MyronHelgering
Brass Contributor
Feb 23, 2024

Block access with Conditional Access for Unmanaged Devices

Today, we will discuss nothing new, but it’s still a topic that remains as relevant and important as ever. If you decide to block users working from unmanaged devices, you can securely mitigate various security risks, such as data leaks and successful phishing attacks.

For example, we see the rise of Man-in-the-Middle (MitM) phishing attacks, which can easily steal your credentials and access tokens and use these to sign in to your account while completely bypassing multi-factor authentication.

Conditional Access can prevent these attacks without relying on phishing-resistant authentication methods such as Hello for Business, FIDO2 hardware keys, or soon Microsoft Authenticator with Passkeys.

In this blog, I’ll share seven recommendations to prepare you for a smooth implementation, look at the user experience, and show you how to block access with Conditional Access for Unmanaged devices.

https://myronhelgering.com/block-access-with-conditional-access-for-unmanaged-devices/

3 Replies

  • Joe Stocker
    Bronze Contributor

    MyronHelgering I agree 100% with your recommendation to use the CA Grant Control to require Intune Compliance as an effective means of blocking Attacker in the Middle.

    However, readers need to be aware that unless you follow this up with restricting BYOD enrollment, then attackers can enroll their device into Entra, and if Auto MDM Join is enabled, they can have a compliant device to bypass this policy. I wrote about this here: https://thecloudtechnologist.com/2022/01/27/how-to-use-intune-device-enrollment-restrictions-to-block-second-wave-phishing/

    • MyronHel
      Copper Contributor

      Thanks Joe Stocker!

      Good point also on the enrollment, but did you notice that I already included this advice in my post? Look at the preparation section where I linked a quick guide to disable personal device enrollment.
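The two controls discussed in this thread (the Conditional Access grant requiring a compliant device from the original post, and the enrollment restriction Joe raises so that an attacker cannot simply enroll a device of their own) as one added PowerShell example; this is not code from Myron's post or from Joe's article. It assumes the Microsoft.Graph PowerShell SDK, the v1.0 Graph endpoints, and a break-glass account object ID that is a placeholder you must replace.

```powershell
# Added example: Conditional Access "require compliant device" policy in report-only mode,
# plus an Intune platform restriction that blocks personally owned device enrollment.
# Assumes Microsoft.Graph PowerShell SDK; scopes below are the documented Graph permissions.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "DeviceManagementServiceConfig.ReadWrite.All"

# 1. Conditional Access: grant access only from an Intune-compliant or hybrid-joined device.
#    Created in report-only state so sign-in logs can be reviewed before enforcement.
$caPolicy = @{
    displayName = "Block unmanaged devices - require compliant device"
    state       = "enabledForReportingButNotEnforced"   # switch to "enabled" after review
    conditions  = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @("<break-glass-account-object-id>")   # placeholder: emergency access account
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body $caPolicy

# 2. Intune enrollment restrictions: on the tenant's default platform restriction
#    configuration, block personally owned devices so a self-enrolled BYOD device
#    cannot be used to satisfy the compliant-device grant above.
$configs = (Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations").value
$platformRestrictions = $configs | Where-Object {
    $_.'@odata.type' -eq '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration'
}

$blockPersonal = @{ platformBlocked = $false; personalDeviceEnrollmentBlocked = $true }
$patch = @{
    "@odata.type"      = "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration"
    windowsRestriction = $blockPersonal
    androidRestriction = $blockPersonal
    iosRestriction     = $blockPersonal
    macOSRestriction   = $blockPersonal
}
Invoke-MgGraphRequest -Method PATCH `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations/$($platformRestrictions.id)" `
    -Body $patch
```

Corporate-owned devices (Autopilot, corporate identifiers, device enrollment manager) continue to enroll; only self-service personal enrollment is blocked by the patched restriction.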
