Block Access To Microsoft 365 Resources From Unmanaged Windows Device

The modern security perimeter now extends beyond an organization's network to include user and device identity. Organizations can utilize these identity signals as part of their access control decisions.

Conditional Access is the tool used by Azure Active Directory to bring signals together, make decisions, and enforce organizational policies. Conditional Access is at the heart of the new identity-driven control plane.

This document explains the configuration steps to create a policy that blocks access to Microsoft 365 resources from unmanaged or non-compliant Windows devices.

  • In the left pane, click “Devices” and select “Conditional Access” under Policy.

  • In the Conditional Access window, click “+ New Policy”.

  • Specify the policy name.
  • Under “Assignments”, click “Users and groups”.

  • In the right pane, select “Users and groups”.
  • Select the desired users or groups.

  • Click “Cloud apps or actions”.
  • Select “All cloud apps”.

Note
If the policy needs to apply only to specific Microsoft 365 services, choose “Select apps” and pick the apps from the list.

  • Click “Conditions”.
  • Click “Device platforms”.
  • Click “Yes”.
  • Select “Select device platforms”.
  • Select “Windows”.
  • Click “Done”.

  • Click “Grant”.
  • Select “Grant access”.
  • Select “Require device to be marked as compliant”.
  • Click “Select”.

  • Under “Enable policy”, select “On”.
  • Click “Create”.

  • The policy is created successfully.
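As an added example (not from the original article), the policy built in the steps above expressed as the request body accepted by the Microsoft Graph endpoint POST /identity/conditionalAccess/policies, plus a simplified evaluator run over constructed sign-ins to show what the policy does and does not cover. The group ID is a placeholder, and the evaluator is a model of the assignment and grant logic, not Azure AD's own engine.

```python
# Placeholder: replace with the object ID of the targeted Azure AD group.
TARGET_GROUP_ID = "00000000-0000-0000-0000-000000000000"

def build_policy(name, group_ids, apps=None):
    """Graph API body for the walkthrough's policy. apps=None mirrors
    "All cloud apps"; a list of app IDs mirrors the "Select apps" note."""
    return {
        "displayName": name,
        # "enabledForReportingButNotEnforced" pilots the policy in report-only mode.
        "state": "enabled",
        "conditions": {
            "users": {"includeGroups": list(group_ids)},
            "applications": {"includeApplications": list(apps) if apps else ["All"]},
            "platforms": {"includePlatforms": ["windows"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    }

def evaluate(policy, sign_in):
    """Simplified model of Conditional Access evaluation: returns
    'not applicable' (assignments/conditions do not match), 'granted' or 'blocked'."""
    cond = policy["conditions"]
    if not set(sign_in["groups"]) & set(cond["users"]["includeGroups"]):
        return "not applicable"
    apps = cond["applications"]["includeApplications"]
    if "All" not in apps and sign_in["app"] not in apps:
        return "not applicable"
    if sign_in["platform"] not in cond["platforms"]["includePlatforms"]:
        return "not applicable"
    # The grant control is satisfied only if Intune reports the device compliant.
    satisfied = {"compliantDevice": sign_in["device_compliant"]}
    checks = [satisfied.get(c, False) for c in policy["grantControls"]["builtInControls"]]
    ok = any(checks) if policy["grantControls"]["operator"] == "OR" else all(checks)
    return "granted" if ok else "blocked"

# Constructed sample sign-ins (not real telemetry).
SAMPLE_SIGN_INS = [
    {"user": "alice", "groups": [TARGET_GROUP_ID], "app": "Office365", "platform": "windows", "device_compliant": False},
    {"user": "bob", "groups": [TARGET_GROUP_ID], "app": "Office365", "platform": "windows", "device_compliant": True},
    {"user": "carol", "groups": [TARGET_GROUP_ID], "app": "Office365", "platform": "iOS", "device_compliant": False},
    {"user": "dave", "groups": ["some-other-group"], "app": "Office365", "platform": "windows", "device_compliant": False},
]

def run():
    """Evaluate each sample sign-in against the policy built above."""
    policy = build_policy("Block M365 from unmanaged Windows devices", [TARGET_GROUP_ID])
    return {s["user"]: evaluate(policy, s) for s in SAMPLE_SIGN_INS}
```

Note that carol's sign-in from an unmanaged iOS device is not blocked: the platform condition limits this policy to Windows, so other platforms need their own policy or a broader platform selection.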

User Experience

Once the user tries to sign in from an unmanaged or non-compliant Windows device, the sign-in is blocked and the user receives an error message.

Depending on the browser, the wording of the error message will vary, but the result will be the same.