Managed Devices Not Required for Authentication

By default, Microsoft Entra ID allows authentication from any device, which can lead to unauthorized access and breaches, especially if the device is compromised, non-compliant, or controlled by an attacker.

The zero trust model dictates that authentication should depend on the device's status, allowing access only from devices compliant with the organization's security policies and managed by the organization.

The MS.AAD.3.7v1 policy from the CISA "M365 Secure Configuration Baseline for Microsoft Entra ID," mandated by BOD 25-01, requires that "Managed devices SHOULD be required for authentication." Following CISA guidance, this IoE ensures at least one Conditional Access Policy includes the following settings:

• "Users" set to include "All users".
• "Target resources" set to "All resources".
• "Grant" set to "Grant access" with "Require device to be marked as compliant" and "Require Microsoft Entra hybrid joined device" options selected, with "Require one of the selected controls" selected at the bottom.
• "Enable policy" set to "On" (not "Off" or "Report-only").

If you follow Microsoft's recommendation, this IoE ensures that at least one Conditional Access Policy includes the same settings, with the addition of "Require multifactor authentication," meaning:

• "Grant" set to "Grant access" with "Require multifactor authentication", "Require device to be marked as compliant" and "Require Microsoft Entra hybrid joined device" options selected, with "Require one of the selected controls" selected at the bottom.

An enabled Conditional Access Policy (CAP) must exist for the tenant to block authentication from unmanaged devices.

CISA and Microsoft have differing opinions on how to prevent this risk:

• The MS.AAD.3.7v1 policy from the CISA "M365 Secure Configuration Baseline for Microsoft Entra ID", mandated by BOD 25-01, only accepts compliant or hybrid joined devices.
• In contrast, Microsoft also accepts multifactor authentications.

Tenable recommends following the CISA guidance for the safest approach. However, since it is also the most restrictive, you can easily switch to the Microsoft recommendation using the provided option in the IoE.

To do this, you can create a CAP as follows:

• Modify an existing CAP by applying the settings specified in this IoE's description.
• Create a dedicated CAP and configure it according to the specifications in the IoE's description.

If you follow the Microsoft recommendation, you can use the "Require compliant or hybrid Azure AD joined device or multifactor authentication for all users" CAP template. This template meets all the IoE criteria when you enable the Microsoft recommendation option. Alternatively, the "Require compliant device or Microsoft Entra hybrid joined device for administrators" template is less restrictive, targeting only administrators, but it will not meet any IoE criteria.

Note: the "Require device to be marked as compliant" grant control requires that your organization uses the Intune MDM.

Caution: Both Microsoft and Tenable recommend that you exclude certain accounts from Conditional Access policies to prevent tenant-wide account lockout and undesired side effects. Tenable also recommends that you follow the Microsoft documentation "Plan a Conditional Access deployment" to ensure proper planning and change management, as well as mitigate the risk of locking yourself out. In particular, if you use hybrid identity solutions like Microsoft Entra Connect or Microsoft Entra Cloud Sync, you must exclude their service account from the policy because it cannot comply with it. Use the "Exclude users" action and either exclude the service account(s) directly, or check the "Directory roles" option and select the "Directory Synchronization Accounts" role.

Name: Managed Devices Not Required for Authentication

Codename: MANAGED-DEVICES-NOT-REQUIRED-FOR-AUTHENTICATION

Severity: Medium

Type: Microsoft Entra ID Indicator of Exposure