Conditional Access Compliant Device Access CAD013-Selected Grant access for All users when Browser and Modern Auth Clients and Compliant
Introduction
Conditional Access compliant device policies exist to solve a common security challenge. Organizations want employees to access cloud services from anywhere, but they also need assurance that the device being used meets corporate security standards. Without that control, unmanaged or unknown devices could access sensitive applications without the organization knowing whether those systems are secure.
A Conditional Access compliant device policy addresses that risk by tying access decisions to the trustworthiness of the device itself. Instead of focusing only on identity, the policy evaluates whether the device belongs to the organization and meets management requirements. If the device is recognized as trusted, access proceeds. If it is not, the user must meet the required device state before access is allowed.
This policy demonstrates how Conditional Access compliant device design can ensure that access to protected cloud applications is limited to managed or corporate-joined devices while still allowing flexible sign-in experiences through modern authentication methods.
This Policy in One Line
This Conditional Access compliant device policy requires users accessing selected cloud applications through browsers or modern authentication clients to sign in from either a compliant device or a domain-joined device.
What This Conditional Access Policy Does
The intention behind this Conditional Access compliant device policy is to ensure that access to protected applications only occurs from devices that meet organizational security standards. Rather than evaluating only who the user is, the policy evaluates the state of the device used during sign-in.
When a user attempts to access the protected applications, Microsoft Entra ID evaluates several conditions before allowing access. The policy checks how the user is signing in, which application is being accessed, and whether the device meets one of the approved trust states defined by the organization.
Access is granted only when the device satisfies one of the defined device trust conditions. The device must either be recognized as compliant with device management policies or be joined to the organization’s directory environment. This creates a clear boundary between trusted corporate devices and unknown or unmanaged systems.
The result is a security model that aligns identity verification with device trust, which is a central design principle of modern Conditional Access architecture.
Who the Policy Applies To
This Conditional Access compliant device policy applies broadly across the organization’s user population. The configuration includes all users as the primary scope of the policy, meaning that device trust requirements are evaluated for every identity attempting to access the protected applications.
Applying the policy to all users ensures that device security requirements are enforced consistently across the environment. Instead of limiting the protection to specific departments or user groups, the design treats device trust as a universal requirement for accessing the protected resources.
The configuration also includes exclusion groups. Organizations commonly use exclusion groups to support controlled exception management. These groups allow administrators to temporarily bypass a policy for specific users when necessary. For example, an exception may be required during device replacement, troubleshooting, or onboarding scenarios where the required device trust state has not yet been established.
By implementing exclusions through dedicated groups rather than individual user entries, organizations maintain better governance and can support approval workflows or time-based access exceptions while preserving the integrity of the overall Conditional Access design.
What Apps and Services the Policy Protects
This Conditional Access compliant device policy protects a defined set of cloud applications. The configuration explicitly targets several enterprise applications rather than applying the requirement to every service in the environment.
Targeting specific applications is a common Conditional Access design strategy. Security architects often begin by protecting high-value productivity or collaboration platforms that store organizational data. These services typically represent the first layer of protection because they are frequently accessed from a wide range of devices and locations.
When a user attempts to access any of the protected applications, the Conditional Access evaluation process begins. Microsoft Entra ID checks whether the sign-in matches the conditions defined in the policy. If the user meets those conditions, the device state becomes the determining factor for whether access is granted.
By protecting a defined set of applications, the policy ensures that device trust is enforced precisely where it matters most while still allowing organizations to expand protection gradually across their cloud ecosystem.
Platforms, Devices, and Client Apps in Scope
The Conditional Access compliant device policy applies across all device platforms. Instead of restricting the rule to a specific operating system such as Windows, macOS, iOS, or Android, the configuration evaluates access requests regardless of the platform being used.
The policy specifically evaluates two major client access methods. The first is browser-based access, which includes users signing in through web sessions to cloud applications. The second is modern authentication clients, which include mobile applications and desktop applications that use modern authentication protocols.
By including both browsers and modern authentication clients, the policy covers the majority of real-world sign-in scenarios. Users accessing services through web portals, desktop productivity applications, or mobile apps are all evaluated by the same Conditional Access compliant device logic.
This approach ensures that device trust requirements remain consistent regardless of how the user connects to the application. In Conditional Access architecture, consistent evaluation across client types is essential to prevent gaps where unmanaged devices could otherwise bypass security controls.
How Access Is Decided
The core of this Conditional Access compliant device policy lies in the grant control configuration that determines whether access is allowed.
During the sign-in process, Microsoft Entra ID evaluates the device state against two approved trust conditions. Access is permitted when the device meets at least one of these requirements. The device must either be recognized as compliant with organizational device management policies or be joined to the organization’s directory environment.
This configuration uses an either-or evaluation model. In practice, that means a device does not need to satisfy both conditions simultaneously. If the device is compliant, access can proceed. If the device is directory-joined, access can also proceed.
This design allows organizations to support multiple trusted device models simultaneously. Managed devices enrolled in modern device management systems can qualify through compliance status, while traditional corporate machines joined to the directory environment can qualify through their domain-joined state.
The result is a flexible Conditional Access compliant device strategy that accommodates both modern and traditional device management approaches.
What the User Experience Looks Like During Sign-In
From the user’s perspective, the Conditional Access compliant device policy operates quietly in the background during the sign-in process.
When a user signs in to one of the protected applications using a browser or modern authentication client, Microsoft Entra ID evaluates the policy conditions automatically. The user typically experiences this evaluation as part of the normal authentication flow.
If the device already meets one of the required trust states, the sign-in proceeds without interruption. The user continues into the application without noticing that the device compliance requirement has been evaluated.
If the device does not meet the required state, the user is prompted to meet the organizational device requirements before access can proceed. This may involve enrolling the device in management or signing in from a device that is already recognized by the organization.
This user experience reflects the principle that Conditional Access policies should enforce security without unnecessarily disrupting legitimate access.
Why This Policy Matters for Security and the Business
Device trust has become one of the most important pillars of modern identity security. Even when user identities are strongly protected, an unmanaged or compromised device can still introduce risk to organizational data.
The Conditional Access compliant device policy helps mitigate that risk by ensuring that access to important applications occurs only from devices that the organization recognizes and trusts. Devices that are enrolled in management or joined to the organization’s directory environment typically follow security baselines, receive updates, and comply with endpoint security standards.
For the business, this translates into stronger protection for corporate data without restricting where employees can work. Users can still access services remotely or from different locations, but they must do so from devices that meet the organization’s security expectations.
In modern Zero Trust architectures, this alignment between identity verification and device trust is essential for maintaining both security and productivity.
Is This a Foundational or Must-Have Policy?
A Conditional Access compliant device policy like this one is widely considered a foundational control in Microsoft Entra security architectures.
Organizations implementing Conditional Access often begin with device trust requirements because they address one of the most common attack surfaces: unmanaged endpoints accessing cloud services. By requiring devices to be compliant or directory-joined, the organization ensures that endpoints accessing sensitive applications follow defined security standards.
This type of policy also works well alongside other Conditional Access protections such as multifactor authentication, session controls, and risk-based access evaluation. Together, these policies create layered security that evaluates identity, device trust, and access context.
Because device trust sits at the center of endpoint security, policies like this are typically included in baseline Conditional Access frameworks used across many enterprise environments.
Important Design Choices and Things to Notice
Several design decisions in this Conditional Access compliant device policy reflect thoughtful security architecture.
First, the policy targets both browser access and modern authentication clients. This ensures that the device trust requirement applies across the most common ways users access cloud services. Without that coverage, unmanaged devices could potentially bypass the control through alternative client types.
Second, the policy supports two different device trust states. Allowing either compliant devices or directory-joined devices provides flexibility for organizations that operate hybrid environments with both modern device management and traditional directory-managed endpoints.
Third, the policy applies to all device platforms. This removes platform-based gaps and ensures that the same trust principles apply regardless of whether a user signs in from a desktop computer, laptop, or mobile device.
Together, these design choices demonstrate a balanced approach that enforces device trust while supporting diverse enterprise device environments.
Conditional Access Design Principles Behind This Policy
At its core, this Conditional Access compliant device policy reflects several key design principles used in modern identity security.
One principle is device trust enforcement. Rather than assuming all devices are equal, Conditional Access evaluates whether the endpoint itself meets organizational standards before allowing access to sensitive services.
Another principle is broad coverage across sign-in methods. By including browser access and modern authentication clients, the policy ensures consistent enforcement across different application access scenarios.
The policy also demonstrates flexible trust evaluation. Supporting both compliant devices and directory-joined devices allows organizations to accommodate different device management models while still maintaining strong security boundaries.
These principles together align closely with Zero Trust strategies, where access decisions consider identity, device state, and context before granting entry to protected resources.
Final Thoughts
Conditional Access compliant device policies represent one of the most effective ways organizations can ensure that cloud applications are accessed only from trusted endpoints.
By requiring devices to meet either compliance requirements or directory trust, this policy establishes a clear standard for device security before users reach protected applications. The design balances flexibility with strong security by allowing multiple trusted device states while maintaining strict access conditions.
For organizations building a mature Conditional Access framework, policies like this serve as a critical layer in the overall identity security architecture. They ensure that even when users authenticate successfully, the device they use must also meet the organization’s security expectations.
In modern Microsoft Entra environments, combining identity verification with device trust is no longer optional. It is a fundamental step toward securing cloud access in a distributed and device-diverse world.
