This is a pretty cool improvement to Conditional Access: as an IT admin you can require that your end users are on a compliant device before they can set up or change their security information for Azure MFA or Azure AD password reset. Device compliance requires that the device is managed by Intune and has a compliance state of true. There are other conditions you can test on as well, such as location or Hybrid Azure AD joined device; it is up to you and your company's security policy how to configure the new Conditional Access rule.
Start your favorite portal for Azure AD management
Go to the Conditional Access blade – create a new Conditional Access policy
- Name : Register security information – trusted device
- Click Users and groups
- Select a group for testing – and when you are satisfied with the result you can move to All users
Note: It is a good idea to have your break-glass global admin account on the Exclude tab.
- Click Cloud apps or actions
- Select User actions
- Click Register security information (preview)
- Under Access controls – Click Grant
- Select Require device to be marked as compliant
Note: If you don’t have any Intune-compliant devices, your users will not be able to register their security information and will therefore not be able to log in to Azure AD!
You are ready to enable the policy and test it.
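The same policy built through Microsoft Graph PowerShell instead of the portal, as an added example that is not from the original post. It starts in report-only mode, checks that the tenant has at least one compliant device before enforcing (the note above), and assumes the Microsoft.Graph PowerShell SDK is installed with the Policy.ReadWrite.ConditionalAccess and Device.Read.All scopes; the group and account object IDs are placeholders you replace with values from your own tenant.

```powershell
# Added example, not the original post's code. Object IDs are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Device.Read.All"

$pilotGroupId     = "<pilot-group-object-id>"        # placeholder: the test group
$breakGlassUserId = "<break-glass-admin-object-id>"  # placeholder: excluded admin

$policy = @{
    displayName = "Register security information - trusted device"
    # Report-only first: sign-in logs show what WOULD be blocked without locking anyone out.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroupId)      # widen to "All" once the pilot is fine
            excludeUsers  = @($breakGlassUserId)  # keep the break-glass account out
        }
        applications = @{
            # "Register security information" under Cloud apps or actions > User actions
            includeUserActions = @("urn:user:registersecurityinfo")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")    # Require device to be marked as compliant
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Guard against the lockout described in the note: count Intune-compliant devices
# before switching the policy from report-only to enforced.
$compliantCount = (Get-MgDevice -All | Where-Object { $_.IsCompliant -eq $true }).Count
if ($compliantCount -eq 0) {
    Write-Warning "No compliant devices found - leaving the policy in report-only mode."
} else {
    Write-Host "$compliantCount compliant device(s) found - enabling the policy."
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
        -BodyParameter @{ state = "enabled" }
}
```

Review the report-only results in the Azure AD sign-in logs for the pilot group before the enable step runs; that is where a missing browser extension or a non-compliant device shows up without blocking anyone.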
What is the user experience?
If your users are not yet enrolled in MFA or Azure AD password reset, then when they log in to a service that uses Azure AD (for example Office 365) they will be prompted to set up additional security information.
The end user will also be prompted at the interval configured in the Azure AD password reset service.
You will get a message that says “You can’t get there from here” if the device is not compliant.
If you are using a browser that does not have insight into the device compliance status, you need to install the extension or use a browser that supports device compliance status. Otherwise you will get this message.
Happy testing 🙂
Nice post. Seems to work well in my pilot group. Especially useful for when we’ve already got 1000 remote PCs out there and want to switch on MFA (using conditional access) shortly.