Using Conditional Access to block “Sign in from another device”
Recently, I ran into an interesting scenario that fits nicely with our ongoing cybersecurity posts. What if your organization is using a non-Intune mobile device management platform and you’d like to use Conditional Access to block access to Office 365 apps on personal mobile devices? Normally this problem would be solved by requiring compliance in the Conditional Access policy (thus forcing the device to enroll, at which point you could block enrollment of personal devices using enrollment restrictions). Here’s where you run into issues:
- Third-party MDM platforms can’t report mobile device compliance (only Windows 10 compliance), so all mobile devices would be blocked
- Conditional Access policies can’t differentiate between users and devices, so you can’t target users while excluding corporate devices
This leaves us with one option – restricting access to O365 apps by location (meaning a trusted IP range: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition#location-condition-configuration). Corporate devices will be on the corporate network, and corporate mobile devices can use an always-on VPN.
Perfect! Since personal devices won’t be on the corporate network, they’ll be blocked by Conditional Access (CA). Unless… your users download Company Portal, press the “sign in from another device” option, and sign in from a device on your corporate network.
That personal device will then get an access token and be able to access O365 apps for about an hour (modern auth apps like Teams recheck location restrictions hourly). Quick aside – this post might also interest you if you use ADFS or some other hybrid identity setup that blocks users from logging in on their personal mobile device (even without an IP-range-based CA policy), because users can get around it with the same “sign in from another device” option.
So what can we do?
First – the “sign in from another device” feature cannot be disabled for the Company Portal app. It’s a feature that’s built into the app itself and not configurable.
You might be thinking – what if I stop all devices from registering in Azure AD, by changing the “Users may register their devices with Azure AD” device setting?
Well, you’re onto something, but I’d absolutely avoid doing that. That setting is required for Hybrid Azure AD Join (Windows 10), which you should be using if you’re using Azure AD at all.
What we need to do is make a Conditional Access policy that blocks Intune and Intune Enrollment for all mobile devices. This in turn limits the Company Portal experience and blocks the user from logging into Teams (or any Office 365 app) even after using Company Portal with “sign in from another device.”
In Microsoft Endpoint Manager, select Endpoint security > Conditional Access > + New policy.
You can target the policy to certain users or groups. Under Cloud apps or actions, select Select apps and select Microsoft Intune and Microsoft Intune Enrollment.
Then, under Conditions, you can select iOS & Android so only mobile devices are targeted. In the screenshot below I only select iOS for my testing.
And finally – under Grant select Block!
Now our users won’t get the token on mobile devices, and won’t have access (well, as soon as you click Enable and Save). Hooray!
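The same policy can be created with the Microsoft Graph PowerShell SDK instead of the portal. This is an added example, not code from the original post; it assumes the Microsoft.Graph module is installed, the caller can consent to the Policy.ReadWrite.ConditionalAccess and Application.Read.All scopes, and the two group IDs are placeholders you replace with your own targeted group and an exclusion group (for example, break-glass accounts).

```powershell
# Added example (not from the original post): build the "block Intune and
# Intune Enrollment on iOS/Android" Conditional Access policy via Microsoft Graph.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Placeholder group IDs - replace with your own (assumption, not from the post)
$TargetGroupId    = "00000000-0000-0000-0000-000000000001"   # users/groups to block
$ExclusionGroupId = "00000000-0000-0000-0000-000000000002"   # e.g. break-glass accounts

# Resolve the two cloud apps by display name rather than hard-coding app IDs,
# and fail early if either service principal is missing from the tenant.
$appIds = foreach ($name in "Microsoft Intune", "Microsoft Intune Enrollment") {
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$name'" | Select-Object -First 1
    if (-not $sp) { throw "Service principal '$name' not found in this tenant" }
    $sp.AppId
}

$policy = @{
    displayName = "Block Intune and Intune Enrollment on iOS/Android"
    # Report-only first lets you review sign-in logs; switch to "enabled" to enforce,
    # which is the equivalent of clicking Enable and Save in the portal.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @($appIds) }
        users          = @{
            includeGroups = @($TargetGroupId)
            excludeGroups = @($ExclusionGroupId)
        }
        # Only mobile platforms, matching the iOS & Android condition in the portal
        platforms      = @{ includePlatforms = @("iOS", "android") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"
```

After reviewing the report-only results, update the policy state to "enabled" to start blocking.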
Here’s what it will look like after they sign in from another device:
Perfect. Now we’re positive that no one will access our apps on another device.
If you think that someone HAS gotten access, you could run a command that revokes all of a specified user’s Azure AD refresh tokens: https://docs.microsoft.com/en-us/powershell/module/azuread/revoke-azureaduserallrefreshtoken?view=azureadps-2.0. Note that access tokens already issued remain valid until they expire (about an hour), so the user is cut off once those expire and cannot be silently renewed. Likewise, if you’re testing this and you had access to Teams and/or other corporate applications before implementing the Conditional Access policy, run this command to ensure that all cached tokens are purged. It revokes ALL refresh tokens for the user, regardless of device, so the user will need to reauthenticate on other managed devices as well.
Revoke-AzureADUserAllRefreshToken -ObjectId "a1d91a49-70c6-4d1d-a80a-b74c820a9a33"
And that’s all! Happy blocking!