication requests.

5. For macOS devices, use the Microsoft Enterprise SSO plug-in for Apple devices (preview) to register the device and provide SSO across browser and native Microsoft Entra applications.

I recently had a requirement of segregating conditional access policies for Intune managed corporate and personal devices. While addressing this requirement and aligning with the necessity of building resiliency with device states, I revisited Conditional Access and decided to leverage device filters to achieve this.

The filter for devices condition in Conditional Access evaluates policy based on device attributes of a registered device in Microsoft Entra ID. These can used for targeting or excluding specific devices by using attributes available within the device filters. However and as at the time of writing this blog, Microsoft Entra ID uses device authentication to evaluate device filter rules. Therefore for a device that is unregistered with Microsoft Entra ID, all device properties are considered as null values and the device attributes cannot be determined since the device does not exist in the directory.

Attributes currently available -



Source: Microsoft

Creating the Conditional Access policies using device filters and device states for Corporate and Personal devices

1. Sign in to the Microsoft Entra admin center.
2. Browse to Protection > Conditional Access > Policies and select New policy.
3. Give your policy a name.
4. Under Assignments, select Users or workload identities.
5. Under Target resources > Cloud apps > Include > Select All Cloud apps, or as required.
6. Under Conditions> Filter for devices> Include> Use deviceOwnership and set the value as shown below.

For Corporate\Company devices


For Personal devices


7. Under Access controls > Grant, select Grant access as shown below.

For Corporate devices, I am checking for the compliance state.


For Personal devices, I am checking for MFA OR App Protection Policy (APP)



8. Confirm your settings and set Enable policy to On.
9. Select Create to create to enable your policy.

Policies in action

I tested the policies on both corporate and personal devices to see if the relevant conditional access policies applied or not.

Corporate device Entra ID - 03abbb47-7fa9-481c-a011-fc0b15a9a212


CA007: Require Compliant for Corporate Devices - Applied


CA008: Require Strong MFA OR APP on Personal Devices - Not Applied


Personal device Entra ID - f0c64a30-e6a2-4a93-a3a7-84d8e1796d75

CA007: Require Compliant for Corporate Devices - Not Applied


CA008: Require Strong MFA OR APP on Personal Devices - Applied


That's it for now. Thank you for reading. Hope the above scenario helped in understanding on building resilience with device states for both corporate and personal devices. Until next time..

Comments

  1. AnonymousOctober 7, 2024 at 10:51 AM

    A better filter for personal devices is "device.deviceOwnership -ne "Company"", that way you'll catch unregistered devices as well (if that's your goal of course).

    ReplyDelete
    Replies
    1. Rahul JindalOctober 10, 2024 at 3:05 PM

      Thanks for sharing. Yes, certainly an option if the end goal is to catch all unregistered devices like you said. However, in this blog the use case is for managed devices only.

      Delete

Post a Comment

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

-
Image
Every now and then it so happens that BitLocker recovery keys do not escrow in AAD. The usual culprits are incorrect BitLocker policies and\or the device hardware configuration failing to meet the minimum requirements. The other scenario and something I recently experienced is when everything is setup right and still the recovery key doesn’t escrow in AAD. As I understand, this can happen if the escrow process got interrupted the first time due to network or local devices related issues and the process could not resume. To circumvent this issue, one can simply push a PowerShell script to the devices to force the escrow of the recovery keys to AAD. Here is a script to do so. try{ $BitlockerVol = Get-BitLockerVolume -MountPoint $env:SystemDrive         $KPID=""         foreach($KP in $BitlockerVol.KeyProtector){             if($KP.KeyProtectorType -eq "RecoveryPassword"){                 $KPID=$KP.KeyProtectorId                 break;             }         }        $o
Read more

Intune: Configure Printers for Non-Administrative Users

-
Image
Configuring printers for end users or giving them the ability to do it themselves is a normal requirement for organizations. Now if your users are Administrators, then the configuration can be straight forward, but in case of Non-Administrators there are additional steps required as Non-Administrators will not be able to add a driver in the driver store despite being able to install a printer. In this blog, I will cover the steps that I took to address this requirement using Intune. The setup involves 2 steps -  1. Setup registries. 2. Install the driver and configure the printer Setting up registries – The registries that need to be configured are actually part of a GPO setting – Allow non-administrators to install drivers for these device setup classes It can be found under: Computer Configuration -> Policies -> Administrative Templates -> System -> Driver Installation I used a Powershell script to set the values and wrapped it in a Win32 application. $Path1
Read more

Prevent users from running certain programs or applications on Windows endpoints using Intune

-
Image
  When it comes to blocking or preventing users from running an application on Windows devices, one normally uses App locker policy, Windows Defender Application Control and not so new but pretty useful method called Defender Vulnerability management within Microsoft 365 Defender Portal. A recent question on the Tech Community Microsoft forum prompted me to look for all possible alternatives. I started reminiscing over the legacy GPO policies and that is when I stumbled upon the policy  Don’t run specified Windows applications  located under User Administrative Templates - The policy setting does come with its own caveat - " This policy setting only prevents users from running programs that are started by the File Explorer process. It does not prevent users from running programs, such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting does not prevent them from starting pr
Read more