How to Lock Down Office 365 on a Per-Device Basis Using Conditional Access Policies

Ensuring the security of Office 365 is critical, especially in a world where cyber threats are constantly evolving. While multi-factor authentication (MFA) and strong passwords add layers of protection, attackers continue to find ways around them. One of the best ways to tighten security is by restricting access to Office 365 based on specific devices. This can be achieved using Conditional Access Policies in Microsoft Entra (formerly Azure AD).

Watch the video walkthrough on Loom

In this guide, we'll walk through setting up Conditional Access Policies to lock down Office 365 so that only approved devices can access your Microsoft resources.

Step 1: Creating a Conditional Access Policy

  1. Navigate to Conditional Access: Go to Microsoft Entra Admin Center and open Conditional Access. Under Policies, create a new policy.
  2. Set Policy Conditions: Name the policy something relevant, like "Device Restriction." Include all users, but exclude break-glass accounts to avoid locking yourself out. Set the policy to block access to all cloud apps to ensure unauthorized devices cannot connect.

Step 2: Configuring Device-Based Access

To allow only authorized devices, we need to add a device-based condition:

  1. Filter for Devices: Under conditions, navigate to Device filters. Change the setting from Include to Exclude. Set the filter to Device ID and use the equals condition.
  2. Finding Device IDs: Go to the Intune Portal to find device IDs. This policy applies to Windows, Mac, and mobile devices. Windows devices should be Microsoft Entra joined (formerly Azure AD joined) or enrolled in Intune. For iPhones and Android devices, users must enroll via the Company Portal app.
  3. Add Device IDs: Locate the Microsoft Entra Device ID under hardware properties. Copy and paste the Device ID into the policy (be sure to remove any extra spaces). If you have multiple approved devices, add them using OR conditions.
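The same policy expressed as a Microsoft Graph conditionalAccessPolicy body, as an added example that is not part of the original guide. It builds the device filter rule from pasted Device IDs (trimming the stray spaces the step warns about and rejecting anything that is not a GUID), excludes the break-glass account, targets all users and all cloud apps, and applies the block control. The device IDs and the break-glass object ID are constructed placeholders; the policy defaults to report-only so the filter can be checked in the sign-in logs before it is switched to "enabled".

```python
import json
import re

# Shape of a Microsoft Entra device ID (a GUID). All sample IDs below are constructed placeholders.
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def normalize_device_ids(raw_ids):
    """Trim whitespace from pasted IDs, lowercase, validate the GUID shape and drop duplicates.

    A malformed ID matches nothing, so the exclude filter would quietly fail to exempt that
    device and the policy would block it: fail loudly here instead.
    """
    cleaned = []
    for raw in raw_ids:
        candidate = raw.strip().lower()
        if not GUID_RE.match(candidate):
            raise ValueError(f"not a valid Entra device ID: {raw!r}")
        if candidate not in cleaned:
            cleaned.append(candidate)
    if not cleaned:
        raise ValueError("at least one approved device ID is required; an empty exclude filter blocks every device")
    return cleaned


def build_device_filter_rule(device_ids):
    """Compose the filter-for-devices rule: device.deviceId -eq "<id>" clauses joined with -or."""
    return " -or ".join(f'device.deviceId -eq "{d}"' for d in normalize_device_ids(device_ids))


def build_policy(name, approved_device_ids, break_glass_user_ids, state="enabledForReportingButNotEnforced"):
    """Return the policy in the shape of the Graph conditionalAccessPolicy resource.

    Defaults to report-only; pass state="enabled" once the sign-in logs confirm the
    approved devices are matched by the filter.
    """
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeUsers": list(break_glass_user_ids),  # keep a way back in
            },
            "applications": {"includeApplications": ["All"]},
            "devices": {
                "deviceFilter": {
                    "mode": "exclude",  # approved devices fall out of scope; everything else is in scope
                    "rule": build_device_filter_rule(approved_device_ids),
                }
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    # Constructed sample input: two approved devices (one pasted with extra spaces, one in
    # upper case) and a placeholder object ID for the break-glass account.
    approved = [" 11111111-2222-3333-4444-555555555555 ", "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"]
    break_glass = ["00000000-0000-0000-0000-00000000beef"]  # placeholder, not a real object ID
    print(json.dumps(build_policy("Device Restriction", approved, break_glass), indent=2))
```

The resulting dictionary is the JSON you would POST to the Graph conditionalAccessPolicies endpoint (or pass as the body parameter of the Microsoft Graph PowerShell cmdlet); building it in code also gives you a reviewable, version-controlled record of exactly which devices are exempt.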

Step 3: Testing the Policy

  1. Attempt to Log in from an Unauthorized Device: If configured correctly, access to Office 365 will be blocked.
  2. Allow Access for Approved Devices: Once a device's ID is added to the policy, users on that device should be able to log in without issues.
  3. Policy Activation Time: Conditional Access Policies can take anywhere from a few minutes to 20 minutes to fully apply.

Step 4: Handling New Devices

By default, any new device trying to connect will be blocked. There are a couple of ways to onboard new devices:

  1. Temporary Workarounds (Use with Caution): You could set the policy to Report-Only Mode, but this is not recommended for security reasons.
  2. Using IP-Based Exclusions: Create an IP Exclusion Policy to allow new devices to enroll from trusted locations. Navigate to Named Locations in Conditional Access. Add corporate static IPs or SASE IPs. As long as a new device is connected to an approved IP, it can be enrolled before adding its Device ID to the policy.
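To reason about the test plan in Step 3 and the onboarding path in Step 4 before touching a live tenant, here is an added example (not from the original guide) that models how Conditional Access decides: the block control applies only when every condition matches, and an exclusion on any condition (break-glass user, approved device, trusted named location) takes the sign-in out of scope. Device IDs, user names and IP ranges are constructed; the real check remains the sign-in logs and the Conditional Access "What If" tool.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class SignIn:
    user: str
    device_id: Optional[str]  # None models a device that is not registered at all
    client_ip: str


@dataclass
class DeviceRestrictionPolicy:
    approved_device_ids: set   # IDs written into the exclude filter (lowercase)
    break_glass_users: set     # accounts excluded from the policy entirely
    trusted_networks: list     # named-location CIDRs excluded from the policy
    enforced: bool = True      # False models Report-Only mode


def in_trusted_location(ip, networks):
    """True when the client IP falls inside one of the excluded named locations."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in networks)


def evaluate(policy, attempt):
    """Return (outcome, reason). Exclusions are checked first because any one of them
    removes the sign-in from the policy's scope; only in-scope sign-ins reach the block."""
    if attempt.user in policy.break_glass_users:
        return "allow", "user is excluded from the policy"
    if attempt.device_id is not None and attempt.device_id.strip().lower() in policy.approved_device_ids:
        return "allow", "device matches the exclude filter"
    if in_trusted_location(attempt.client_ip, policy.trusted_networks):
        return "allow", "client IP is in an excluded named location"
    if not policy.enforced:
        return "report-only", "would be blocked once the policy is enabled"
    return "block", "device is not approved and location is not trusted"


def run_test_plan(policy):
    """The checks from Step 3 and Step 4 as constructed sign-in attempts (RFC 5737 test IPs)."""
    cases = {
        "approved laptop from home": SignIn("alice", "11111111-2222-3333-4444-555555555555", "198.51.100.7"),
        "new laptop from home": SignIn("alice", None, "198.51.100.7"),
        "unapproved device, valid credentials": SignIn("alice", "99999999-9999-9999-9999-999999999999", "203.0.113.9"),
        "new laptop on corporate network": SignIn("bob", None, "192.0.2.40"),
        "break-glass from anywhere": SignIn("breakglass", None, "203.0.113.9"),
    }
    return {name: evaluate(policy, attempt)[0] for name, attempt in cases.items()}


if __name__ == "__main__":
    policy = DeviceRestrictionPolicy(
        approved_device_ids={"11111111-2222-3333-4444-555555555555"},
        break_glass_users={"breakglass"},
        trusted_networks=["192.0.2.0/24"],  # constructed corporate egress range
    )
    for name, outcome in run_test_plan(policy).items():
        print(f"{outcome:12} {name}")
```

The "new laptop on corporate network" case is the Step 4 onboarding path: the device can reach the Company Portal and enroll because the named-location exclusion takes it out of scope, and once its Device ID is pasted into the filter it is allowed from anywhere. The "unapproved device, valid credentials" case is the scenario from the closing section: the credentials are correct, but the device is in scope and the block control wins.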

Final Thoughts

Zero Trust security is a must in today's IT landscape. However, Microsoft's default setup allows all devices to connect until restrictions are manually configured. By implementing device-based Conditional Access Policies, you ensure that only authorized devices can access your organization's Microsoft resources.

With this approach, even if credentials are stolen, unauthorized devices will be unable to access sensitive data—further strengthening your overall cybersecurity posture.

If you're looking for more guidance on securing your Microsoft environment, feel free to reach out to us!
