DV-03: Require Device Compliance for All Users

Overview

This guide walks you through creating a Conditional Access policy that requires a compliant or Microsoft Entra hybrid-joined device for all users accessing cloud apps. This is the tenant-wide extension of the admin-only device controls (DV-01 and DV-02): instead of protecting just privileged sign-ins, it ensures every user reaches corporate resources from a managed, healthy endpoint you control. It is a maximum-security (Level 3) control and depends on device management (Intune) already being in place.

Control ID: DV-03
Category: Conditional Access Baseline
Level: Level 3 (Maximum Security)
Severity: Medium
License Required: Microsoft Entra ID P1 (for Conditional Access) plus Microsoft Intune (for device enrollment and compliance policies)

Why This Matters

Unmanaged devices may be running malware or a keylogger, may lack disk encryption or current patches, and you have no telemetry to tell you either way. Requiring device compliance for all users ensures corporate data is only accessed from endpoints whose health Intune actually evaluates. This is a comprehensive Zero Trust control: the device, not just the user, has to prove itself at every sign-in.

Once every sign-in must come from a managed device, a stolen password alone is not enough. The attacker also needs an enrolled, compliant endpoint, which is a far higher bar. The trade-off is operational: every user must have an enrolled device, so this control belongs in environments that have finished their Intune rollout.

Expected State

  • A Conditional Access policy requires a compliant or Microsoft Entra hybrid-joined device for all users
  • All cloud applications are covered
  • Emergency access accounts are excluded

Prerequisites

Role Required: Conditional Access Administrator (the least-privileged role for this task); Security Administrator or Global Administrator also work
License Required: Microsoft Entra ID P1 for Conditional Access, plus Microsoft Intune for device management
Access: Microsoft Entra admin center and Microsoft Intune admin center
Completed Prerequisites: Devices enrolled in Intune with compliance policies assigned, and emergency access accounts in place

Before You Start

  1. Intune enrollment must be broad. This is the hard prerequisite. If a population is not enrolled and compliant, this policy will lock them out. Confirm enrollment coverage before enforcing.
  2. Compliance policies must exist and be assigned so devices can actually report compliant (see DV-01).
  3. Plan for non-standard access: kiosks, contractors on personal devices, and platforms you do not manage may need scoped exclusions or an alternative control (for example, app protection policies, see CA-05).

Time Estimate

Confirm enrollment and compliance coverage: 30-60 minutes
Create the CA policy (report-only): 15 minutes
Validate impact in report-only: validation window (days to weeks)
Enforce and monitor: 15 minutes plus ongoing
Total active work: ~1 hour plus a substantial validation window

TrueConfig Remediation

This control supports one-click enablement. TrueConfig can create the Conditional Access policy requiring device compliance in report-only mode for you. Because this is a tenant-wide control with real lockout potential, treat report-only validation as mandatory before enforcing. Prerequisite: Intune enrollment is required; users without an enrolled, compliant device will be blocked once the policy is enforced. After validation, switch the policy to On to reach the enforced expected state. The steps below cover the manual path.


Step-by-Step Instructions

Step 1: Confirm Device Enrollment and Compliance

  1. In the Microsoft Intune admin center, go to Devices and review enrollment coverage.
  2. Confirm compliance policies exist and are assigned (encryption, minimum OS version, Microsoft Defender health, etc.). A device with no compliance policy assigned does not evaluate as compliant, so unassigned populations will fail this control. See DV-01 for compliance policy setup.
  3. In the Entra admin center, go to Devices > All devices and confirm devices show as Compliant and Entra joined or Entra hybrid joined.
  4. Do not proceed to enforcement until coverage is broad enough that enforcing will not lock out legitimate users.

Step 2: Create the Conditional Access Policy in Report-Only

  1. Sign in to the Microsoft Entra admin center.
  2. Go to Protection > Conditional Access > Policies > + New policy.
  3. Name it, for example, Require Compliant Device - All Users.

Users:

  • Under Include, select All users.
  • Under Exclude:
    • Add your emergency access accounts.
    • Add any documented, scoped exception groups (kiosks, unmanaged-device contractors) with a compensating control.

Target resources:

  • Under Include, select All cloud apps (shown as All resources (formerly 'All cloud apps') in newer versions of the portal).

Grant:

  • Select Grant access.
  • Check Require device to be marked as compliant.
  • Also check Require Microsoft Entra hybrid joined device.
  • Choose Require one of the selected controls. Note what this means: a hybrid-joined device satisfies the grant whether or not it reports compliant, so the health check only applies on the compliance path. If every device must be health-checked, require only Require device to be marked as compliant and make sure hybrid-joined machines are also Intune-enrolled.
  • Click Select.

Enable policy:

  • Set to Report-only.
  • Click Create.

Step 3: Validate in Report-Only

  1. Go to Conditional Access > Insights and reporting. The workbook needs sign-in logs streamed to a Log Analytics workspace; if that is not configured, open individual sign-ins under Monitoring & health > Sign-in logs and use the Report-only tab on each event instead.
  2. Select the new policy and a representative time range. Cover at least one full business cycle so infrequent users and rarely used devices show up.
  3. Review sign-ins with the result Report-only: Failure. Each one is a user or scenario that is not on a compliant/hybrid-joined device and would be blocked once the policy is enforced.
  4. Resolve the gaps: enroll those devices, fix compliance failures, or add a documented exclusion for genuine edge cases. Re-check until the remaining failures are all expected.

Step 4: Enforce the Policy

  1. When report-only shows only expected blocks, edit the policy.
  2. Set Enable policy to On and save.
  3. From this point, all included users must sign in from a compliant or hybrid-joined device.
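Steps 2 to 4 as a Microsoft Graph PowerShell script, added here as an example rather than taken from the original guide or from TrueConfig. It creates the same policy the portal steps describe (All users, All cloud apps, compliant or hybrid-joined device, report-only) and provides a function to flip it to On after the report-only review. The emergency access group name "Emergency Access Accounts" is an assumption; substitute your own group.

```powershell
# Added example (not from the original guide). Requires the Microsoft.Graph SDK.
# Assumption: emergency access accounts are members of a group named below.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Groups

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All'

$policyName          = 'Require Compliant Device - All Users'
$breakGlassGroupName = 'Emergency Access Accounts'   # assumed name; use your own

# Refuse to build a tenant-wide device policy without a break-glass exclusion.
$breakGlass = Get-MgGroup -Filter "displayName eq '$breakGlassGroupName'"
if (@($breakGlass).Count -ne 1) {
    throw "Expected exactly one group named '$breakGlassGroupName'; found $(@($breakGlass).Count)."
}

# Do not silently create a duplicate if the policy already exists.
$existing = Get-MgIdentityConditionalAccessPolicy -All | Where-Object DisplayName -eq $policyName
if ($existing) { throw "Policy '$policyName' already exists (id $($existing.Id))." }

$body = @{
    displayName = $policyName
    # enabledForReportingButNotEnforced is "Report-only" in the portal
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlass.Id)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        # OR = "Require one of the selected controls"
        # compliantDevice    = Require device to be marked as compliant
        # domainJoinedDevice = Require Microsoft Entra hybrid joined device
        operator        = 'OR'
        builtInControls = @('compliantDevice', 'domainJoinedDevice')
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
Write-Host "Created '$($policy.DisplayName)' ($($policy.Id)) in state $($policy.State)"

# Step 4: run only after the report-only review shows expected blocks.
function Enable-Dv03Policy {
    param([Parameter(Mandatory)][string]$PolicyId)
    $p = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId
    $exclusions = @($p.Conditions.Users.ExcludeUsers).Count + @($p.Conditions.Users.ExcludeGroups).Count
    if ($exclusions -eq 0) { throw 'Refusing to enforce: the policy has no emergency access exclusion.' }
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId -State 'enabled'
    Write-Host "Policy $PolicyId is now enforced."
}
# Enable-Dv03Policy -PolicyId $policy.Id
```

The guard in Enable-Dv03Policy is deliberate: a tenant-wide device requirement with no break-glass exclusion is the fastest way to lock every administrator out of the tenant, so the script refuses to enforce rather than trusting that someone remembered the exclusion.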

Step 5: Monitor After Enforcement

  1. Go to Monitoring & health > Sign-in logs.
  2. Filter by this Conditional Access policy and status Failure.
  3. Investigate blocks: newly issued devices not yet compliant, drifted compliance, or platforms that need a scoped exception.
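The triage in Steps 3 and 5 can be scripted against the sign-in logs. This is an added example, not code from the original guide: it pulls the last seven days of sign-ins, keeps those where this policy (assumed to use the Step 2 name) failed or would have failed in report-only, and buckets them by the device attribute that explains the outcome, so you can see whether the fix is enrollment or compliance.

```powershell
# Added example (not from the original guide). Requires Microsoft.Graph.Reports.
# Assumption: the policy is named as in Step 2.
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$policyName = 'Require Compliant Device - All Users'
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# Server-side filter on time only: report-only failures do not change the
# sign-in's overall conditionalAccessStatus, so they must be found per policy.
# In a large tenant, narrow the window before using -All.
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

$hits = foreach ($s in $signIns) {
    $applied = $s.AppliedConditionalAccessPolicies | Where-Object {
        $_.DisplayName -eq $policyName -and $_.Result -in @('failure', 'reportOnlyFailure')
    }
    if (-not $applied) { continue }
    [pscustomobject]@{
        Time        = $s.CreatedDateTime
        User        = $s.UserPrincipalName
        App         = $s.AppDisplayName
        Result      = $applied.Result            # failure = enforced block, reportOnlyFailure = would block
        OS          = $s.DeviceDetail.OperatingSystem
        TrustType   = $s.DeviceDetail.TrustType  # e.g. Hybrid Azure AD joined, Azure AD registered, or empty
        IsManaged   = $s.DeviceDetail.IsManaged
        IsCompliant = $s.DeviceDetail.IsCompliant
    }
}

# Bucket by root cause: unmanaged devices need enrollment, managed but
# non-compliant devices need a compliance fix, anything else needs a look.
$hits | Group-Object -Property {
    if (-not $_.IsManaged)        { 'not enrolled (enroll or exclude)' }
    elseif (-not $_.IsCompliant)  { 'enrolled, non-compliant (fix compliance)' }
    else                          { 'other (investigate)' }
} | Select-Object Name, Count | Format-Table -AutoSize

$hits | Sort-Object Time -Descending | Format-Table -AutoSize
```

Run it during the report-only window to see who would be blocked, and again after enforcement with the same name filter; the only change is that results move from reportOnlyFailure to failure.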

Verification Checklist

  • Intune enrollment and compliance policies cover the user base
  • Devices report as compliant and Entra joined / hybrid joined
  • A Conditional Access policy targets All users for All cloud apps
  • Grant requires compliant or hybrid-joined device
  • Emergency access accounts are excluded
  • Any additional exclusions are documented with a compensating control
  • Policy validated in report-only with only expected blocks
  • Policy is enabled (On), not left in report-only
  • Post-enforcement sign-in failures are monitored
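The coverage check from Step 1 and the policy items in this checklist can be verified from the tenant rather than by eye. The script below is an added example, not part of the original guide: it summarises active Entra devices by join type and compliance state, then reads the policy back (assuming the Step 2 name) and prints PASS/FAIL for each configuration item above, along with the excluded groups so they can be matched against your exception documentation.

```powershell
# Added example (not from the original guide). Requires the Microsoft.Graph SDK.
# Assumption: the policy is named as in Step 2.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Groups
Connect-MgGraph -Scopes 'Policy.Read.All', 'Device.Read.All', 'Group.Read.All'

# Step 1 / checklist items 1-2: how many recently active devices would pass?
$devices = Get-MgDevice -All -Property 'id,operatingSystem,trustType,isCompliant,isManaged,approximateLastSignInDateTime'
$active  = $devices | Where-Object { $_.ApproximateLastSignInDateTime -gt (Get-Date).AddDays(-30) }
Write-Host "Active devices (30d): $(@($active).Count) of $(@($devices).Count) registered"
# trustType: AzureAd = Entra joined, ServerAd = Entra hybrid joined, Workplace = registered only
$active | Group-Object TrustType, IsCompliant | Select-Object Name, Count | Format-Table -AutoSize

# Checklist items 3-8: read the policy and compare to the expected state.
$policyName = 'Require Compliant Device - All Users'
$p = Get-MgIdentityConditionalAccessPolicy -All | Where-Object DisplayName -eq $policyName
if (-not $p) { throw "No Conditional Access policy named '$policyName' found." }

$users = $p.Conditions.Users
$grant = $p.GrantControls
$checks = [ordered]@{
    'Targets All users'                         = $users.IncludeUsers -contains 'All'
    'Targets All cloud apps'                    = $p.Conditions.Applications.IncludeApplications -contains 'All'
    'Requires compliant device'                 = $grant.BuiltInControls -contains 'compliantDevice'
    'Hybrid-joined accepted as alternative'     = ($grant.BuiltInControls -contains 'domainJoinedDevice') -and ($grant.Operator -eq 'OR')
    'Has an emergency access exclusion'         = (@($users.ExcludeUsers).Count + @($users.ExcludeGroups).Count) -gt 0
    'Policy is On (enabled), not report-only'   = $p.State -eq 'enabled'
}
foreach ($name in $checks.Keys) {
    $status = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
    Write-Host ("{0}  {1}" -f $status, $name)
}

# Every exclusion should map to a documented exception with a compensating control.
Write-Host "Excluded groups:"
foreach ($gid in @($users.ExcludeGroups)) { Write-Host "  $((Get-MgGroup -GroupId $gid).DisplayName) ($gid)" }
Write-Host "Excluded users: $(@($users.ExcludeUsers).Count)"
Write-Host "Excluded apps:  $(@($p.Conditions.Applications.ExcludeApplications).Count)"
```

A FAIL on the state check during the validation window is expected; everything else should already pass while the policy is still report-only, since the grant and scope are what the report-only simulation evaluates.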

Troubleshooting

"Legitimate users are locked out after enforcement"

Their device is not enrolled or not compliant. Enroll it in Intune and resolve the compliance failure, or temporarily exclude the user with documented approval while remediation happens. This is why report-only validation and enrollment coverage come first.

"Mobile users are blocked but we allow app-based access"

Requiring a compliant device is stricter than requiring an app protection policy. If you intend to allow managed-app access on mobile, use a separate policy with app protection (see CA-05) for those platforms and scope this compliant-device policy to the platforms you fully manage.

"A device shows non-compliant but looks fine"

Check the specific compliance policy result on the device in Intune (encryption, OS version, Defender status, grace period). Compliance can drift; the device must currently satisfy the assigned policy.

"Contractors on personal devices cannot work"

Personal, unmanaged devices will fail this control by design. Either enroll them, provide managed devices, or place those users in a documented exclusion group governed by an alternative control such as app protection policies.

"The policy is not applying"

Confirm the policy is On, the user is in the included All users scope and not in an exclusion, and that the target resources include the app being accessed. Use the What If tool to diagnose.


Cost Considerations

Microsoft Entra ID P1: Required for Conditional Access. Included in Microsoft 365 Business Premium, E3 and E5.
Microsoft Intune: Required for enrollment and compliance. Included in Microsoft 365 E3/E5, Enterprise Mobility + Security (EMS), and Business Premium.
Operational: The largest cost is the enrollment program itself: getting every user onto a managed device and keeping compliance healthy.

Note: DV-03 is a Level 3 control precisely because of the enrollment prerequisite. If full-fleet enrollment is not realistic yet, start with DV-01 and DV-02 (admin and Global Admin devices) and expand later.


Related Controls

Additional Resources