Allowing users to access resources from any device is the equivalent of an airline company like United saying, “you know what, we are just going to let our pilots fly any plane they want. We don’t know if it is up to code. We don’t really know who is on the plane but they can still access our United resources.” Would you get on that plane? As the CEO of United would you be comfortable with that? I don’t know too many people that would say yes.
By default in Microsoft 365, users can access their corporate data from:
If this makes you uneasy, it should, because it exposes us to a significant amount of risk. In a previous article, I discussed how you can secure access on BYOD/personal devices and the importance of educating your customers on why managed devices should be the only method of accessing corporate resources. In today’s article, I am going to walk you through the exact policy you need to configure in your Microsoft environment to allow only approved device access.
So like I mentioned previously, we want to channel our customers into using only approved managed devices. Today we are going to walk through the first recommended policy for secure device access which is requiring a managed and/or compliant device.
By default, users can log in from practically any device. That device could have active malware on it, or it could be a device owned by an attacker who recently compromised a user and obtained their credentials or performed some type of token theft.
In a previous article on persistence techniques, I also showed that one of the common actions attackers take in the attack kill chain after initial compromise is joining a device to your network to maintain persistence and effectively hide. These are all reasons we want to enforce a strong policy for device access.
When thinking about a layered approach to security, you will have varying states of maturity with the customers you manage. There are tiers or levels you can step into for policies you enforce based on where the customer is at today.
When you onboard a customer, within the first 90 days you want to enforce a policy that requires a managed device to be used when signing in. We do this by leveraging the device registration type in Microsoft 365. We want our devices to be either Entra Joined or, if the customer still has on-premises Active Directory, Entra Hybrid Joined.
How to Configure
Layer 2 protections require more maturity and take this a step further. They require that:
They step up our protections because they also require that managed devices are in a “compliant” (i.e. “healthy”) state. You decide what makes a device compliant within the policy you create in Intune, but at a high level we are asking questions like:
And more. It requires a higher level of maturity given you have to:
How to Configure
(Prerequisite is creating and enforcing a device compliance policy)
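As an added example that is not from the article, here are the Layer 1 and Layer 2 policies described above expressed with the Microsoft Graph PowerShell SDK (New-MgIdentityConditionalAccessPolicy). The device-filter rule used to implement the Layer 1 registration-type check, the policy names and the placeholder exclusion group are my assumptions; both policies are created in report-only state so sign-in logs can be reviewed before they are switched on.

```powershell
# Added example (not from the article): creates the two policies described above
# via the Microsoft Graph PowerShell SDK. Assumes the Microsoft.Graph module is
# installed and that <BREAK-GLASS-GROUP-ID> is replaced with your exclusion group.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$excludeGroups = @("<BREAK-GLASS-GROUP-ID>")   # placeholder: emergency-access accounts

# Layer 1: block sign-in from any device that is not Entra joined or Entra hybrid
# joined, using a device filter on trustType ("AzureAD" = Entra joined,
# "ServerAD" = hybrid joined). In exclude mode the block also applies to devices
# with no registration at all, so unregistered/"Workplace" devices are blocked.
$layer1 = @{
    displayName   = "CA - Layer 1 - Require Entra joined or hybrid joined device"
    state         = "enabledForReportingButNotEnforced"   # report-only first, then enable
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = $excludeGroups }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        devices        = @{
            deviceFilter = @{
                mode = "exclude"
                rule = 'device.trustType -eq "AzureAD" -or device.trustType -eq "ServerAD"'
            }
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Layer 2: grant access only if the device is marked compliant by Intune OR is
# hybrid joined. Prerequisite from the article: an Intune compliance policy must
# already be created and assigned, otherwise no device can satisfy the grant.
$layer2 = @{
    displayName   = "CA - Layer 2 - Require compliant or hybrid joined device"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = $excludeGroups }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice", "domainJoinedDevice") }
}

foreach ($policy in @($layer1, $layer2)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}
```

Review the report-only results in the Entra sign-in logs (Conditional Access tab) for a few days, then change `state` to `enabled` once the excluded break-glass group and the compliance policy assignment have been confirmed.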
Ok, I highly encourage you to go enforce at least the Layer 1 conditional access policy I showed here to start locking down your environment. Stay tuned as we cover the next recommended policy I have for secure device access.