DV-02CriticalEnhanced Security

Require Compliant Devices for Global Admins

Conditional Access control for Microsoft 365 and Entra ID

Why This Control Matters

Admin credentials on non-compliant devices are at high risk. Keyloggers, malware, and credential theft are common on unmanaged devices. Requiring compliance ensures admin actions occur from secured endpoints.

Expected State

When this control is compliant, your tenant should meet these criteria:

1All Global Administrator sign-ins require compliant devices
2Devices are enrolled in Intune with compliance policies
3Non-compliant devices cannot access admin portals

Enforcement

Default Mode

Advisory

Alerts on deviations but does not make changes

Auto-Remediation

Available

Creates Conditional Access policy requiring device compliance for Global Admin role

Ready to implement this control?

TrueConfig continuously monitors your Microsoft 365 tenant for compliance with this and 50+ other security controls.