jt-solver: Thanks for your feedback. Indeed, purely tagging a device is just a part of the whole solution. It is a means to leverage device filters in Conditional Access, and that's it. But there is of course more to this; it is multi-layered. It always comes back to a subject having control over an object (Clean Source Principle). If you have security-critical identities and devices, you must of course make sure that those entities are administered using identities and devices that have at least the same level of trust. You always want to integrate segregation of duties and identity governance. So, in the context of Privileged Access Workstations, that would mean you have to segregate administration of PAW devices and related groups/identities. You would also have to implement this in Microsoft Defender for Endpoint (Live Response). For groups and identities you could leverage Entra ID "Restricted Management Administrative Units" (or create groups as "role-assignable"). Inside Intune you could leverage Intune-specific roles and Scope Tags (keep in mind that Intune roles are ignored if you administer Intune using an Entra ID role like GA or Intune Administrator). So the whole story of segregation of duties is not covered within this article. It is purely focusing on applying device filters and shedding some light on other technologies that one could leverage for their daily admin work. One has to start somewhere, right?
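The building blocks the comment above mentions (tagging a device, a Conditional Access device filter, a role-assignable group and a Restricted Management Administrative Unit) wired together with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original comment or the article. The device, group and policy names, the hypothetical device ID in `$pawDeviceId` and the tag value `PAW` in `extensionAttribute1` are assumptions; the Global Administrator role template ID is the well-known built-in value. The policy is created in report-only mode so that it can be checked in the sign-in logs before it is enforced.

```powershell
# Added example, not the original author's code. Assumes Microsoft.Graph PowerShell SDK is installed.
Connect-MgGraph -Scopes "Device.ReadWrite.All", "Group.ReadWrite.All", `
    "AdministrativeUnit.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess"

$graph = "https://graph.microsoft.com/v1.0"

# 1. Tag the PAW: the device filter below keys on this extension attribute.
#    $pawDeviceId is the Entra object ID of the device (hypothetical value).
$pawDeviceId = "00000000-0000-0000-0000-000000000000"
Invoke-MgGraphRequest -Method PATCH -Uri "$graph/devices/$pawDeviceId" -ContentType "application/json" `
    -Body @{ extensionAttributes = @{ extensionAttribute1 = "PAW" } }

# 2. Role-assignable group for PAW administrators. isAssignableToRole cannot be changed
#    after creation, and only Privileged Role Administrators / Global Administrators
#    can manage membership of such a group (that is the point of using it).
$pawAdmins = Invoke-MgGraphRequest -Method POST -Uri "$graph/groups" -ContentType "application/json" -Body @{
    displayName        = "PAW-Admins"          # assumed name
    mailEnabled        = $false
    mailNickname       = "paw-admins"
    securityEnabled    = $true
    isAssignableToRole = $true
}

# 3. Restricted Management Administrative Unit: once the PAW devices and the PAW device
#    group are members, tenant-wide role holders can no longer modify them; only roles
#    scoped to this AU can.
$rmau = Invoke-MgGraphRequest -Method POST -Uri "$graph/directory/administrativeUnits" -ContentType "application/json" -Body @{
    displayName                  = "RMAU-PAW"  # assumed name
    isMemberManagementRestricted = $true
}
foreach ($objectRef in @("$graph/devices/$pawDeviceId", "$graph/groups/$($pawAdmins.id)")) {
    Invoke-MgGraphRequest -Method POST -Uri "$graph/directory/administrativeUnits/$($rmau.id)/members/`$ref" `
        -ContentType "application/json" -Body @{ "@odata.id" = $objectRef }
}

# 4. Conditional Access: block privileged roles on anything that is NOT a tagged PAW.
#    The filter uses mode "exclude", so untagged devices fall into the block; the rule
#    syntax is the one Conditional Access device filters accept.
$globalAdminTemplateId = "62e90394-69f5-4237-9190-012177145e10"   # built-in Global Administrator role template
Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/policies" -ContentType "application/json" -Body @{
    displayName = "Block privileged roles outside PAW"              # assumed name
    state       = "enabledForReportingButNotEnforced"              # report-only first
    conditions  = @{
        users          = @{ includeRoles = @($globalAdminTemplateId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        devices        = @{
            deviceFilter = @{
                mode = "exclude"
                rule = 'device.extensionAttribute1 -eq "PAW"'
            }
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
```

Before switching the policy to `enabled`, confirm in the sign-in logs that admin sign-ins from the tagged device are reported as not matching the policy and sign-ins from any other device as matching it, and keep an emergency-access account excluded from the policy. Note also that the filter only trusts the tag, which is why step 3 matters: whoever can edit `extensionAttribute1` on a device can turn it into a "PAW" from the policy's point of view.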