Ensuring the security of Office 365 is critical, especially as cyber threats keep evolving. Multi-factor authentication (MFA) and strong passwords add layers of protection, but attackers continue to find ways around them. One of the most effective ways to tighten access is to restrict Office 365 sign-ins to specific, known devices. This can be achieved with Conditional Access policies in Microsoft Entra ID (formerly Azure AD).
In this guide, we’ll walk through setting up Conditional Access Policies to lock down Office 365 so that only approved devices can access your Microsoft resources.
Zero Trust security is a must in today's IT landscape. By default, however, a Microsoft 365 tenant accepts sign-ins from any device in the world until restrictions are configured. Implementing device-based Conditional Access policies ensures that only devices you have registered in Entra ID and explicitly allowed can reach your organization's Microsoft resources.
With this approach, even if a user's credentials are phished, a sign-in from a device that is not on the allow list is blocked, which further strengthens your overall security posture. Two caveats are worth keeping in mind: the policy matches on the Entra device ID, so every allowed device must be Entra joined, Entra registered, or enrolled through the Company Portal before it can be added, and the policy must exclude at least one break-glass account so that a mistake in the device filter cannot lock administrators out of the tenant. Device restrictions also do not, by themselves, protect tokens already issued to an allowed device, so they complement rather than replace MFA.
If you’re looking for more guidance on securing your Microsoft environment, feel free to reach out to us!
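The policy described above can be created from a script rather than by clicking through the portal. The block below is an added example written for this article; it is not code from the original post or from Microsoft. It uses the Microsoft Graph PowerShell SDK cmdlets (`Connect-MgGraph`, `Get-MgUser`, `Get-MgDevice`, `New-MgIdentityConditionalAccessPolicy`) and assumes the `Microsoft.Graph` module is installed and the signed-in admin can consent to the listed scopes. The break-glass UPN and the device display names are placeholders, and the trusted-IP exclusion uses the Graph `AllTrusted` keyword (every trusted named location, including the MFA trusted IPs) rather than the single MFA trusted IPs location picked in the video.

```powershell
# Added example: build the "block every device except listed Entra device IDs"
# Conditional Access policy with the Microsoft Graph PowerShell SDK.
# Placeholders (not from the original article): the device names and break-glass UPN.
param(
    [string[]]$AllowedDeviceNames = @('DESKTOP-DEMO01'),      # placeholder display names
    [string]$BreakGlassUpn        = 'breakglass@contoso.example',  # placeholder UPN
    [switch]$Enforce                                           # default is report-only
)

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'Device.Read.All', 'User.Read.All' -NoWelcome

# Resolve the break-glass account first; refuse to create a block policy without it.
try {
    $breakGlass = Get-MgUser -UserId $BreakGlassUpn -Property Id -ErrorAction Stop
} catch {
    throw "Break-glass account '$BreakGlassUpn' not found; refusing to create a policy that could lock you out."
}

# Look up each allowed device. The value the filter needs is DeviceId (the Entra device ID
# shown under Hardware in Intune), NOT Id, which is the directory object ID.
$deviceIds = foreach ($name in $AllowedDeviceNames) {
    $d = Get-MgDevice -Filter "displayName eq '$name'" -Property Id, DeviceId, DisplayName
    if (-not $d) {
        throw "Device '$name' is not registered in Entra ID; join it or enroll it through the Company Portal first."
    }
    $d.DeviceId
}

# Build the filter-for-devices rule: device.deviceId -eq "<guid>" clauses joined with -or.
# Trim each GUID so stray whitespace (the failure mode called out in the video) cannot
# silently turn the allow entry into a non-match.
$rule = ($deviceIds | ForEach-Object { 'device.deviceId -eq "{0}"' -f $_.Trim() }) -join ' -or '

# Create in report-only mode unless -Enforce is given, so the sign-in logs can be
# reviewed before anyone is actually blocked.
$state = if ($Enforce) { 'enabled' } else { 'enabledForReportingButNotEnforced' }

$policy = @{
    displayName   = 'Device Restriction'
    state         = $state
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.Id) }
        applications = @{ includeApplications = @('All') }
        # mode = 'exclude': the block applies to every device that does NOT match the rule.
        devices      = @{ deviceFilter = @{ mode = 'exclude'; rule = $rule } }
        # Onboarding path from the video: trusted IPs are excluded so a brand-new device
        # can register from the office before its device ID is added to the rule.
        locations    = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"
Write-Host "Device filter rule: $rule"
```

Run it once without `-Enforce`, watch the sign-in logs for report-only results against the devices you expect to pass, then re-run with `-Enforce` (or flip the state in the portal). To add devices later, rebuild the rule with the extra names and update the existing policy rather than creating a second block policy.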
0:02 So, I just wanted to make a quick video on how to lock down Office 365 on a per-device basis.
0:10 So, this is going to be done through Conditional Access Policies. So, let’s go into Conditional Access here, Policies. What we’re going to do is create a new policy.
0:21 So, I actually have one already created. So, we’re going to go into Device Restriction. We’re going to tell it to include all users.
0:30 Make sure you exclude any break-glass accounts, so you don’t lock yourself out. We’re going to tell it to block access to all cloud apps.
0:40 So, pretty much across the board, any device in the world tries to log in, it’s going to be blocked.
0:46 They’re not going to be able to get into any Microsoft resource. What we’re going to then do is set up one condition here, which says filter for devices.
0:57 And then we’re going to exclude. The default setting when you turn this on is that it’s going to be on Include.
1:02 You want to make sure you turn this to Exclude. Change this to Device ID. We’re going to change that to Equals.
1:09 And then we’re going to pull the device ID from another screen here. So, there’s so many different places to get to this.
1:18 But just for this quick video, it’s going to be intune.microsoft.com. This can be done on Windows, Mac, and iPhone devices.
1:28 The only thing to note on there is that for this policy to work properly, any device that you want to set this up on has to be either AzureJoin, EntraJoin, or IntuneJoin.
1:45 If it’s an iPhone or an Android, you want to use the Company Portal. Even if it’s a BYOD device, they can sign in with the Company Portal, and then that device is going to be registered. It’s going to show up here and get a device ID, and then you can use that Conditional Access Policy against it.
2:04 So, this one’s going to be a Windows computer. We’re going to go into hardware, Microsoft Entra device ID, and we’re going to copy this over.
2:17 Before I paste this in here, I set up a demo computer. This is just an AzureJoin Windows computer to the Microsoft account.
2:27 You can see if I try to log in to portal.office.com, it’s going to get blocked by the Conditional Access Policy that’s on.
2:38 We’re going to paste this value in, just make sure there’s no spaces before or after this value or it’s not going to work properly.
2:48 If you want to add more devices, you can pretty much easily go into your device list and just copy all the device IDs down.
2:55 You want to make sure this is on OR. And then device ID equals, and then you can keep popping in all the devices that you want to allow on there.
3:00 So we’re going to hit Done. Hit Save. I’ll give that maybe about a minute.
3:11 Sometimes it takes a few minutes or five minutes. I’ve even seen up to 20 minutes for these Conditional Access Policies to go through.
3:20 I know one thing with IT is we’re always doing Zero Trust and Least Privilege, but what Microsoft does seems kind of backwards. We allow every device in the world to connect to our client accounts.
3:34 Now, they’re protected with passwords and multi-factor, but everyone knows these days it’s pretty easy for them to get hacked even if they have multi-factor.
3:43 So what this is going to do is just across the board block everyone from getting in.
3:49 There are a couple of things I’ll show you on there just to make it a little easier to join devices.
3:55 So if we go back to this account, I’m just going to log out to portal.org. Yep, it goes right through now with that device ID in there.
4:09 If in the future you want to add a new device to Intune, by default, it’s going to be blocked.
4:19 There are a couple of different ways to handle that. You could temporarily put this in Report Only, which I probably wouldn’t recommend.
4:26 The other thing you could do is set up IP exclusions for these policies. You could actually call this IP and Device Restriction or have these separated into different policies.
4:40 What you want to do is exclude multi-factor authentication trusted IPs. You can hit Save on there.
4:49 The place where you put your IP addresses is under Named Locations. Again, there are so many different ways to get to this through Entra or Intune.
5:00 We’ve got a multi-conditional access, named locations, configure IPs, and then any static IPs your company has can be added here.
5:17 If you’re using SASE, you could put all those IPs in here too. As long as a new device is on that IP, it could join, and then you can do the device ID exclusion on there too.
5:26 So, I think that’s pretty much everything I wanted to go over. Thanks.