Any Device, Any Network, Anywhere: The Microsoft 365 Default You Should Turn Off First
TL;DR
- By default, Microsoft 365 users can access corporate data from any device, on any network, anywhere in the world.
- A Conditional Access policy that blocks devices which are not Entra Joined or Entra Hybrid Joined is the Layer 1 control every tenant should reach within 90 days of onboarding.
- Requiring a compliant device is the Layer 2 step-up, and it depends on Intune enrollment plus enforced compliance policies.
- As of November 2024, Intune compliance reporting is inconsistent enough that we recommend running compliance policies without sign-in restrictions first to flush out false positives.
- Attackers join devices to a compromised tenant to maintain persistence, which is exactly what a managed-device policy prevents.
Ask a Microsoft 365 tenant three questions. Which devices can reach corporate data? Which networks can they connect from? Which countries are allowed? Out of the box, the answer to all three is the same: any. Any device, any network, anywhere in the world.
No business would run its physical access that way. Nobody hands the office keys to whatever hardware shows up at the door, with no record of who owns it or what is running on it. Yet that is the default posture of every new tenant, and as of November 2024 it stays that way until someone configures a policy. This post walks through the exact Conditional Access policies that restrict access to devices you actually manage.
We covered secure options for personal and BYOD devices in a previous article, along with why educating customers toward managed-device-only access matters. This is the enforcement half of that conversation.
What the default actually exposes
By default a user can sign in from effectively any device. That device could be carrying active malware. It could belong to an attacker who just compromised the user's credentials or pulled off a token theft.
There is also the persistence angle. In a previous article on persistence techniques, we showed that one of the common moves attackers make after initial compromise is joining a device to your network so they can hide as trusted hardware and keep their access. A strong device access policy cuts that move off.
The policy matrix: where managed-device enforcement fits

The goal is to channel customers toward approved, managed devices as the only way to reach corporate resources. The first recommended policy in that progression is requiring a managed and/or compliant device, and it comes in two layers.

Customers sit at different maturity levels, so think of these as tiers you step into rather than a single switch you flip.
Layer 1: Block sign-ins from devices that are not Entra Joined
When you onboard a customer, the target inside the first 90 days is a policy that requires managed devices for sign-in. The mechanism is the device registration type in Microsoft 365: devices should be Entra Joined, or Entra Hybrid Joined if local Active Directory is still in the picture.
Here is the configuration:
- Go to the Entra Admin Center
- Protection > Conditional Access > + New Policy
- Name: Block Unmanaged Devices
- Users > All Users
- Exclude: Break Glass user, plus (for CSPs using GDAP) Guest or external users > Service Provider users
- Target Resources > All Cloud Apps
- Conditions > Filter for Devices > Exclusions > Device Trust Type = Entra Joined or Entra Hybrid Joined
- Grant > Block

Layer 2: Require the device to be compliant
Layer 2 takes the same idea further and demands more maturity. The prerequisites:
- Microsoft Intune is in use and devices are enrolled
- Device compliance policies are configured and enforced for device access
The step up is that devices must also be in a compliant, meaning healthy, state. You decide what compliant means in the Intune policy you create, but at a high level the policy is asking questions like:
- Does the device have AV turned on?
- Is the device at a low risk state in Defender?
- Is the device patched?
The operational cost is real, because you have to:
- Ensure every managed device is enrolled in Intune
- Have an SOP for handling non-compliant devices, since this policy locks users out of their accounts when a device falls out of compliance
The configuration
The prerequisite is creating and enforcing a device compliance policy (opens in new tab). Then:
- Go to the Entra Admin Center
- Protection > Conditional Access > + New Policy
- Name: Require Compliant Device
- Users > All Users
- Exclude: Break Glass user, plus (for CSPs using GDAP) Guest or external users > Service Provider users
- Target Resources > All Cloud Apps
- Grant > Require Device to be marked as Compliant

A word of caution before you enforce
We consult with a lot of MSPs, and as of November 2024 Intune is fairly inconsistent about devices falling out of compliance with no indication of why. In many cases, unenrolling and re-enrolling a device brings it back to compliant. For that reason, we always recommend turning on the device compliance policy without restricting sign-ins first, and watching whether the compliance side throws a pile of false positives. Happy end users and a quiet helpdesk are worth the extra patience.
How do you prove these policies exist across every tenant?
Checking Conditional Access by hand in one tenant is fine. Across thirty tenants it is a day gone. CloudCapsule connects to the tenants you manage and runs a security assessment against the CIS Controls, including a scan for exactly these device access policies.

Start with Layer 1 this week
If you take one action from this post, enforce the Layer 1 Conditional Access policy and end any-device access in your environment. When the device cannot be managed at all, for instance a contractor's personal laptop, the answer is a containment model rather than an exception, and we covered that playbook in our guide to secure personal device access. Registration hardening, the third leg of the standard, is covered in our policies for securing device registration.
Frequently asked questions
Should the policy block unmanaged devices or require compliant devices?
Treat them as stages, not alternatives. Blocking devices that are not Entra Joined or Hybrid Joined is achievable early because it only depends on how devices were registered. Requiring compliance comes later, once Intune enrollment is universal and you have an SOP for handling non-compliant devices.
Who should be excluded from these Conditional Access policies?
Always exclude your break glass account, and for CSPs operating under GDAP, exclude service provider users under the guest and external users section. Without those exclusions you can lock yourself out of the tenant you are trying to protect.
What happens to a user whose device falls out of compliance?
Under the Layer 2 policy they are locked out until the device returns to a compliant state. That is why you need a documented process for non-compliant devices before you enforce the policy, and why we recommend a monitoring-only period first.
Find the tenants still allowing any-device access
These two policies only protect the tenants where they actually exist. CloudCapsule scans every tenant you manage against 250+ CIS-mapped controls in about 60 seconds, including managed-device enforcement, so you know exactly where the gaps are.
Run a free assessment
Written by
Nick Ross
CEO · Microsoft MVP · Founder, T-Minus 365
Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.
Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.
Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.


