Forum Discussion

StuartK73
Iron Contributor
Sep 04, 2025

Restrict some devices

Hi All


I hope you are well.


Anyway, I'm looking for some advice.


We have identified some Intune enrolled, Entra ID joined devices that may be security risks (malware) and would like to restrict these devices from accessing things like M365 apps, Azure VPN etc etc.


What's the best way to achieve this? Conditional Access and target a group with the devices as members?


Info appreciated

5 Replies

  • rahuljindal
    Bronze Contributor

    Are these devices enrolled in Defender for Endpoint? If yes, then you can configure the compliance policy in Intune to look at the MDE risk score and then leverage this in a conditional access policy that uses device compliance as a grant control. If you are using a non-Microsoft security solution, then you can still use the compliance policy, but it may require a bit of scripting to pull the desired status of the device in the form of a custom compliance policy. Alternatively, if you have a list of devices already identified, then you can block access to them using conditional access device filters.

    • Bogdan_Guinea
      Iron Contributor

      rahuljindal

      Using Defender together with the Risk Score looks like a solid solution.
      The Custom Compliance Policy you mentioned also seems useful — but do you know if it still works when combined with a Custom Extension Attribute that's based on a Conditional Access (CA) filter?

      From my understanding, the device would need to be marked as compliant at the time when the attribute is created, correct?

      That said, it looks like Stuart's company is using an endpoint protection solution other than Defender, which might still fit into this scenario.

      My question is: how would you approach this? Would you try to capture the required signals via a script (for example by checking logs or client version)? Normally, the AV solution itself should be capable of quarantining or blocking malware.

      I think it would be helpful if StuartK73 could provide us with some additional input on this.

      Good luck!

    • StuartK73
      Iron Contributor

      Hi Buddy

      Unfortunately, these devices are not yet enrolled in Defender for Endpoint, I am and have been pressing for this for a while now.


      Could you elaborate on "Alternatively, if you have list of devices already identified, then you can block access to them using conditional access device filters. "


      I'm struggling to get my head around the Include filtered devices in the policy / Exclude filtered devices from the policy.


      Let's say we do:


      CA Policy - Filtered Devices

      All users

      All resources

      Access = BLOCK

      Include filtered devices in the policy

      Property   Operator   Value
      DeviceID   Equals     Device ID from Intune


      Does that policy work out as any user accessing any cloud resource on a deviceID is blocked?


      SK


      • rahuljindal
        Bronze Contributor

        Hey. Yes, pretty much any user (provided you select all users in the CA) that tries to access the cloud resources you define in the CA will be blocked when you select the grant control as block.

  • StuartK73

    Hi

    I believe the best approach is to isolate the components and assess the potential risks or escalation paths. In the meantime, you could explore whether Conditional Access would be suitable by using the 'What if' tool under CA Policies. Alternatively, you might consider applying a CA policy in 'Report-only' mode to evaluate its impact without enforcing it.

    Good luck!
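The policy StuartK73 sketched above (all users, all resources, block, include filtered devices matching a list of device IDs) can be created with the Microsoft Graph PowerShell SDK, starting in report-only mode as the last reply suggests. This is an added example, not code from anyone in the thread. It assumes the Microsoft.Graph.Identity.SignIns module is installed and the signed-in account holds the Policy.ReadWrite.ConditionalAccess permission; the device IDs and the break-glass account ID are constructed placeholders. Note that the filter property `device.deviceId` is the Entra device ID (shown in the Intune device overview as the Azure AD / Entra device ID), not the Intune-internal device ID.

```powershell
# Added example (not from the thread). Assumes Microsoft.Graph.Identity.SignIns is installed
# and the connected account has Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Entra device IDs of the flagged devices. These values are constructed placeholders.
$flaggedDeviceIds = @(
    "00000000-0000-0000-0000-000000000001",
    "00000000-0000-0000-0000-000000000002"
)

# Object ID of an emergency-access (break-glass) account that must never be locked out.
# Placeholder value; replace with your tenant's own account.
$breakGlassAccountId = "<break-glass-account-object-id>"

# Build the device filter rule: device.deviceId -in ["id1","id2"]
$quotedIds = $flaggedDeviceIds | ForEach-Object { '"' + $_ + '"' }
$filterRule = 'device.deviceId -in [' + ($quotedIds -join ',') + ']'

$policy = @{
    displayName = "CA - Block flagged devices"
    # Report-only first: sign-in logs then show which sign-ins WOULD have been blocked,
    # so the device list can be validated before the policy is enforced.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassAccountId)
        }
        applications = @{ includeApplications = @("All") }
        devices = @{
            deviceFilter = @{
                mode = "include"      # policy applies to devices that MATCH the rule
                rule = $filterRule
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Once the report-only results look right, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Because the filter mode is "include", only sign-ins from devices whose Entra device ID is in the list are evaluated by the policy; every other device is untouched, which is why the "all users / all resources" scope is safe here in a way it would not be without the device filter. Keeping the break-glass exclusion is still standard practice for any block policy.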
