DV-01: Require Compliant Devices for Admin Access
Overview
This guide walks you through creating a Conditional Access policy that requires administrators to sign in from compliant or Microsoft Entra hybrid-joined devices when reaching admin portals. With the policy in place, only managed, healthy devices you control can perform privileged operations; unmanaged personal devices are blocked. Enrolling devices in Intune and configuring compliance policies is the prerequisite that this control builds on.
- Control ID: DV-01
- Category: Device Trust
- Baseline Level: Level 2 (Enhanced Security)
- Severity: High
- License Required: Microsoft Entra ID P1 (for Conditional Access) + Microsoft Intune (for compliance)
Why This Matters
A compromised or unmanaged device can have keyloggers, malware, or screen capture tools. Requiring managed, compliant devices for admin access ensures that privileged actions occur from endpoints you control and monitor.
Expected State
- A Conditional Access policy requires compliant or Entra hybrid-joined devices for admin portals
- Policy targets the Microsoft Admin Portals app (or specific admin URLs)
- Unmanaged personal devices cannot access admin functions
Prerequisites
Required Roles
- Conditional Access Administrator (recommended - least privilege) or Global Administrator to create the policy
- Intune Administrator to confirm or create device compliance policies
Required Licenses
- Microsoft Entra ID P1 or higher (required for Conditional Access and device conditions)
- Microsoft Intune (required to enroll devices and evaluate compliance)
- Included in: Microsoft 365 Business Premium, E3, E5, or EMS E3/E5
Pre-Configuration Requirements (Intune is the prerequisite)
Before creating the Conditional Access policy, the device management foundation must exist:
- Intune is set up and admins' devices are enrolled (MDM enrollment or co-management)
- Device compliance policies exist and are assigned (see the prerequisite steps below)
- Admin devices report as compliant in the Intune admin center
- Emergency access accounts are identified so they can be excluded from the policy
Time Estimate
| Task | Duration |
|---|---|
| Prerequisite: confirm/create compliance policies | 30-60 minutes (skip if already done) |
| Create the Conditional Access policy | 15-20 minutes |
| Report-only testing | 2-3 days |
| Full enablement | 10 minutes |
| Total | 1-3 days including testing |
Step-by-Step Instructions
Prerequisite: Ensure Device Compliance Policies Exist
Conditional Access can only require a "compliant device" if compliance policies define what compliant means. If you have already deployed compliance policies, skip to Step 1.
- Sign in to the Microsoft Intune admin center
- Navigate to Devices > Compliance > Policies
- Confirm a policy exists for each platform your admins use (Windows, macOS, iOS, Android)
- If none exist, click + Create policy, select the platform, and configure a baseline (for example, for Windows: require BitLocker, Secure Boot, code integrity, a password, and Microsoft Defender real-time protection), then assign it to your admin device group
- Under Devices > Compliance > Compliance policy settings, set Mark devices with no compliance policy assigned as to Not compliant
- Verify your admin devices show Compliant under Devices > All devices
This is the prerequisite. The control itself is the Conditional Access policy in the steps below.
Step 1: Navigate to Conditional Access
- Sign in to the Microsoft Entra admin center
- Navigate to Protection > Conditional Access
- Click Policies
Step 2: Create the Admin Access Policy
- Click + New policy
- Enter a name:
Require Compliant Device for Admin Access
Step 3: Configure Users
- Under Assignments, click Users
- Select Include > Select users and groups > Directory roles
- Select the administrative roles that should require a managed device, for example:
- Global Administrator
- Privileged Role Administrator
- Security Administrator
- Exchange Administrator
- SharePoint Administrator
- User Administrator
- Intune Administrator
- Conditional Access Administrator
- Application Administrator
- Under Exclude, add your emergency access (break-glass) accounts
Important: Always exclude emergency access accounts so a device or Intune outage cannot lock every admin out.
Step 4: Configure Target Resources
- Under Assignments, click Target resources (shown as Cloud apps in some versions of the portal)
- Select Include > Select apps
- Select Microsoft Admin Portals
The Microsoft Admin Portals app covers the Entra admin center, Microsoft 365 admin center, Intune, Azure portal, and other admin consoles in one resource.
Alternative (broader): Select All cloud apps if you want every resource, not just admin portals, to require a compliant device for these admin roles.
Step 5: Configure Access Controls
- Under Access controls, click Grant
- Select Grant access
- Check Require device to be marked as compliant
- Also check Require Microsoft Entra hybrid joined device if you use hybrid-joined endpoints
- If you selected both, choose Require one of the selected controls
- Click Select
Step 6: Test in Report-Only, Then Enable
- Under Enable policy, select Report-only
- Click Create
- Monitor for 2-3 days under Protection > Conditional Access > Insights and reporting and in Sign-in logs (Conditional Access tab)
- Confirm admin sign-ins from compliant devices would be allowed and unmanaged devices would be blocked
- Edit the policy and change Enable policy to On
PowerShell Configuration
Create the Admin Access Policy via Graph API
```powershell
# Connect to Microsoft Graph with the scopes needed to look up users and write Conditional Access policies
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Directory.Read.All"

# Break-glass accounts to exclude (replace with your own emergency access UPNs)
$breakGlass1 = Get-MgUser -Filter "userPrincipalName eq 'BreakGlass1@contoso.onmicrosoft.com'"
$breakGlass2 = Get-MgUser -Filter "userPrincipalName eq 'BreakGlass2@contoso.onmicrosoft.com'"

$policyParams = @{
    displayName = "Require Compliant Device for Admin Access"
    # Report-only first; switch to "enabled" after the validation in Step 6
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            # Directory role template IDs; add the remaining roles from Step 3 as needed
            includeRoles = @(
                "62e90394-69f5-4237-9190-012177145e10" # Global Administrator
                "e8611ab8-c189-46e8-94e1-60213ab1f814" # Privileged Role Administrator
                "194ae4cb-b126-40b2-bd5b-6091b380977d" # Security Administrator
                "29232cdf-9323-42fd-ade2-1d097af3e4de" # Exchange Administrator
                "f28a1f50-f6e7-4571-818b-6a12f2af6b6c" # SharePoint Administrator
                "3a2c62db-5318-420d-8d74-23affee5d9d5" # Intune Administrator
            )
            excludeUsers = @($breakGlass1.Id, $breakGlass2.Id)
        }
        # MicrosoftAdminPortals is the app ID of the Microsoft Admin Portals resource
        applications   = @{ includeApplications = @("MicrosoftAdminPortals") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # OR: either a compliant device or a hybrid-joined device satisfies the grant
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

$newPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyParams
Write-Host "Created policy: $($newPolicy.DisplayName) in Report-Only mode"
```
Confirm Admin Devices Are Compliant
```powershell
# Read-only scope for Intune managed devices
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"

# Count managed devices by compliance state (compliant, noncompliant, unknown, ...)
Get-MgDeviceManagementManagedDevice -All |
    Group-Object ComplianceState |
    Select-Object Name, Count |
    Format-Table
```
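To review what the report-only policy would have done during the monitoring window in Step 6, the following script (an added example, not part of the original guide) pulls recent interactive sign-ins and lists those the policy would have blocked, alongside the device state Entra recorded for each. It assumes the Microsoft.Graph PowerShell SDK, the policy display name used above, and an account granted AuditLog.Read.All.

```powershell
# Added example: summarise report-only results for the admin device policy.
# Assumes the policy name used earlier in this guide and the Microsoft.Graph SDK.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$policyName = "Require Compliant Device for Admin Access"
# Look back over the 2-3 day report-only window; Graph expects a UTC datetime literal
$since = (Get-Date).AddDays(-3).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Each sign-in carries every evaluated policy, so the policy match is done client-side
$signIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since"

$rows = foreach ($s in $signIns) {
    $p = $s.AppliedConditionalAccessPolicies | Where-Object { $_.DisplayName -eq $policyName }
    # Skip sign-ins the policy did not apply to (non-admin users, other resources)
    if (-not $p -or $p.Result -eq "reportOnlyNotApplied") { continue }
    [pscustomobject]@{
        User        = $s.UserPrincipalName
        App         = $s.AppDisplayName
        Result      = $p.Result                    # reportOnlySuccess / reportOnlyFailure / reportOnlyInterrupted
        IsCompliant = $s.DeviceDetail.IsCompliant
        IsManaged   = $s.DeviceDetail.IsManaged
        TrustType   = $s.DeviceDetail.TrustType    # e.g. "Hybrid Azure AD joined", blank for unregistered
        OS          = $s.DeviceDetail.OperatingSystem
        When        = $s.CreatedDateTime
    }
}

# Admin sign-ins the policy would block once enabled: review each before switching to On
$wouldBlock = $rows | Where-Object { $_.Result -eq "reportOnlyFailure" }
$wouldBlock | Sort-Object User, When | Format-Table -AutoSize

# A compliant device in the block list usually means a stale or duplicate device object
$anomalies = $wouldBlock | Where-Object { $_.IsCompliant -eq $true }
if ($anomalies) {
    Write-Warning "$($anomalies.Count) sign-in(s) from compliant devices would be blocked; check device registration"
}
```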
Verification Checklist
Policy Configuration
- Conditional Access policy targets the intended admin directory roles
- Target resource is Microsoft Admin Portals (or All cloud apps by choice)
- Grant control requires a compliant (or hybrid-joined) device
- Emergency access accounts are excluded
- Policy is On after report-only validation
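The policy-configuration items above can be checked programmatically; this script is an added example, not part of the original guide. It assumes the Microsoft.Graph PowerShell SDK, the policy display name and break-glass UPNs used in the PowerShell section, and an account granted Policy.Read.All and Directory.Read.All.

```powershell
# Added example: read the policy back and evaluate the configuration checklist.
# Assumes the policy name and break-glass UPNs used earlier in this guide.
Connect-MgGraph -Scopes "Policy.Read.All", "Directory.Read.All"

$policyName     = "Require Compliant Device for Admin Access"
$breakGlassUpns = @("BreakGlass1@contoso.onmicrosoft.com", "BreakGlass2@contoso.onmicrosoft.com")

$policy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$policyName'"
if (-not $policy) { throw "Policy '$policyName' not found" }

$apps     = $policy.Conditions.Applications.IncludeApplications
$controls = $policy.GrantControls.BuiltInControls

$checks = [ordered]@{}
$checks["Policy is On (not report-only)"]          = $policy.State -eq "enabled"
$checks["Targets at least one directory role"]     = $policy.Conditions.Users.IncludeRoles.Count -gt 0
$checks["Targets Microsoft Admin Portals or All"]  = ($apps -contains "MicrosoftAdminPortals") -or ($apps -contains "All")
$checks["Requires compliant or hybrid-joined"]     = ($controls -contains "compliantDevice") -or ($controls -contains "domainJoinedDevice")
# With both device controls selected the operator must be OR, otherwise a device would need to be both
$checks["Operator is OR when both controls set"]   = ($controls.Count -lt 2) -or ($policy.GrantControls.Operator -eq "OR")

# Resolve each break-glass UPN to its object ID and confirm it is in the exclusion list
foreach ($upn in $breakGlassUpns) {
    $u = Get-MgUser -Filter "userPrincipalName eq '$upn'" -Property Id
    $checks["Excludes $upn"] = ($null -ne $u) -and ($policy.Conditions.Users.ExcludeUsers -contains $u.Id)
}

$checks.GetEnumerator() | ForEach-Object {
    $status = if ($_.Value) { "PASS" } else { "FAIL" }
    "$status  $($_.Key)"
}
```

A FAIL on the exclusion line while the account is listed in the portal usually points to a UPN typo, which is the first item under "Emergency Account Blocked" in Troubleshooting.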
Access Testing
- Admin sign-in from a compliant device is allowed
- Admin sign-in from an unmanaged/non-compliant device is blocked
- Emergency access account can sign in from any device
Prerequisite Health
- Device compliance policies exist and are assigned to admin devices
- "Devices with no compliance policy" are treated as Not compliant
- Admin devices report as Compliant in Intune
Troubleshooting
Admin Blocked Despite a Managed Device
Symptom: A legitimate admin on a managed device cannot reach admin portals.
Solutions:
- Confirm the device shows Compliant in Intune (Devices > device > Device compliance)
- Force a sync from the Company Portal app
- Ensure the Entra device registration and Intune enrollment are aligned (no stale duplicate device object)
- Use Conditional Access > What If to trace the evaluation
Policy Shows "Not Applied"
Symptom: Sign-in logs show the policy did not apply to an admin.
Solutions:
- Verify the user actually holds one of the included directory roles
- Confirm the sign-in targeted the Microsoft Admin Portals app (or your chosen resource)
- Ensure the policy is On, and the user is not in the exclusion list
Emergency Account Blocked
Symptom: A break-glass account is blocked for non-compliance.
Solutions:
- Verify the account is in the policy exclusion list (no UPN typo)
- Confirm no other device-compliance policy applies to it
Cost Considerations
| Feature | License Required | Approximate Cost |
|---|---|---|
| Conditional Access with device conditions | Microsoft Entra ID P1 | ~$6/user/mo (included in M365 E3/E5, Business Premium) |
| Device compliance evaluation | Microsoft Intune | Included in M365 Business Premium (~$22/user/mo), E3/E5, EMS |
| Microsoft Defender integration (optional) | Defender for Endpoint P1/P2 | P1: ~$3/user/mo, P2: ~$5.20/user/mo |
Scope P1 and Intune to the administrators covered by this policy; you do not need to license every user to protect admin access.
Related Controls
- DV-02: Require Compliant Devices for Global Admins - The critical, Global Admin-specific version of this control
- CA-06: Privileged Access Workstations - Restrict admin access to dedicated hardened devices (Level 3)
- CA-05: App Protection for Mobile Access - Protect data on unmanaged mobile devices
- PA-03: Configure Emergency Access Accounts - Ensure break-glass accounts exist and are excluded