DV-01: Require Compliant Devices for Admin Access

Overview

This guide walks you through creating a Conditional Access policy that requires administrators to sign in from compliant or Microsoft Entra hybrid-joined devices when reaching admin portals. Only managed, healthy devices you control can perform privileged operations; unmanaged personal devices are blocked. Enrolling devices in Intune and configuring compliance policies is the prerequisite that this control builds on.

Control ID: DV-01
Category: Device Trust
Baseline Level: Level 2 (Enhanced Security)
Severity: High
License Required: Microsoft Entra ID P1 (for Conditional Access) + Microsoft Intune (for compliance)

Why This Matters

A compromised or unmanaged device can have keyloggers, malware, or screen capture tools. Requiring managed, compliant devices for admin access ensures that privileged actions occur from endpoints you control and monitor.

Expected State

  • A Conditional Access policy requires compliant or Entra hybrid-joined devices for admin portals
  • Policy targets the Microsoft Admin Portals app (or specific admin URLs)
  • Unmanaged personal devices cannot access admin functions

Prerequisites

Required Roles

  • Conditional Access Administrator (recommended - least privilege) or Global Administrator to create the policy
  • Intune Administrator to confirm or create device compliance policies

Required Licenses

  • Microsoft Entra ID P1 or higher (required for Conditional Access and device conditions)
  • Microsoft Intune (required to enroll devices and evaluate compliance)
  • Included in: Microsoft 365 Business Premium, E3, E5, or EMS E3/E5

Pre-Configuration Requirements (Intune is the prerequisite)

Before creating the Conditional Access policy, the device management foundation must exist:

  1. Intune is set up and admins' devices are enrolled (MDM enrollment or co-management)
  2. Device compliance policies exist and are assigned (see the prerequisite steps below)
  3. Admin devices report as compliant in the Intune admin center
  4. Emergency access accounts are identified so they can be excluded from the policy

Time Estimate

Task                                             | Duration
Prerequisite: confirm/create compliance policies | 30-60 minutes (skip if already done)
Create the Conditional Access policy             | 15-20 minutes
Report-only testing                              | 2-3 days
Full enablement                                  | 10 minutes
Total                                            | 1-3 days including testing

Step-by-Step Instructions

Prerequisite: Ensure Device Compliance Policies Exist

Conditional Access can only require a "compliant device" if Intune compliance policies define what compliant means; without them, the Intune compliance state has nothing to evaluate. If you have already deployed compliance policies, skip to Step 1.

  1. Sign in to the Microsoft Intune admin center
  2. Navigate to Devices > Compliance > Policies
  3. Confirm a policy exists for each platform your admins use (Windows, macOS, iOS, Android)
  4. If none exist, click + Create policy, select the platform, and configure a baseline (for example, for Windows: require BitLocker, Secure Boot, code integrity, a password, and Microsoft Defender real-time protection), then assign it to your admin device group
  5. Under Devices > Compliance > Compliance policy settings, set Mark devices with no compliance policy assigned as to Not compliant
  6. Verify your admin devices show Compliant under Devices > All devices

This is the prerequisite. The control itself is the Conditional Access policy in the steps below.
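The prerequisite steps above can also be done through Microsoft Graph. This is an added example, not code from the original guide: it creates the Windows baseline from step 4, assigns it to an admin device group, and flips the "no compliance policy assigned" setting from step 5. The group name is a constructed placeholder, and the Update-MgDeviceManagement call and scope names are assumptions about the Graph PowerShell SDK that you should confirm against your SDK version.

```powershell
# Added example (not part of the original guide). Assumes the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All",
                        "DeviceManagementServiceConfig.ReadWrite.All", "Group.Read.All"

# Constructed placeholder: the group that contains your admins' devices
$adminDeviceGroup = Get-MgGroup -Filter "displayName eq 'SG-Admin-Devices'"
if (-not $adminDeviceGroup) { throw "Admin device group not found; create it before assigning the policy" }

# Step 4: Windows baseline (BitLocker, Secure Boot, code integrity, password, Defender RTP)
$policyBody = @{
    "@odata.type"        = "#microsoft.graph.windows10CompliancePolicy"
    displayName          = "DV-01 Admin Windows Baseline"
    description          = "Prerequisite for Require Compliant Device for Admin Access"
    bitLockerEnabled     = $true
    secureBootEnabled    = $true
    codeIntegrityEnabled = $true
    passwordRequired     = $true
    defenderEnabled      = $true
    rtpEnabled           = $true
    # Graph requires at least one action for a compliance policy; a "block" with no grace
    # period marks the device non-compliant immediately, which is what Conditional Access reads.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0
                   notificationTemplateId = ""; notificationMessageCCList = @() }
            )
        }
    )
}
$policy = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $policyBody

# Assign the policy to the admin device group
$assignBody = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                       groupId       = $adminDeviceGroup.Id } }
    )
}
Invoke-MgAssignDeviceManagementDeviceCompliancePolicy -DeviceCompliancePolicyId $policy.Id -BodyParameter $assignBody

# Step 5: treat devices with no compliance policy as Not compliant (assumed SDK call; verify in your version)
Update-MgDeviceManagement -BodyParameter @{ settings = @{ secureByDefault = $true } }
Write-Host "Created and assigned '$($policy.DisplayName)'; devices without a policy are now Not compliant"
```

Repeat the policy creation for macOS, iOS, and Android with their own @odata.type and settings; the assignment and secureByDefault steps are the same.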

Step 1: Navigate to Conditional Access

  1. Sign in to the Microsoft Entra admin center
  2. Navigate to Protection > Conditional Access
  3. Click Policies

Step 2: Create the Admin Access Policy

  1. Click + New policy
  2. Enter a name: Require Compliant Device for Admin Access

Step 3: Configure Users

  1. Under Assignments, click Users
  2. Select Include > Select users and groups > Directory roles
  3. Select the administrative roles that should require a managed device, for example:
    • Global Administrator
    • Privileged Role Administrator
    • Security Administrator
    • Exchange Administrator
    • SharePoint Administrator
    • User Administrator
    • Intune Administrator
    • Conditional Access Administrator
    • Application Administrator
  4. Under Exclude, add your emergency access (break-glass) accounts

Important: Always exclude emergency access accounts so a device or Intune outage cannot lock every admin out.

Step 4: Configure Target Resources

  1. Under Assignments, click Target resources (labelled Cloud apps in older versions of the portal)
  2. Select Include > Select apps
  3. Select Microsoft Admin Portals

The Microsoft Admin Portals app covers the Entra admin center, Microsoft 365 admin center, Intune, Azure portal, and other admin consoles in one resource.

Alternative (broader): Select All cloud apps if you want every resource, not just admin portals, to require a compliant device for these admin roles.

Step 5: Configure Access Controls

  1. Under Access controls, click Grant
  2. Select Grant access
  3. Check Require device to be marked as compliant
  4. Also check Require Microsoft Entra hybrid joined device if you use hybrid-joined endpoints
  5. If you selected both, choose Require one of the selected controls
  6. Click Select

Step 6: Test in Report-Only, Then Enable

  1. Under Enable policy, select Report-only
  2. Click Create
  3. Monitor for 2-3 days under Protection > Conditional Access > Insights and reporting and in Sign-in logs (Conditional Access tab)
  4. Confirm admin sign-ins from compliant devices would be allowed and unmanaged devices would be blocked
  5. Edit the policy and change Enable policy to On
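Besides reading the Conditional Access tab in the portal, you can pull the same report-only outcomes from the sign-in logs with PowerShell. This is an added example, not code from the original guide; it assumes the policy name from Step 2, the Microsoft.Graph PowerShell SDK, and a 7-day look-back.

```powershell
# Added example (not part of the original guide). Lists every sign-in the report-only
# policy evaluated, and which ones would be blocked once it is switched On.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$policyName = "Require Compliant Device for Admin Access"   # name used in Step 2
$lookbackDays = 7                                            # assumed look-back window
$since = (Get-Date).AddDays(-$lookbackDays).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Server-side filter on time only; the policy match is done client-side below.
# On a large tenant, narrow this further (e.g. by userPrincipalName) before using -All.
$signIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since"

$rows = foreach ($s in $signIns) {
    $applied = $s.AppliedConditionalAccessPolicies | Where-Object { $_.DisplayName -eq $policyName }
    if (-not $applied) { continue }   # policy was not in scope for this sign-in
    [pscustomobject]@{
        When        = $s.CreatedDateTime
        User        = $s.UserPrincipalName
        App         = $s.AppDisplayName
        Device      = $s.DeviceDetail.DisplayName
        OS          = $s.DeviceDetail.OperatingSystem
        IsCompliant = $s.DeviceDetail.IsCompliant
        IsManaged   = $s.DeviceDetail.IsManaged
        TrustType   = $s.DeviceDetail.TrustType     # Azure AD joined / Hybrid Azure AD joined / Azure AD registered
        Result      = $applied.Result               # reportOnlySuccess / reportOnlyFailure / reportOnlyNotApplied
    }
}

# Summary: how many evaluations of each kind did the policy produce?
$rows | Group-Object Result | Select-Object Name, Count | Format-Table

# Detail: sign-ins that would have been blocked, grouped per admin so you can fix their devices first
$wouldBlock = $rows | Where-Object Result -eq "reportOnlyFailure"
$wouldBlock | Group-Object User | Sort-Object Count -Descending | Select-Object Name, Count | Format-Table
$wouldBlock | Select-Object When, User, App, Device, OS, IsCompliant, IsManaged, TrustType |
    Sort-Object When -Descending | Format-Table -AutoSize
```

A reportOnlyFailure from a device that shows IsManaged = True but IsCompliant = False points at a compliance policy problem rather than an unmanaged device; IsManaged = False means the device is not enrolled at all.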

PowerShell Configuration

Create the Admin Access Policy via Graph API

# Connect to Microsoft Graph with the scopes needed to look up users and write Conditional Access policies
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Directory.Read.All"

# Break-glass accounts to exclude (replace with your own emergency access UPNs).
# Resolve each UPN to an object ID and stop if one is not found: a $null in excludeUsers
# would silently create a policy with no working exclusion.
$breakGlassUpns = @("BreakGlass1@contoso.onmicrosoft.com", "BreakGlass2@contoso.onmicrosoft.com")
$breakGlassIds = foreach ($upn in $breakGlassUpns) {
    $u = Get-MgUser -Filter "userPrincipalName eq '$upn'"
    if (-not $u) { throw "Break-glass account '$upn' not found; refusing to create the policy without its exclusion" }
    $u.Id
}

$policyParams = @{
    displayName = "Require Compliant Device for Admin Access"
    state = "enabledForReportingButNotEnforced"   # report-only first (Step 6); change to "enabled" after validation
    conditions = @{
        users = @{
            # Directory role template IDs; these are the same in every tenant
            includeRoles = @(
                "62e90394-69f5-4237-9190-012177145e10" # Global Administrator
                "e8611ab8-c189-46e8-94e1-60213ab1f814" # Privileged Role Administrator
                "194ae4cb-b126-40b2-bd5b-6091b380977d" # Security Administrator
                "29232cdf-9323-42fd-ade2-1d097af3e4de" # Exchange Administrator
                "f28a1f50-f6e7-4571-818b-6a12f2af6b6c" # SharePoint Administrator
                "3a2c62db-5318-420d-8d74-23affee5d9d5" # Intune Administrator
            )
            excludeUsers = @($breakGlassIds)
        }
        # Microsoft Admin Portals is addressed by this well-known app ID rather than a GUID
        applications = @{ includeApplications = @("MicrosoftAdminPortals") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # OR = "Require one of the selected controls": compliant OR hybrid-joined (Step 5)
        operator = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

$newPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyParams
Write-Host "Created policy: $($newPolicy.DisplayName) (id $($newPolicy.Id)) in Report-Only mode"

Confirm Admin Devices Are Compliant

Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"

Get-MgDeviceManagementManagedDevice -All |
    Group-Object ComplianceState |
    Select-Object Name, Count |
    Format-Table

Verification Checklist

Policy Configuration

  • Conditional Access policy targets the intended admin directory roles
  • Target resource is Microsoft Admin Portals (or All cloud apps by choice)
  • Grant control requires a compliant (or hybrid-joined) device
  • Emergency access accounts are excluded
  • Policy is On after report-only validation

Access Testing

  • Admin sign-in from a compliant device is allowed
  • Admin sign-in from an unmanaged/non-compliant device is blocked
  • Emergency access account can sign in from any device

Prerequisite Health

  • Device compliance policies exist and are assigned to admin devices
  • "Devices with no compliance policy" are treated as Not compliant
  • Admin devices report as Compliant in Intune
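The three prerequisite checks above can be run as one script, scoped to the admins the policy actually targets rather than the whole device fleet. This is an added example, not code from the original guide; it assumes the Microsoft.Graph PowerShell SDK, the role template IDs from the PowerShell section, and that Get-MgDeviceManagement exposes the Settings.SecureByDefault property (verify this against your SDK version).

```powershell
# Added example (not part of the original guide): DV-01 prerequisite health check.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All",
                        "DeviceManagementServiceConfig.Read.All", "RoleManagement.Read.Directory"

# Check 1: devices with no compliance policy must be treated as Not compliant (assumed property name)
$settings = (Get-MgDeviceManagement).Settings
if ($settings.SecureByDefault) { "OK: devices with no compliance policy are treated as Not compliant" }
else { "WARNING: devices with no compliance policy are treated as Compliant; fix under Compliance policy settings" }

# Check 2 and 3: every admin in the included roles should only have Compliant devices.
# Same role template IDs as the policy; extend the list to match your policy.
$roleTemplateIds = @(
    "62e90394-69f5-4237-9190-012177145e10" # Global Administrator
    "e8611ab8-c189-46e8-94e1-60213ab1f814" # Privileged Role Administrator
    "194ae4cb-b126-40b2-bd5b-6091b380977d" # Security Administrator
)
$adminUpns = foreach ($tid in $roleTemplateIds) {
    $role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$tid'"
    if (-not $role) { continue }                       # role never activated in this tenant
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
        ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
}
$adminUpns = $adminUpns | Where-Object { $_ } | Sort-Object -Unique

$adminDevices = Get-MgDeviceManagementManagedDevice -All |
    Where-Object { $adminUpns -contains $_.UserPrincipalName }

# Per-device view, non-compliant first, so problems surface at the top
$adminDevices |
    Select-Object UserPrincipalName, DeviceName, OperatingSystem, ComplianceState, LastSyncDateTime |
    Sort-Object ComplianceState, UserPrincipalName | Format-Table -AutoSize

# Admins with no enrolled device at all: once the policy is On they are blocked from admin portals
$noDevice = $adminUpns | Where-Object { $_ -notin $adminDevices.UserPrincipalName }
if ($noDevice) { "Admins with no Intune-enrolled device:"; $noDevice }
```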

Troubleshooting

Admin Blocked Despite a Managed Device

Symptom: A legitimate admin on a managed device cannot reach admin portals.

Solutions:

  1. Confirm the device shows Compliant in Intune (Devices > device > Device compliance)
  2. Force a sync from the Company Portal app
  3. Ensure the Entra device registration and Intune enrollment are aligned (no stale duplicate device object)
  4. Use Conditional Access > What If to trace the evaluation

Policy Shows "Not Applied"

Symptom: Sign-in logs show the policy did not apply to an admin.

Solutions:

  1. Verify the user actually holds one of the included directory roles
  2. Confirm the sign-in targeted the Microsoft Admin Portals app (or your chosen resource)
  3. Ensure the policy is On, and the user is not in the exclusion list

Emergency Account Blocked

Symptom: A break-glass account is blocked for non-compliance.

Solutions:

  1. Verify the account is in the policy exclusion list (no UPN typo)
  2. Confirm no other device-compliance policy applies to it

Cost Considerations

Feature                                     | License Required             | Approximate Cost
Conditional Access with device conditions   | Microsoft Entra ID P1        | ~$6/user/mo (included in M365 E3/E5, Business Premium)
Device compliance evaluation                | Microsoft Intune             | Included in M365 Business Premium (~$22/user/mo), E3/E5, EMS
Microsoft Defender integration (optional)   | Defender for Endpoint P1/P2  | P1: ~$3/user/mo, P2: ~$5.20/user/mo

Scope P1 and Intune to the administrators covered by this policy; you do not need to license every user to protect admin access.

Related Controls

Additional Resources