Block Access To Microsoft 365 Resources From Unmanaged Windows Device

The modern security perimeter now extends beyond an organization's network to include user and device identity. Organizations can utilize these identity signals as part of their access control decisions.

Conditional Access is the tool used by Azure Active Directory to bring signals together, make decisions, and enforce organizational policies. Conditional Access is at the heart of the new identity-driven control plane.

This document explains the configuration steps to create a policy that blocks access to Microsoft 365 resources from unmanaged or Non-Compliant devices.

• Login to Microsoft Endpoint Manager admin center

• In the left pane click on Devices & Select “Conditional Access” Under Policy.

• In Conditional Access, Windows, Click on “+ New Policy”

• Specify the Policy Name.
• Under “Assignments”, Click on “Users and groups”.

• In the right pane, select “Users and groups”.
• Select the desired users or groups.

• Click on “Cloud apps or actions”.
• Select “All cloud apps”

Note
If the policy needs to be applied for any specific Microsoft 365 service, we can select “Select Apps” and select the apps from the list.

• Click on “Conditions”
• Click on “Device Platforms”
• Click “Yes”
• Select “Select device platforms”.
• Select “Windows”.
• Click Done
  
  
   
• Click on “Grant”
• Select “Grant access”
• Select “Require device to be marked as compliant”.
• Click on “Select”.
  
  
   
• Under Enable policy “Click On”.
• Click “Create”
  
  
   
• The policy is created successfully.

User Experience

Once the user tries to login from an unmanaged or Non-Compliant device, the user receives an error message as above.

“Based on the Browser the error message will vary, but the result will be same”.