Conditional access policies – Block application sign-in in unmanaged devices

This is the first post of a security-centric series that will demonstrate mechanisms and configurations in Azure and Intune that help administrators secure their environments.

In this post we will create a policy to block sign-in to a specific application from unmanaged devices. We will create a conditional access policy in Microsoft Azure to prevent users from logging in to the Microsoft Teams application from devices that are not managed.

Conditional access policies are simple or complex if-then statements, e.g. if a user wants to access a resource, then they must complete an action or meet a requirement. They are used to apply the right access controls when needed.

Let’s create a simple conditional access policy that does not allow users to connect to the Microsoft Teams application from unmanaged devices.

First we navigate to Azure AD and select Security from the left blade.

After that we choose Conditional Access and then Policies.

Now click New Policy to initiate the creation process.

As you can see there are many options available here. Let’s explore them one by one.

First we have to give our policy a name and assign it to the users it will apply to. The Sales group is selected here. Always remember to add a break glass account to restrictive policies (these are accounts that are excluded from specific policies in order to avoid a situation where the organization is locked out of its own environment).

Next we have to select the application to which the policy will apply. As already mentioned, MS Teams will be selected.

We are not going to add any conditions here. Conditions are related to sign-in risk, device platform, etc.

At the Grant option, we choose “Require device to be marked as compliant” to allow sign-ins in MS Teams only from managed devices.

We will leave the Sessions selection empty.

Before creating the policy we are prompted to select whether it will be enabled, disabled or in report-only mode. Report-only mode is great for cases where we want to check and monitor the behavior of a policy before enforcing it in production. Here we will enable the policy by choosing On and apply it to all device platforms.
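The same policy can be created without the portal through the Microsoft Graph PowerShell SDK. The script below is an added example and is not part of the original post; it assumes the Microsoft.Graph module is installed, that a group named Sales exists, and that the break glass account UPN is a placeholder you replace with your own.

```powershell
# Added example (not from the original post): build the "block Teams on unmanaged
# devices" policy with the Microsoft Graph PowerShell SDK instead of the portal.
# Assumptions: Microsoft.Graph module installed; a group called "Sales" exists;
# the break glass UPN below is a placeholder for your own excluded account.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All", "Group.Read.All", "User.Read.All"

# Resolve the objects the portal lets you pick by name.
$sales      = Get-MgGroup -Filter "displayName eq 'Sales'"
$breakGlass = Get-MgUser  -Filter "userPrincipalName eq 'breakglass@contoso.example'"   # placeholder UPN
$teams      = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Teams'"

foreach ($pair in @(@("Sales group", $sales), @("break glass account", $breakGlass), @("Teams service principal", $teams))) {
    if ($null -eq $pair[1]) { throw "Could not resolve $($pair[0]); the policy was not created." }
}

$params = @{
    displayName = "Block Teams sign-in from unmanaged devices"
    # "enabled" matches the post (On). Use "enabledForReportingButNotEnforced"
    # for the Report-only mode described above while you validate the effect.
    state       = "enabled"
    conditions  = @{
        users = @{
            includeGroups = @($sales.Id)          # assign to the Sales group
            excludeUsers  = @($breakGlass.Id)     # never lock out the break glass account
        }
        applications = @{
            # Conditional Access targets the application (client) ID, not the service principal object ID.
            includeApplications = @($teams.AppId)
        }
        platforms = @{
            includePlatforms = @("all")           # apply to all device platforms
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")    # "Require device to be marked as compliant"
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
Write-Output "Created policy $($policy.DisplayName) ($($policy.Id)) in state '$($policy.State)'."
```

Run it with an account that holds the Conditional Access Administrator role; the script refuses to create the policy if any of the three lookups returns nothing, so a typo in the group name cannot produce a policy with no scope.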

The policy is now created. Let’s see what the end-user experience is.

The user tries to connect to the MS Teams application on a Windows device. The email and credentials are entered and the user presses Sign in to connect. A message is displayed indicating that connecting to the application from unmanaged devices is prohibited, together with a suggestion that the user enroll the device.

Ready!
