DV-02: Require Compliant Devices for Global Admins
Overview
This guide walks you through creating a Conditional Access policy that requires the Global Administrator role to sign in from compliant (Intune-managed) devices. It narrows device enforcement to your most powerful role: every Global Admin sign-in must come from a trusted, hardened, managed device. Broader coverage of other admin roles is handled by DV-01.
- Control ID: DV-02
- Category: Device Trust
- Baseline Level: Level 2 (Enhanced Security)
- Severity: Critical
- License Required: Microsoft Entra ID P1 + Microsoft Intune
Why This Matters
Admin credentials and session tokens used on unmanaged or non-compliant devices are exposed to keyloggers, infostealer malware and token theft, and nothing guarantees such a device is patched, encrypted or running endpoint protection. Requiring compliance ensures admin actions occur only from endpoints that meet your compliance policy. Global Administrator is the highest-impact role in the tenant, so it gets the strictest, dedicated device requirement.
Expected State
- All Global Administrator sign-ins require compliant devices
- Devices are enrolled in Intune with compliance policies
- Non-compliant devices cannot access admin portals
Prerequisites
Required Roles
You need one of the following Entra ID roles:
- Conditional Access Administrator (recommended - least privilege)
- Security Administrator
- Global Administrator
Required Licenses
- Microsoft Entra ID P1 or higher for each administrator
- Microsoft Intune license for each administrator's device
- Included in: Microsoft 365 E3, E5, EMS E3/E5, or Business Premium
Pre-Configuration Requirements
Before creating this policy, ensure:
- Device compliance policies exist (see DV-01 guide)
- Admin devices are enrolled in Intune
- Admin devices are compliant with your compliance policies
- Emergency access accounts are excluded from device requirements
- A pilot group is ready for testing before full rollout
Time Estimate
| Task | Duration |
|---|---|
| Verify admin device enrollment | 15-20 minutes |
| Create Conditional Access policy | 15-20 minutes |
| Pilot testing | 2-3 days |
| Full rollout | 10 minutes |
| Total | 2-3 days including testing |
Step-by-Step Instructions
Step 1: Verify Admin Device Compliance
Before enforcing the policy, ensure all admin devices are enrolled and compliant:
- Sign in to the Microsoft Intune admin center
- Navigate to Devices > All devices
- Filter by user or search for admin accounts
- Verify each admin's device shows:
  - Managed by: Intune (or Co-managed)
  - Compliance: Compliant
If any admin devices are not enrolled or compliant, address this before enabling the policy.
Step 2: Create Global Admin Device Group (Optional)
Targeting the Global Administrator directory role directly (Step 4) is simplest and recommended: role membership is evaluated at sign-in and there is no group to keep in sync. If you prefer a group, create one scoped to Global Administrators:
- Sign in to the Microsoft Entra admin center
- Navigate to Identity > Groups > All groups
- Click + New group
- Configure:
  - Group type: Security
  - Group name: Global Administrators - Device Required
  - Membership type: Assigned (manually manage)
- Manually add every Global Administrator account to the group
- Click Create
Dynamic membership rules cannot select users by directory role, so a dynamic group is not a substitute here. A license-based rule such as the following selects every user who holds the service plan 41781fb2-bc02-4b7c-bd55-b576c07bb09d (Microsoft Entra ID P1), a far broader population than Global Administrators:
(user.assignedPlans -any (assignedPlan.servicePlanId -eq "41781fb2-bc02-4b7c-bd55-b576c07bb09d" -and assignedPlan.capabilityStatus -eq "Enabled"))
An assigned group also has to be reviewed whenever Global Administrator membership changes; an admin who is added to the role but not to the group is outside the policy.
Step 3: Navigate to Conditional Access
- Sign in to the Microsoft Entra admin center
- Navigate to Protection > Conditional Access
- Click Policies
Step 4: Create the Global Admin Device Policy
- Click + New policy
- Enter name:
Require Compliant Device for Global Administrators
Configure Users:
- Under Assignments, click Users
- Select Include > Select users and groups > Directory roles
- Select the Global Administrator role
This control is scoped specifically to Global Administrator, the highest-impact role. To require compliant devices for the broader set of admin roles (Security Administrator, Exchange Administrator, and so on), use DV-01 rather than widening this policy.
- Under Exclude:
  - Click Users and groups
  - Add your emergency access accounts (e.g., BreakGlass1@contoso.onmicrosoft.com)
Important: Always exclude emergency access accounts. They must be able to sign in without device requirements in case of lockout.
Configure Target Resources:
- Under Target resources, click Cloud apps
- Select All cloud apps
- Optionally, exclude specific apps that don't support device compliance (rare)
Configure Conditions (Optional):
- Leave Conditions unconfigured so the policy is evaluated for every platform and client type; this is the setting the Policy Configuration Summary below assumes
- If you do set Device platforms to a subset (for example Windows, macOS, iOS and Android), sign-ins from any platform you did not select, including "Unknown", are not evaluated by this policy at all. Platform is derived from the client's user agent, which an attacker controls, so a platform condition is a gap rather than a restriction for a Global Admin policy
Configure Access Controls:
- Under Access controls, click Grant
- Select Grant access
- Check Require device to be marked as compliant
- Optionally, also check Require Microsoft Entra hybrid joined device (for hybrid environments)
- If you select both controls, choose the operator deliberately: Require one of the selected controls lets a hybrid-joined device that is not compliant through, which weakens the control; Require all the selected controls is the stricter choice for Global Administrators
- Click Select
Enable the Policy:
- Under Enable policy, select Report-only
- Click Create
Step 5: Test in Report-Only Mode
- Monitor the policy for 2-3 days of normal admin activity, long enough to capture every Global Admin signing in from every device they actually use
- Navigate to Protection > Conditional Access > Insights and reporting
- Filter for your new policy and review which sign-ins would have been blocked (Failure) and which would have succeeded
- For individual sign-ins, use the Sign-in logs:
  - Navigate to Monitoring > Sign-in logs
  - Open a Global Admin sign-in
  - Review the Report-only tab (report-only policies are listed there, not on the Conditional Access tab) and the Device info tab for the compliance state that was evaluated
- Every report-only failure for a genuine Global Admin is a device you must enroll or remediate before Step 6
Step 6: Enable the Policy
After validating in report-only mode:
- Navigate to Conditional Access > Policies
- Click on Require Compliant Device for Global Administrators
- Change Enable policy to On
- Click Save
PowerShell Configuration
Create Conditional Access Policy via Graph API
```powershell
# Connect to Microsoft Graph with the scopes needed to read users and write CA policies
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All", "Directory.Read.All"

# Conditional Access targets directory roles by their role *template* ID, which is identical in
# every tenant. The Id returned by Get-MgDirectoryRole is the tenant-specific activated role
# object and is NOT what includeRoles expects; use the template ID (or its RoleTemplateId property).
$globalAdminTemplateId = "62e90394-69f5-4237-9190-012177145e10"   # Global Administrator (this control is Global Admin only)

# Resolve the break-glass accounts and refuse to continue if either is missing:
# a policy created without its exclusions can lock every Global Admin out of the tenant.
$breakGlassUpns = @("BreakGlass1@contoso.onmicrosoft.com", "BreakGlass2@contoso.onmicrosoft.com")
$breakGlassIds = foreach ($upn in $breakGlassUpns) {
    $user = Get-MgUser -Filter "userPrincipalName eq '$upn'" -Property Id
    if (-not $user) { throw "Break-glass account '$upn' not found; not creating the policy without its exclusion" }
    $user.Id
}

# Define the policy (report-only first; switch state to 'enabled' after the pilot)
$policyParams = @{
    displayName = "Require Compliant Device for Global Administrators"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeRoles = @($globalAdminTemplateId)   # only Global Administrator; other admin roles belong to DV-01
            excludeUsers = @($breakGlassIds)
        }
        applications = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"                 # single control, so OR and AND are equivalent here
        builtInControls = @("compliantDevice")
    }
}

# Create the policy
$newPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyParams
Write-Host "Created policy: $($newPolicy.DisplayName) in Report-Only mode"
Write-Host "Policy ID: $($newPolicy.Id)"
```
Check Admin Device Compliance Status
```powershell
# Connect to Graph (Directory.Read.All covers role members, users and their owned devices)
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All", "RoleManagement.Read.Directory", "Directory.Read.All"

# Roles to check. Global Administrator is the role this control targets; the others are listed
# because DV-01 covers them and it is cheap to check them in the same pass.
$privilegedRoles = @(
    "Global Administrator",
    "Security Administrator",
    "Privileged Role Administrator",
    "User Administrator"
)

# Caveat: Get-MgDirectoryRoleMember returns *active* assignments only. Admins who hold a role
# as a PIM-eligible assignment are not listed here until they activate it.
$admins = @()
foreach ($roleName in $privilegedRoles) {
    $role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'" -ErrorAction SilentlyContinue
    if ($role) {
        $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
        $admins += $members | Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.user' }
    }
}
$admins = $admins | Select-Object -Unique Id

# Check device compliance for each admin
Write-Host "`nAdmin Device Compliance Status:`n"
foreach ($admin in $admins) {
    $user = Get-MgUser -UserId $admin.Id -Property DisplayName, UserPrincipalName
    # Owned devices come back as directoryObjects. The Intune record is keyed on the Entra
    # *device ID* (AdditionalProperties.deviceId), not on the directory object ID ($_.Id).
    $devices = @(Get-MgUserOwnedDevice -UserId $admin.Id -All | Where-Object {
        $_.AdditionalProperties.isManaged -eq $true
    })
    Write-Host "User: $($user.DisplayName) ($($user.UserPrincipalName))"
    if ($devices.Count -eq 0) {
        Write-Host "  WARNING: No managed devices found" -ForegroundColor Yellow
    } else {
        foreach ($device in $devices) {
            $entraDeviceId = $device.AdditionalProperties.deviceId
            $managedDevice = Get-MgDeviceManagementManagedDevice -Filter "azureADDeviceId eq '$entraDeviceId'" -ErrorAction SilentlyContinue
            if ($managedDevice) {
                $compliant = $managedDevice.ComplianceState -eq "compliant"
                $status = if ($compliant) { "Compliant" } else { "NOT COMPLIANT ($($managedDevice.ComplianceState))" }
                $color  = if ($compliant) { "Green" } else { "Red" }
                Write-Host "  Device: $($managedDevice.DeviceName) - $status" -ForegroundColor $color
            } else {
                # Entra says managed but Intune has no record: a stale registration (see Troubleshooting)
                Write-Host "  Device: $($device.AdditionalProperties.displayName) - marked managed in Entra but not found in Intune" -ForegroundColor Yellow
            }
        }
    }
    Write-Host ""
}
```
List Policy Impact via Sign-in Logs
```powershell
# Connect to Graph (the sign-ins API needs both scopes)
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$policyName = "Require Compliant Device for Global Administrators"
$since = (Get-Date).ToUniversalTime().AddDays(-3).ToString("yyyy-MM-ddTHH:mm:ssZ")

# Pull recent sign-ins and keep those where this policy was evaluated. The policy name is matched
# client-side so report-only evaluations are included whatever the enforced conditionalAccessStatus is.
$adminSignIns = Get-MgAuditLogSignIn -Top 500 -Filter "createdDateTime ge $since" |
    Where-Object { $_.ConditionalAccessPolicies.DisplayName -contains $policyName }

# PolicyResult is what matters during the pilot: in report-only mode the sign-in itself still
# succeeds (SignInError 0) and the would-be outcome is reportOnlySuccess / reportOnlyFailure.
$adminSignIns | Select-Object @{N='User';E={$_.UserDisplayName}},
    @{N='App';E={$_.AppDisplayName}},
    @{N='Device';E={$_.DeviceDetail.DisplayName}},
    @{N='Compliant';E={$_.DeviceDetail.IsCompliant}},
    @{N='PolicyResult';E={ ($_.ConditionalAccessPolicies | Where-Object { $_.DisplayName -eq $policyName }).Result }},
    @{N='SignInError';E={$_.Status.ErrorCode}},
    CreatedDateTime |
    Format-Table -AutoSize
```
Verification Checklist
After enabling the policy, verify successful implementation:
Policy Configuration
- Policy is created and in "On" state (after testing in Report-only)
- The Global Administrator role is included (and only that role for this control)
- Emergency access accounts are excluded
- "Require device to be marked as compliant" is configured as grant control
Global Admin Access Testing
- Sign in as a Global Administrator from a compliant device - access should be granted
- Sign in as a Global Administrator from a non-compliant device - access should be blocked
- Sign in as a Global Administrator from an unmanaged device - access should be blocked
- Sign in as an emergency access account from any device - access should be granted
Sign-in Log Validation
- Check Monitoring > Sign-in logs for admin sign-ins
- Verify policy is applied (not "Not applied") in the Conditional Access tab
- Confirm successful sign-ins show compliant device information
Emergency Access Validation
- Sign in with emergency access account from an unmanaged device
- Verify access is granted without device compliance requirement
- Document this test for audit purposes
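The Policy Configuration items above can be checked from Graph instead of by eye. The script below is an added example, not part of the original guide: it reads the policy back and evaluates each checklist item as a pass/fail. It assumes the policy name used in this guide and the placeholder break-glass UPNs BreakGlass1/BreakGlass2@contoso.onmicrosoft.com; change both to match your tenant.

```powershell
# Added example: read the DV-02 policy back from Graph and evaluate each checklist item.
# Assumes the policy name from this guide and the placeholder break-glass UPNs; adjust for your tenant.
Connect-MgGraph -Scopes "Policy.Read.All", "User.Read.All"

$policyName     = "Require Compliant Device for Global Administrators"
$gaTemplateId   = "62e90394-69f5-4237-9190-012177145e10"   # Global Administrator role template ID (same in every tenant)
$breakGlassUpns = @("BreakGlass1@contoso.onmicrosoft.com", "BreakGlass2@contoso.onmicrosoft.com")

$policy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$policyName'"
if (-not $policy) { throw "Policy '$policyName' not found" }
$users = $policy.Conditions.Users

# Resolve break-glass accounts; a UPN that does not resolve counts as a failed exclusion check
$breakGlassIds = @()
foreach ($upn in $breakGlassUpns) {
    $u = Get-MgUser -Filter "userPrincipalName eq '$upn'" -Property Id
    if ($u) { $breakGlassIds += $u.Id } else { Write-Warning "Break-glass account '$upn' not found in the tenant" }
}
$missingExclusions     = @($breakGlassIds | Where-Object { $users.ExcludeUsers -notcontains $_ })
$allBreakGlassExcluded = ($breakGlassIds.Count -eq $breakGlassUpns.Count) -and ($missingExclusions.Count -eq 0)

# Each entry mirrors one line of the verification checklist
$checks = [ordered]@{
    'Policy state is On'                 = ($policy.State -eq 'enabled')
    'Includes only Global Administrator' = ($users.IncludeRoles -contains $gaTemplateId) -and (@($users.IncludeRoles).Count -eq 1)
    'No user or group includes'          = (-not $users.IncludeUsers) -and (-not $users.IncludeGroups)
    'Break-glass accounts excluded'      = $allBreakGlassExcluded
    'Targets all cloud apps'             = ($policy.Conditions.Applications.IncludeApplications -contains 'All')
    'No cloud app exclusions'            = (-not $policy.Conditions.Applications.ExcludeApplications)
    'Requires compliant device'          = ($policy.GrantControls.BuiltInControls -contains 'compliantDevice')
    'No device platform condition'       = (-not $policy.Conditions.Platforms.IncludePlatforms)
}

$failed = 0
foreach ($check in $checks.GetEnumerator()) {
    if ($check.Value) {
        Write-Host ("{0,-36} PASS" -f $check.Key) -ForegroundColor Green
    } else {
        Write-Host ("{0,-36} FAIL" -f $check.Key) -ForegroundColor Red
        $failed++
    }
}
if ($failed -gt 0) { Write-Warning "$failed check(s) failed for '$policyName'; do not treat DV-02 as implemented" }
```

Run it once after Step 6 and keep the output with the test evidence from the Emergency Access Validation; the "Policy state is On" check will fail while the policy is still in report-only, which is expected during Step 5.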
Troubleshooting
Admin Blocked from Signing In
Symptom: Administrator cannot access resources despite having a compliant device.
Solutions:
- Verify the device is enrolled in Intune:
  - Check Intune admin center > Devices > search for the device
- Verify device compliance status:
  - Device must show "Compliant" status
  - Check Devices > [device] > Device compliance for specific failures
- Force device sync:
  - On the device, open Company Portal and trigger sync
- Check for stale device registration:
  - The Entra device registration and Intune enrollment must be aligned; a device that was re-imaged or re-registered can leave a stale Entra device record that Conditional Access evaluates as unmanaged
- Use the "What If" tool:
  - Conditional Access > What If > select user and resource
Policy Not Being Applied
Symptom: Sign-in logs show the policy as "Not applied."
Solutions:
- Verify the user holds an active Global Administrator assignment; this policy includes only that role, so sign-ins by other admin roles are covered by DV-01, not here
- Confirm the sign-in targets a cloud app and platform the policy covers (All cloud apps with no app exclusions and no platform condition in this control)
- Ensure the policy is set to "On" (not "Report-only"); report-only evaluations appear on the Report-only tab of the sign-in, not as "Applied"
- Review exclusions: the user may be in an excluded group
Emergency Account Still Requires Compliance
Symptom: Break-glass account is blocked for non-compliance.
Solutions:
- Verify the emergency account is in the policy exclusion list as a direct user exclusion, not only through a group whose membership could change
- Check for typos in the excluded account UPNs
- Ensure no other CA policy requires device compliance for this account: Conditional Access has no evaluation order, every policy whose assignments match the sign-in is enforced together, so the account must be excluded from each policy that applies a device grant control, not just this one
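Because every matching policy is enforced, the useful check is across all policies, not just DV-02. The script below is an added example (not part of the original guide): it lists every policy that is On or Report-only and applies a compliant-device or hybrid-join grant control, then reports whether each break-glass account is in scope and whether it is excluded. It assumes the placeholder break-glass UPNs from this guide. Includes and excludes by user, transitive group membership and active directory role are resolved; conditions such as platform or location are not, so treat a LOCKOUT RISK row as something to confirm with the What If tool rather than as a verdict.

```powershell
# Added example: audit break-glass exclusions across all CA policies that require a device control.
# Assumes the placeholder break-glass UPNs from this guide; Directory.Read.All covers users, groups and roles.
Connect-MgGraph -Scopes "Policy.Read.All", "Directory.Read.All"

$breakGlassUpns = @("BreakGlass1@contoso.onmicrosoft.com", "BreakGlass2@contoso.onmicrosoft.com")
$deviceControls = @('compliantDevice', 'domainJoinedDevice')   # "compliant" and "hybrid joined" grant controls

# Keep only policies that are On or Report-only and carry a device grant control
$devicePolicies = foreach ($p in (Get-MgIdentityConditionalAccessPolicy -All)) {
    if ($p.State -eq 'disabled') { continue }
    $controls = @($p.GrantControls.BuiltInControls)
    if ($controls | Where-Object { $_ -in $deviceControls }) { $p }
}

$report = foreach ($upn in $breakGlassUpns) {
    $account = Get-MgUser -Filter "userPrincipalName eq '$upn'" -Property Id, UserPrincipalName
    if (-not $account) { Write-Warning "Break-glass account '$upn' not found"; continue }

    # transitiveMemberOf returns groups and activated directory roles; roles are matched by template ID
    $memberships     = Get-MgUserTransitiveMemberOf -UserId $account.Id -All
    $groupIds        = @($memberships | Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.group' } | ForEach-Object { $_.Id })
    $roleTemplateIds = @($memberships | Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.directoryRole' } | ForEach-Object { $_.AdditionalProperties.roleTemplateId })

    foreach ($p in $devicePolicies) {
        $u = $p.Conditions.Users
        $inScope  = ($u.IncludeUsers -contains 'All') -or ($u.IncludeUsers -contains $account.Id) -or
                    (@($u.IncludeGroups | Where-Object { $_ -in $groupIds }).Count -gt 0) -or
                    (@($u.IncludeRoles  | Where-Object { $_ -in $roleTemplateIds }).Count -gt 0)
        $excluded = ($u.ExcludeUsers -contains $account.Id) -or
                    (@($u.ExcludeGroups | Where-Object { $_ -in $groupIds }).Count -gt 0) -or
                    (@($u.ExcludeRoles  | Where-Object { $_ -in $roleTemplateIds }).Count -gt 0)
        $finding  = if ($inScope -and -not $excluded) { 'LOCKOUT RISK' } else { 'ok' }
        [pscustomobject]@{
            Account  = $account.UserPrincipalName
            Policy   = $p.DisplayName
            State    = $p.State
            Controls = ($p.GrantControls.BuiltInControls -join ',')
            InScope  = $inScope
            Excluded = $excluded
            Finding  = $finding
        }
    }
}

$report | Sort-Object Account, Policy | Format-Table -AutoSize
```

A break-glass account is usually itself a Global Administrator, so it will show as in scope for DV-02 through the role include; the row is only acceptable when Excluded is True. Rows for policies in report-only state are not blocking today but will be the moment that policy is switched on.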
Users on Shared/Kiosk Devices
Symptom: Admins cannot access from shared workstations.
Solutions:
- Consider Shared Device Mode for specific devices
- Create an exception group for specific shared device scenarios, keeping it small and reviewed: every excepted device is one a Global Admin can be phished or keylogged on without this control noticing
- Prefer dedicated, compliant Privileged Access Workstations (PAW) for admins over exceptions (see CA-06)
- Use Azure Virtual Desktop with Intune-enrolled, compliant session hosts so the privileged session originates from a managed device even when the user's physical endpoint is not compliant
Policy Configuration Summary
| Setting | Value |
|---|---|
| Policy Name | Require Compliant Device for Global Administrators |
| Users - Include | Directory role: Global Administrator |
| Users - Exclude | Emergency access accounts |
| Cloud Apps | All cloud apps |
| Conditions | None (applies to all platforms) |
| Grant | Require device to be marked as compliant |
| Session | None |
| Enable Policy | On (after Report-only testing) |
Related Controls
- DV-01: Require Compliant Devices for Admin Access - Extends the device requirement to the broader set of admin roles
- PA-03: Configure Emergency Access Accounts - Ensure break-glass accounts exist and are excluded
- CA-06: Restrict Admin Access to Privileged Access Workstations - Advanced device security for admins (Level 3)
- PA-05: Require Phishing-Resistant MFA for Admins - Additional authentication protection