CISA.MS.AAD.3.7 - Managed devices SHOULD be required for authentication.
Overview
Managed devices SHOULD be required for authentication.
Rationale: Requiring a managed device for authentication reduces the risk of an adversary authenticating to the tenant from a device they control. Managed devices are provisioned and controlled by the agency. OMB M-22-09 states, "When authorizing users to access resources, agencies must consider at least one device-level signal alongside identity information about the authenticated user."
Remediation action:
Create a Conditional Access policy that requires the user's device to be either Microsoft Entra hybrid joined or marked as compliant at authentication. Configure the new policy with the settings below:
- In the Entra admin center, under Protection > Conditional Access, select Policies.
- Click New policy.
- Under New Conditional Access policy, set:
- Users > Include > All users
- Target resources > Cloud apps > All cloud apps
- Access controls > Grant > Grant Access > Require device to be marked as compliant and Require Microsoft Entra hybrid joined device > For multiple controls > Require one of the selected controls
- Click Save.
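The same policy can be created and verified with the Microsoft Graph PowerShell SDK instead of the portal. The block below is an added example, not code from the Maester project or the CISA baseline: `New-ManagedDevicePolicy` submits the policy described in the steps above through `New-MgIdentityConditionalAccessPolicy`, and `Test-ManagedDevicePolicy` checks a set of policy objects against the page's criteria (all users, all cloud apps, grant operator OR, both the compliant-device and hybrid-joined controls). The display name, the choice to start in report-only mode, and the sample policy objects are assumptions made for the example; the check does not inspect exclusions, so a policy that excludes an emergency-access account still passes, and it may differ from the logic in `Test-MtCisaManagedDevice`.

```powershell
# Added example (not Maester or CISA code). Assumes the Microsoft.Graph.Identity.SignIns
# module is installed and Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'
# has been run before calling New-ManagedDevicePolicy. The check below runs offline.

function Test-ManagedDevicePolicy {
    # Returns $true if at least one policy requires a compliant OR hybrid-joined
    # device for all users on all cloud apps. Exclusions are not inspected.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Policies,
        [switch] $AllowReportOnly   # accept report-only policies during rollout
    )
    $acceptedStates = @('enabled')
    if ($AllowReportOnly) { $acceptedStates += 'enabledForReportingButNotEnforced' }

    $matching = @($Policies | Where-Object {
        $_.State -in $acceptedStates -and
        @($_.Conditions.Users.IncludeUsers) -contains 'All' -and
        @($_.Conditions.Applications.IncludeApplications) -contains 'All' -and
        $_.GrantControls.Operator -eq 'OR' -and          # "Require one of the selected controls"
        @($_.GrantControls.BuiltInControls) -contains 'compliantDevice' -and
        @($_.GrantControls.BuiltInControls) -contains 'domainJoinedDevice'
    })
    return ($matching.Count -gt 0)
}

function New-ManagedDevicePolicy {
    # Live call; the display name and report-only start state are assumptions.
    param([string] $DisplayName = 'CISA MS.AAD.3.7 - Require managed device')
    $body = @{
        displayName   = $DisplayName
        state         = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after review
        conditions    = @{
            users        = @{ includeUsers = @('All') }
            applications = @{ includeApplications = @('All') }
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @('compliantDevice', 'domainJoinedDevice')
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Constructed sample objects shaped like Get-MgIdentityConditionalAccessPolicy output.
function New-SamplePolicy ([string] $Name, [string] $State, [string[]] $IncludeUsers) {
    [pscustomobject]@{
        DisplayName   = $Name
        State         = $State
        Conditions    = [pscustomobject]@{
            Users        = [pscustomobject]@{ IncludeUsers = $IncludeUsers }
            Applications = [pscustomobject]@{ IncludeApplications = @('All') }
        }
        GrantControls = [pscustomobject]@{
            Operator        = 'OR'
            BuiltInControls = @('compliantDevice', 'domainJoinedDevice')
        }
    }
}

# Constructed group id: a policy scoped to one group does not satisfy the baseline.
$scoped     = New-SamplePolicy 'Pilot group only' 'enabled' @('00000000-0000-0000-0000-000000000001')
$reportOnly = New-SamplePolicy 'Managed device (report-only)' 'enabledForReportingButNotEnforced' @('All')
$enforced   = New-SamplePolicy 'Managed device' 'enabled' @('All')

"Scoped only:              $(Test-ManagedDevicePolicy -Policies @($scoped))"
"Report-only, strict:      $(Test-ManagedDevicePolicy -Policies @($scoped, $reportOnly))"
"Report-only, rollout:     $(Test-ManagedDevicePolicy -Policies @($scoped, $reportOnly) -AllowReportOnly)"
"Enforced:                 $(Test-ManagedDevicePolicy -Policies @($scoped, $reportOnly, $enforced))"

# Live usage after Connect-MgGraph:
#   New-ManagedDevicePolicy
#   Test-ManagedDevicePolicy -Policies (Get-MgIdentityConditionalAccessPolicy -All) -AllowReportOnly
```

Run the offline part as-is to see how scope and state affect the result; against a real tenant, review the report-only sign-in log entries for the new policy before changing its state to `enabled`, since a policy scoped to all users with no exclusions will also block any account that signs in from an unmanaged device.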
Related links
- Entra admin center - Conditional Access | Policies
- CISA Strong Authentication & Secure Registration - MS.AAD.3.7v1
- CISA ScubaGear Rego Reference
Test Metadata
| Field | Value |
|---|---|
| Test ID | CISA.MS.AAD.3.7 |
| Severity | High |
| Suite | CISA |
| Category | Entra ID P1 |
| PowerShell test | Test-MtCisaManagedDevice |
| Tags | CISA, CISA.MS.AAD.3.7, Entra ID P1, MS.AAD, MS.AAD.3.7 |
Source
- Pester test: tests/cisa/entra/Test-MtCisaManagedDevice.Tests.ps1
- PowerShell source: powershell/public/cisa/entra/Test-MtCisaManagedDevice.ps1