Device-based conditional access

Posted on 26 May 2017

In a previous article we took a general look at the importance of conditional access and what it applies to. In this article we are going to take a deeper look into device-based conditional access: how you can restrict access to applications from devices that are registered with Azure AD and which meet specific conditions.

Device-based conditional access will protect your resources from users who attempt to access these resources from:

  • Unknown or unmanaged devices
  • Devices that don’t meet your security policies

What policies can you set for device-based conditional access?

You can set policies based on the following requirements:

  • Domain-joined devices – With this, you can set a policy that will restrict access to devices that are joined to an on-premises Active Directory domain and are also registered with Azure AD. This policy applies to Windows desktops, laptops, and enterprise tablets.
  • Compliant devices – This allows you to set a policy to restrict access to devices that are marked compliant in the management system directory. This policy ensures that only devices that meet security policies such as enforcing file encryption on a device are allowed access. You can use this policy to restrict access from the following devices:
    • Windows domain-joined devices – Managed by System Center Configuration Manager (in the current branch) deployed in a hybrid configuration.
    • Windows 10 Mobile work or personal devices – Managed by Intune or by a supported third-party mobile device management system.
    • iOS and Android devices – Managed by Intune.

Users who access applications that are protected by a device-based, certification authority policy must access the application from a device that meets this policy’s requirements. Access is denied if it is attempted on a device that doesn’t meet policy requirements.

If you would like to find out more about how device-based conditional access can help your organisation protects its data, please contact us.

A few people we've already done it for