5.2.2.10 (L1) Ensure a managed device is required for authentication

Information

Conditional Access (CA) can be configured to enforce access based on the device's compliance status or whether it is Entra hybrid joined. Collectively this allows CA to classify devices as managed or unmanaged, providing more granular control over authentication policies.

When using Require device to be marked as compliant the device must pass checks configured in Compliance policies defined within Intune (Endpoint Manager). Before these checks can be applied, the device must first be enrolled in Intune MDM.

Selecting Require Microsoft Entra hybrid joined device means the device must first be synchronized from an on-premises Active Directory to qualify for authentication.

When configured to the recommended state below only one condition needs to be met for the user to authenticate from the device. This functions as an "OR" operator.

The recommended state is:

- Require device to be marked as compliant
- Require Microsoft Entra hybrid joined device
- Require one of the selected controls

"Managed" devices are considered more secure because they often have additional configuration hardening enforced through centralized management such as Intune or Group Policy. These devices are also typically equipped with MDR/EDR, managed patching and alerting systems. As a result, they provide a safer environment for users to authenticate and operate from.

This policy also ensures that attackers must first gain access to a compliant or trusted device before authentication is permitted, reducing the risk posed by compromised account credentials. When combined with other distinct Conditional Access (CA) policies, such as requiring multi-factor authentication, this adds one additional factor before authentication is permitted.

Note: Avoid combining these two settings with other Grant settings in the same policy. In a single policy you can only choose between Require all the selected controls or Require one of the selected controls which limits the ability to integrate this recommendation with others in this benchmark. CA policies function as an "AND" operator across multiple policies. The goal here is to both (Require MFA for all users) AND (Require device to be marked as compliant OR Require Microsoft Entra hybrid joined device).

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To remediate using the UI:

- Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
- Expand Protection > Conditional Access and select Policies
- Create a new policy by selecting New policy
- Under Users include All users
- Under Target resources include All cloud apps
- Under Grant select Grant access
- Check Require multifactor authentication and Require Microsoft Entra hybrid joined device
- Choose Require one of the selected controls and click Select at the bottom.
- Under Enable policy set it to Report Only until the organization is ready to enable it.
- Click Create
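Because Nessus does not perform this check, the following is an added example (not code from the benchmark or from Tenable) that evaluates Conditional Access policies exported in the Microsoft Graph conditionalAccessPolicy format against the recommended state. The Graph control names compliantDevice and domainJoinedDevice correspond to the two Grant settings above; the sample policies are constructed for illustration.

```python
"""Check exported Entra Conditional Access policies for the recommended state:
compliant device OR hybrid joined device, scoped to All users and All cloud apps.
Policy dicts follow the Microsoft Graph conditionalAccessPolicy schema (samples are constructed)."""

REQUIRED = {"compliantDevice", "domainJoinedDevice"}  # Graph names for the two Grant controls


def check_policy(policy: dict) -> list[str]:
    """Return the deviations from the recommended state (empty list = compliant)."""
    findings = []
    cond = policy.get("conditions") or {}
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    if (cond.get("users") or {}).get("includeUsers") != ["All"]:
        findings.append("not scoped to All users")
    if (cond.get("applications") or {}).get("includeApplications") != ["All"]:
        findings.append("not scoped to All cloud apps")
    if not REQUIRED <= controls:
        findings.append("missing " + ", ".join(sorted(REQUIRED - controls)))
    if controls - REQUIRED:
        # Benchmark note: do not mix these two controls with other Grant settings in one policy
        findings.append("extra grant controls " + ", ".join(sorted(controls - REQUIRED)))
    if grant.get("operator") != "OR":
        findings.append("operator must be OR (Require one of the selected controls)")
    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')}, not enabled")
    return findings


def tenant_has_managed_device_policy(policies: list[dict]) -> bool:
    """True if at least one policy in the export fully meets the recommended state."""
    return any(not check_policy(p) for p in policies)


# Constructed sample export: one policy meets the recommendation, one mixes MFA in with
# AND (the pattern the Note warns against), one is still in report-only mode.
ALL_SCOPE = {"users": {"includeUsers": ["All"]},
             "applications": {"includeApplications": ["All"]}}
SAMPLE_POLICIES = [
    {"displayName": "Require managed device", "state": "enabled", "conditions": ALL_SCOPE,
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice", "domainJoinedDevice"]}},
    {"displayName": "MFA and hybrid join", "state": "enabled", "conditions": ALL_SCOPE,
     "grantControls": {"operator": "AND", "builtInControls": ["mfa", "domainJoinedDevice"]}},
    {"displayName": "Managed device (pilot)", "state": "enabledForReportingButNotEnforced",
     "conditions": ALL_SCOPE,
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice", "domainJoinedDevice"]}},
]

if __name__ == "__main__":
    for p in SAMPLE_POLICIES:
        print(p["displayName"], "->", check_policy(p) or "OK")
```

Policies can be exported with the Microsoft Graph PowerShell cmdlet Get-MgIdentityConditionalAccessPolicy or the Graph endpoint /identity/conditionalAccess/policies and fed to check_policy as plain dicts.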

Impact:

Unmanaged devices will not be permitted as a valid authenticator. As a result this may require the organization to mature their device enrollment and management. The following devices can be considered managed:

- Entra hybrid joined from Active Directory
- Entra joined and enrolled in Intune, with compliance policies
- Entra registered and enrolled in Intune, with compliance policies

See Also

https://workbench.cisecurity.org/benchmarks/17682

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), 800-53|IA-2(2)

Plugin: microsoft_azure

Control ID: a6e0105acc6090120d8e40bf60908a1f249fcf945bc477a773afab700e83f6ff