DV-02: Require Compliant Devices for Global Admins

Overview

This guide walks you through creating a Conditional Access policy that requires the Global Administrator role to sign in from compliant (Intune-managed) devices. It narrows device enforcement to your most powerful role: every Global Admin sign-in must come from a trusted, hardened, managed device. Broader coverage of other admin roles is handled by DV-01.

Control ID: DV-02
Category: Device Trust
Baseline Level: Level 2 (Enhanced Security)
Severity: Critical
License Required: Microsoft Entra ID P1 + Microsoft Intune

Why This Matters

Admin credentials on non-compliant devices are at high risk. Keyloggers, malware, and credential theft are common on unmanaged devices. Requiring compliance ensures admin actions occur from secured endpoints. Global Administrator is the highest-impact role in the tenant, so it gets the strictest, dedicated device requirement.

Expected State

  • All Global Administrator sign-ins require compliant devices
  • Devices are enrolled in Intune with compliance policies
  • Non-compliant devices cannot access admin portals

Prerequisites

Required Roles

You need one of the following Entra ID roles:

  • Conditional Access Administrator (recommended - least privilege)
  • Security Administrator
  • Global Administrator

Required Licenses

  • Microsoft Entra ID P1 or higher for each administrator
  • Microsoft Intune license for each administrator's device
  • Included in: Microsoft 365 E3, E5, EMS E3/E5, or Business Premium

Pre-Configuration Requirements

Before creating this policy, ensure:

  1. Device compliance policies exist (see DV-01 guide)
  2. Admin devices are enrolled in Intune
  3. Admin devices are compliant with your compliance policies
  4. Emergency access accounts are excluded from device requirements
  5. A pilot group is ready for testing before full rollout

Time Estimate

Task                               Duration
Verify admin device enrollment     15-20 minutes
Create Conditional Access policy   15-20 minutes
Pilot testing                      2-3 days
Full rollout                       10 minutes
Total                              2-3 days including testing

Step-by-Step Instructions

Step 1: Verify Admin Device Compliance

Before enforcing the policy, ensure all admin devices are enrolled and compliant:

  1. Sign in to the Microsoft Intune admin center
  2. Navigate to Devices > All devices
  3. Filter by user or search for admin accounts
  4. Verify each admin's device shows:
    • Managed by: Intune (or Co-managed)
    • Compliance: Compliant

If any admin devices are not enrolled or compliant, address this before enabling the policy.

Step 2: Create Global Admin Device Group (Optional)

Targeting the Global Administrator directory role directly (Step 4) is simplest and recommended. If you prefer a group, create one scoped to Global Administrators:

  1. Sign in to the Microsoft Entra admin center
  2. Navigate to Identity > Groups > All groups
  3. Click + New group
  4. Configure:
    • Group type: Security
    • Group name: Global Administrators - Device Required
    • Membership type: Assigned (manually manage) or Dynamic User
  5. For dynamic membership, use a rule like:
     (user.assignedPlans -any (assignedPlan.servicePlanId -eq "41781fb2-bc02-4b7c-bd55-b576c07bb09d" -and assignedPlan.capabilityStatus -eq "Enabled"))
     (This targets users with Azure AD Premium P2; adjust as needed.)
  6. Alternatively, manually add all users with privileged roles
  7. Click Create

Step 3: Navigate to Conditional Access

  1. Sign in to the Microsoft Entra admin center
  2. Navigate to Protection > Conditional Access
  3. Click Policies

Step 4: Create the Global Admin Device Policy

  1. Click + New policy
  2. Enter name: Require Compliant Device for Global Administrators

Configure Users:

  1. Under Assignments, click Users

  2. Select Include > Select users and groups > Directory roles

  3. Select the Global Administrator role

    This control is scoped specifically to Global Administrator, the highest-impact role. To require compliant devices for the broader set of admin roles (Security Administrator, Exchange Administrator, and so on), use DV-01 rather than widening this policy.

  4. Under Exclude:

    • Click Users and groups
    • Add your emergency access accounts (e.g., BreakGlass1@contoso.onmicrosoft.com)

Important: Always exclude emergency access accounts. They must be able to sign in without device requirements in case of lockout.

Configure Target Resources:

  1. Under Target resources, click Cloud apps
  2. Select All cloud apps
  3. Optionally, exclude specific apps that don't support device compliance (rare)

Configure Conditions (Optional):

  1. Under Conditions, you may configure:
    • Device platforms: select only the platforms your admin devices actually use (Windows, macOS, iOS, Android); narrow this only if you have a specific need, since an unconfigured condition covers every platform
    • Leave other conditions unconfigured for maximum protection

Configure Access Controls:

  1. Under Access controls, click Grant
  2. Select Grant access
  3. Check Require device to be marked as compliant
  4. Optionally, also check Require Microsoft Entra hybrid joined device (for hybrid environments)
  5. For multiple controls, select Require one of the selected controls or Require all the selected controls based on your requirements
  6. Click Select

Enable the Policy:

  1. Under Enable policy, select Report-only
  2. Click Create

Step 5: Test in Report-Only Mode

  1. Monitor the policy for 2-3 days
  2. Navigate to Protection > Conditional Access > Insights and reporting
  3. Filter for your new policy
  4. Review which sign-ins would be blocked or allowed
  5. Check the Sign-in logs for detailed analysis:
    • Navigate to Monitoring > Sign-in logs
    • Click on admin sign-ins
    • Review the Conditional Access tab

Step 6: Enable the Policy

After validating in report-only mode:

  1. Navigate to Conditional Access > Policies
  2. Click on Require Compliant Device for Global Administrators
  3. Change Enable policy to On
  4. Click Save

PowerShell Configuration

Create Conditional Access Policy via Graph API

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All", "Directory.Read.All"

# Resolve the Global Administrator role template ID (this control is Global Admin only).
# Conditional Access targets roles by template ID; the well-known value is kept as a
# fallback in case the role has not yet been activated in the tenant.
$globalAdminRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$globalAdminRoleId = if ($globalAdminRole) { $globalAdminRole.RoleTemplateId } else { "62e90394-69f5-4237-9190-012177145e10" }

# Get break-glass account IDs
$breakGlass1 = Get-MgUser -Filter "userPrincipalName eq 'BreakGlass1@contoso.onmicrosoft.com'"
$breakGlass2 = Get-MgUser -Filter "userPrincipalName eq 'BreakGlass2@contoso.onmicrosoft.com'"

# Never create the policy without its exclusions: a mistyped UPN would silently yield
# an empty exclusion list and risk locking the tenant out once the policy is turned on
if (-not $breakGlass1 -or -not $breakGlass2) {
    throw "One or both break-glass accounts were not found; fix the UPNs before creating the policy"
}

# Define the policy (created in report-only mode first, as in Step 4)
$policyParams = @{
    displayName = "Require Compliant Device for Global Administrators"
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeRoles = @(
                $globalAdminRoleId # Global Administrator only; broader admin roles belong in DV-01
            )
            excludeUsers = @(
                $breakGlass1.Id
                $breakGlass2.Id
            )
        }
        applications = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator = "OR"
        builtInControls = @("compliantDevice")
    }
}

# Create the policy
$newPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyParams

Write-Host "Created policy: $($newPolicy.DisplayName) in Report-Only mode"
Write-Host "Policy ID: $($newPolicy.Id)"

Check Admin Device Compliance Status

# Connect to Graph (Directory.Read.All covers the user and owned-device lookups below)
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All", "RoleManagement.Read.Directory", "Directory.Read.All"

# Get all users with privileged roles
$privilegedRoles = @(
    "Global Administrator",
    "Security Administrator",
    "Privileged Role Administrator",
    "User Administrator"
)

$admins = @()
foreach ($roleName in $privilegedRoles) {
    # Get-MgDirectoryRole only returns roles that have been activated in the tenant
    $role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'" -ErrorAction SilentlyContinue
    if ($role) {
        $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
        # Keep user members only; service principals and groups are skipped
        $admins += $members | Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.user' }
    }
}

$admins = $admins | Select-Object -Unique Id

# Check device compliance for each admin
Write-Host "`nAdmin Device Compliance Status:`n"

foreach ($admin in $admins) {
    $user = Get-MgUser -UserId $admin.Id -Property DisplayName, UserPrincipalName
    $devices = Get-MgUserOwnedDevice -UserId $admin.Id -All | Where-Object {
        $_.AdditionalProperties.isManaged -eq $true
    }

    Write-Host "User: $($user.DisplayName) ($($user.UserPrincipalName))"

    # @() guards against a null result, which has no Count on Windows PowerShell 5.1
    if (@($devices).Count -eq 0) {
        Write-Host "  WARNING: No managed devices found" -ForegroundColor Yellow
    } else {
        foreach ($device in $devices) {
            # Intune's azureADDeviceId is the Entra deviceId, not the directory object Id,
            # so filtering on $device.Id would never match
            $entraDeviceId = $device.AdditionalProperties.deviceId
            $managedDevice = Get-MgDeviceManagementManagedDevice -Filter "azureADDeviceId eq '$entraDeviceId'" -ErrorAction SilentlyContinue
            if ($managedDevice) {
                $status = if ($managedDevice.ComplianceState -eq "compliant") { "Compliant" } else { "NOT COMPLIANT" }
                $color = if ($managedDevice.ComplianceState -eq "compliant") { "Green" } else { "Red" }
                Write-Host "  Device: $($managedDevice.DeviceName) - $status" -ForegroundColor $color
            } else {
                Write-Host "  Device: $($device.AdditionalProperties.displayName) - not found in Intune (stale registration?)" -ForegroundColor Yellow
            }
        }
    }
    Write-Host ""
}

List Policy Impact via Sign-in Logs

# Connect to Graph
Connect-MgGraph -Scopes "AuditLog.Read.All"

# Get recent admin sign-ins evaluated against this control's policy (the DV-02 policy name, not the DV-01 one)
$policyName = "Require Compliant Device for Global Administrators"
$adminSignIns = Get-MgAuditLogSignIn -Top 100 -Filter "conditionalAccessStatus ne 'notApplied'" |
    Where-Object { $_.ConditionalAccessPolicies.DisplayName -contains $policyName }

# PolicyResult shows the per-policy outcome (e.g. reportOnlySuccess / reportOnlyFailure while in
# report-only mode), which is what Step 5 needs; ErrorCode alone only reflects enforced policies
$adminSignIns | Select-Object @{N='User';E={$_.UserDisplayName}},
    @{N='App';E={$_.AppDisplayName}},
    @{N='Device';E={$_.DeviceDetail.DisplayName}},
    @{N='Compliant';E={$_.DeviceDetail.IsCompliant}},
    @{N='PolicyResult';E={($_.ConditionalAccessPolicies | Where-Object { $_.DisplayName -eq $policyName }).Result}},
    @{N='Result';E={$_.Status.ErrorCode}},
    CreatedDateTime |
    Format-Table

Verification Checklist

After enabling the policy, verify successful implementation:

Policy Configuration

  • Policy is created and in "On" state (after testing in Report-only)
  • The Global Administrator role is included (and only that role for this control)
  • Emergency access accounts are excluded
  • "Require device to be marked as compliant" is configured as grant control
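The checklist above can be run as a read-back of the policy object, so the verification is repeatable after any later edit. This script is an added example, not part of the original guide; it assumes the policy name from Step 4 and the two break-glass UPNs used in the guide, both of which you should adjust to your tenant.

```powershell
# Added verification script (not from the original guide). Assumed values: the DV-02 policy
# name from Step 4 and the example break-glass UPNs; change both for your tenant.
Connect-MgGraph -Scopes "Policy.Read.All", "User.Read.All"

$policyName    = "Require Compliant Device for Global Administrators"
$globalAdminId = "62e90394-69f5-4237-9190-012177145e10"   # Global Administrator role template ID
$breakGlass    = @("BreakGlass1@contoso.onmicrosoft.com", "BreakGlass2@contoso.onmicrosoft.com")

# Listing all policies and filtering client-side avoids relying on server-side $filter support
$policy = Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.DisplayName -eq $policyName }
if (-not $policy) { throw "Policy '$policyName' not found" }

# Resolve break-glass UPNs to object IDs, since excludeUsers holds IDs, not UPNs
$breakGlassIds = foreach ($upn in $breakGlass) {
    $u = Get-MgUser -Filter "userPrincipalName eq '$upn'"
    if (-not $u) { throw "Break-glass account $upn not found; check the UPN" }
    $u.Id
}

$users  = $policy.Conditions.Users
$checks = [ordered]@{
    "Policy state is On (not Report-only)"        = $policy.State -eq "enabled"
    "Global Administrator role is included"       = $users.IncludeRoles -contains $globalAdminId
    "Only that role is included (no users/groups)" = (@($users.IncludeRoles).Count -eq 1) -and
                                                     (@($users.IncludeUsers).Count -eq 0) -and
                                                     (@($users.IncludeGroups).Count -eq 0)
    "Every break-glass account is excluded"       = @($breakGlassIds | Where-Object { $users.ExcludeUsers -notcontains $_ }).Count -eq 0
    "Grant requires a compliant device"           = $policy.GrantControls.BuiltInControls -contains "compliantDevice"
    "Targets all cloud apps"                      = $policy.Conditions.Applications.IncludeApplications -contains "All"
}

$failed = 0
foreach ($check in $checks.GetEnumerator()) {
    $mark = if ($check.Value) { "PASS" } else { $failed++; "FAIL" }
    Write-Host ("[{0}] {1}" -f $mark, $check.Key)
}
if ($failed -gt 0) { Write-Warning "$failed check(s) failed; the policy does not match the DV-02 summary" }
```

A break-glass account excluded only through a group shows as a failure here because the script compares direct user exclusions; add the group's members to the comparison if you exclude via groups.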

Global Admin Access Testing

  • Sign in as a Global Administrator from a compliant device - access should be granted
  • Sign in as a Global Administrator from a non-compliant device - access should be blocked
  • Sign in as a Global Administrator from an unmanaged device - access should be blocked
  • Sign in as an emergency access account from any device - access should be granted

Sign-in Log Validation

  • Check Monitoring > Sign-in logs for admin sign-ins
  • Verify policy is applied (not "Not applied") in the Conditional Access tab
  • Confirm successful sign-ins show compliant device information

Emergency Access Validation

  • Sign in with emergency access account from an unmanaged device
  • Verify access is granted without device compliance requirement
  • Document this test for audit purposes

Troubleshooting

Admin Blocked from Signing In

Symptom: Administrator cannot access resources despite having a compliant device.

Solutions:

  1. Verify the device is enrolled in Intune:
    • Check Intune admin center > Devices > search for the device
  2. Verify device compliance status:
    • Device must show "Compliant" status
    • Check Devices > [device] > Device compliance for specific failures
  3. Force device sync:
    • On the device, open Company Portal and trigger sync
  4. Check for stale device registration:
    • The Entra device registration and Intune enrollment must be aligned
  5. Use the "What If" tool:
    • Conditional Access > What If > select user and resource

Policy Not Being Applied

Symptom: Sign-in logs show the policy as "Not applied."

Solutions:

  1. Verify the user has a privileged role that is included in the policy
  2. Check if another policy is granting access before this policy evaluates
  3. Ensure the policy is set to "On" (not "Report-only")
  4. Review exclusions - user may be in an excluded group

Emergency Account Still Requires Compliance

Symptom: Break-glass account is blocked for non-compliance.

Solutions:

  1. Verify the emergency account is in the policy exclusion list
  2. Check for typos in the excluded account UPNs
  3. Ensure no other CA policy is requiring device compliance for this account
  4. Review policy evaluation order
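Item 3 above is the one most often missed: the DV-02 policy may exclude the break-glass accounts correctly while a different enforced policy requiring a compliant or hybrid joined device does not. The following script is an added example, not code from the original guide; it assumes the same example break-glass UPNs and resolves exclusions granted through groups using transitive membership.

```powershell
# Added audit script (not from the original guide). Assumed values: the example break-glass
# UPNs below; replace them with your emergency access accounts.
Connect-MgGraph -Scopes "Policy.Read.All", "Directory.Read.All"

$breakGlassUpns = @("BreakGlass1@contoso.onmicrosoft.com", "BreakGlass2@contoso.onmicrosoft.com")
$breakGlassIds  = foreach ($upn in $breakGlassUpns) {
    $u = Get-MgUser -Filter "userPrincipalName eq '$upn'"
    if (-not $u) { throw "Break-glass account $upn not found" }
    $u.Id
}

# Only enforced policies can block; report-only ones are listed separately for awareness
$devicePolicies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -ne "disabled" -and
    ($_.GrantControls.BuiltInControls -contains "compliantDevice" -or
     $_.GrantControls.BuiltInControls -contains "domainJoinedDevice")
}

foreach ($policy in $devicePolicies) {
    $users = $policy.Conditions.Users

    # Effective exclusions = directly excluded users + transitive members of excluded groups
    $excluded = @($users.ExcludeUsers)
    foreach ($groupId in @($users.ExcludeGroups)) {
        $excluded += (Get-MgGroupTransitiveMember -GroupId $groupId -All).Id
    }

    $missing = @($breakGlassIds | Where-Object { $excluded -notcontains $_ })
    $mode    = if ($policy.State -eq "enabled") { "ENFORCED" } else { "report-only" }

    if ($missing.Count -eq 0) {
        Write-Host "[OK]   $($policy.DisplayName) ($mode): all break-glass accounts excluded" -ForegroundColor Green
    } else {
        $names = $breakGlassUpns[[array]::IndexOf($breakGlassIds, $missing[0])]
        Write-Host "[FAIL] $($policy.DisplayName) ($mode): $($missing.Count) break-glass account(s) not excluded (e.g. $names)" -ForegroundColor Red
    }
}
```

Run this after any new device-requirement policy is added, since each one is evaluated independently and a single policy without the exclusion is enough to lock the emergency account out.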

Users on Shared/Kiosk Devices

Symptom: Admins cannot access from shared workstations.

Solutions:

  1. Consider Shared Device Mode for specific devices
  2. Create an exception group for specific shared device scenarios
  3. Alternatively, require admins to use dedicated admin workstations (PAW)
  4. Use Azure Virtual Desktop for privileged access from non-compliant devices

Policy Configuration Summary

Setting          Value
Policy Name      Require Compliant Device for Global Administrators
Users - Include  Directory role: Global Administrator
Users - Exclude  Emergency access accounts
Cloud Apps       All cloud apps
Conditions       None (applies to all platforms)
Grant            Require device to be marked as compliant
Session          None
Enable Policy    On (after Report-only testing)

Related Controls


Additional Resources