Forum Discussion
Block access with Conditional Access for Unmanaged Devices
MyronHelgering, I agree 100% with your recommendation to use the CA Grant Control to require Intune Compliance as an effective means of blocking Attacker in the Middle.
However, readers need to be aware that unless you follow this up with restricting BYOD enrollment, attackers can enroll their device into Entra, and if Auto MDM Join is enabled, they can have a compliant device to bypass this policy. I wrote about this here: https://thecloudtechnologist.com/2022/01/27/how-to-use-intune-device-enrollment-restrictions-to-block-second-wave-phishing/
- MyronHel, Feb 25, 2024, Copper Contributor
Thanks Joe Stocker!
Good point also on the enrollment, but did you notice that I already included this advice in my post? Look at the preparation section where I linked a quick guide to disable personal device enrollment.
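As an added example (not code from either poster's blog or from Microsoft), here is a small audit that reads a Microsoft Graph `deviceEnrollmentConfigurations` response and flags every platform on which personal-device enrollment is still allowed, which is the gap Joe Stocker describes: an attacker-owned device that can enroll can become "compliant". The response body below is a constructed sample; fetching it (for example with `Invoke-MgGraphRequest` against the beta endpoint) is assumed to happen separately, and the field names follow the Graph beta schema as I understand it, so confirm them against your tenant's actual output.

```python
import json

# Constructed sample of a Graph beta response from
# GET /deviceManagement/deviceEnrollmentConfigurations (not real tenant data).
SAMPLE_RESPONSE = json.dumps({"value": [
    {"@odata.type": "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration",
     "displayName": "All users and all devices", "priority": 0,
     "windowsRestriction": {"platformBlocked": False, "personalDeviceEnrollmentBlocked": False},
     "iosRestriction": {"platformBlocked": False, "personalDeviceEnrollmentBlocked": True},
     "androidRestriction": {"platformBlocked": True, "personalDeviceEnrollmentBlocked": False},
     "macOSRestriction": {"platformBlocked": False, "personalDeviceEnrollmentBlocked": False}},
    {"@odata.type": "#microsoft.graph.deviceEnrollmentPlatformRestrictionConfiguration",
     "displayName": "Block personal Windows", "priority": 1, "platformType": "windows",
     "platformRestriction": {"platformBlocked": False, "personalDeviceEnrollmentBlocked": True}},
    {"@odata.type": "#microsoft.graph.deviceEnrollmentLimitConfiguration", "limit": 5},
]})

# Legacy "all platforms in one object" type and the newer per-platform type (assumed Graph beta names).
LEGACY = "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration"
PER_PLATFORM = "#microsoft.graph.deviceEnrollmentPlatformRestrictionConfiguration"
LEGACY_KEYS = {"windows": "windowsRestriction", "ios": "iosRestriction",
               "android": "androidRestriction", "mac": "macOSRestriction"}


def personal_enrollment_allowed(restriction):
    """A platform admits unmanaged personal devices only if the platform itself is open
    AND personal enrollment has not been blocked for it."""
    return (not restriction.get("platformBlocked", False)
            and not restriction.get("personalDeviceEnrollmentBlocked", False))


def find_open_platforms(response_json):
    """Return {displayName: [platforms]} for each restriction that still allows personal
    enrollment. Each configuration is judged on its own; remember that a higher-priority
    per-platform restriction overrides the default for the groups it is assigned to."""
    findings = {}
    for cfg in json.loads(response_json).get("value", []):
        kind = cfg.get("@odata.type")
        if kind == LEGACY:
            open_platforms = [p for p, key in LEGACY_KEYS.items()
                              if personal_enrollment_allowed(cfg.get(key, {}))]
        elif kind == PER_PLATFORM:
            allowed = personal_enrollment_allowed(cfg.get("platformRestriction", {}))
            open_platforms = [cfg["platformType"]] if allowed else []
        else:
            continue  # enrollment limits, ESP pages etc. are not platform restrictions
        if open_platforms:
            findings[cfg.get("displayName", cfg.get("id", "?"))] = sorted(open_platforms)
    return findings


if __name__ == "__main__":
    for name, platforms in find_open_platforms(SAMPLE_RESPONSE).items():
        print(f"{name}: personal enrollment still allowed for {', '.join(platforms)}")
```

In the sample, the default restriction still lets personal Windows and macOS devices enroll, while the per-platform Windows restriction is closed; the audit reports only the former.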