How to use Device based Conditional Access in Microsoft Entra ID

I wrote an article last week about Conditional Access in Entra ID, how to create access policies and enable them in report-only mode or normal mode.

Today I would like to explain how to harden the access policies in Conditional Access with device-based filtering.

Let's see the following scenario, which we will use to harden the Admin Portal access.

Scenario

We found out that the Microsoft 365 Admin Center is accessible by all the users in the IT Department and from all devices as well.

We would like to allow access only from Windows devices and deny any other device access to the Microsoft 365 Admin Center.

We will use the Device Platforms condition. Conditional Access identifies the device platform by using information provided by the device, such as the user agent string.

Let's see how we can achieve it!

Note: Sometimes there are small differences in the Azure portal menu.

 

  • Log in to the Microsoft 365 Admin Center.
  • Click on Identity.
  • From the left side menu click on Protection -- Identity Protection -- Conditional Access.
  • Click on New policy.
Conditional Access Policy New Policy

 

  • Type a name for the new policy.
  • Select the users or groups to which you want to assign this Conditional Access policy.
Conditional Access Policy - Select User

 

  • Click on Target resources. Select "Select apps".
Conditional Access Policy - Target Resources

 

  • Click on Select and check Microsoft Admin Portals. Click Select.
Conditional Access Policy - Target Resources

 

  • Leave the Network as it is.
  • The interesting option is Conditions. Click on it.
  • Click on Device platforms.
Conditional Access Policy - Target Resources

 

  • In Configure, verify that the selection is Yes.
  • In Include, select Any device.
Conditional Access Policy - Target Resources

 

  • In Exclude, tick Windows. Click Done.
Conditional Access Policy - Target Resources

 

  • Continue with Access controls. Click Block access.
Conditional Access Policy - Block Access

 

  • In Enable policy, verify that Report-only is selected so that you can test the policy first.
Conditional Access Policy - Report Only mode Policy

 

  • Now try to log in to the Microsoft 365 Admin Center from your mobile or another device that is not Windows.
  • You will log in without a problem because the Conditional Access policy is in Report-only mode.
  • You can verify whether the policy is working from the Sign-in logs.
  • In Microsoft Entra ID click on All users.
  • In the search field type the user name.
Microsoft Entra Id - Sign-in Logs

 

  • When you find it, click on the user.
  • Click on Sign-in logs.
  • Normally you should see logs with Status Failure like the following.
Microsoft Entra Id - Sign-in Logs

 

  • Open a specific log entry to verify that the failure reason comes from the Conditional Access policy.
Microsoft Entra Id - Sign-in Logs

 

  • Now that we have verified that the Conditional Access policy is working with the device-based condition, you can edit it and change Enable policy from Report-only to On.
Conditional Access Policy - Enable Policy

 

  • If you try now to log in to the Microsoft Admin Center from a non-Windows device you will get an error like the following.
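The same policy can be expressed as a Microsoft Graph conditionalAccessPolicy body, and the report-only check from the steps above can be automated over sign-in log entries. This is an added example, not code from the article or from Microsoft; the group id, policy name and sign-in records are constructed, and the Graph field names used are assumed to match the conditionalAccessPolicy and signIn resources.

```python
import json

# Placeholder object id of the IT Department group (constructed, not a real tenant value).
IT_GROUP_ID = "00000000-0000-0000-0000-000000000000"
POLICY_NAME = "Block admin portals from non-Windows devices"  # assumed display name


def build_policy(group_id: str, report_only: bool = True) -> dict:
    """Graph conditionalAccessPolicy body for the article's policy: target the
    Microsoft Admin Portals, include all platforms, exclude Windows, block access."""
    return {
        "displayName": POLICY_NAME,
        # Report-only first, as the article recommends; switch to "enabled" once verified.
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeGroups": [group_id]},
            "applications": {"includeApplications": ["MicrosoftAdminPortals"]},
            "platforms": {"includePlatforms": ["all"], "excludePlatforms": ["windows"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


# Constructed sign-in records, trimmed to the fields of the Graph signIn resource we need.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "deviceDetail": {"operatingSystem": "Ios 17.1"},
     "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "reportOnlyFailure"}]},
    {"userPrincipalName": "bob@contoso.example", "deviceDetail": {"operatingSystem": "Windows 11"},
     "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "reportOnlyNotApplied"}]},
    {"userPrincipalName": "carol@contoso.example", "deviceDetail": {"operatingSystem": "Android"},
     "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "failure"}]},
]


def would_be_blocked(signins: list, policy_name: str) -> list:
    """Return (upn, os) for sign-ins the policy blocked, or would have blocked in report-only mode."""
    hits = []
    for s in signins:
        for p in s.get("appliedConditionalAccessPolicies", []):
            if p["displayName"] == policy_name and p["result"] in ("failure", "reportOnlyFailure"):
                hits.append((s["userPrincipalName"], s["deviceDetail"]["operatingSystem"]))
    return hits


if __name__ == "__main__":
    print(json.dumps(build_policy(IT_GROUP_ID), indent=2))
    for upn, os_name in would_be_blocked(SAMPLE_SIGNINS, POLICY_NAME):
        print(f"{upn} from {os_name} is (or would be) blocked by the policy")
```

Because the platform is inferred from what the device reports, Microsoft recommends combining the device platform condition with a device compliance or hybrid join requirement rather than relying on it alone.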

 

You can increase the security of highly important resources such as the Microsoft 365 Admin Portal with a device-based Conditional Access policy.

It's not difficult and it doesn't take much time.