🎯 Purpose
✅ Ensure users can only access Microsoft cloud resources from managed devices (Intune‑compliant or Microsoft Entra hybrid joined, referred to below as Hybrid AD‑joined).
➡️ Strengthens device trust and aligns to Essential Eight – Maturity Level 2 requirements for strong, phishing‑resistant multi‑factor authentication.
👥 Who is affected
✅ Users: All users
🚫 Exclusions: One exclusion group (commonly used for break‑glass or service accounts)
➡️ All standard users must sign in from a managed device to access cloud resources.
☁️ What access is protected
✅ Applications: All cloud applications
✅ Client types: Browser, mobile apps and desktop clients, and legacy authentication clients (if included in the policy scope)
➡️ Any sign‑in to any Microsoft cloud app must originate from a compliant or Hybrid AD‑joined device. Legacy authentication clients cannot present device state or satisfy an Authentication Strength, so when they are in scope the policy effectively blocks them.
🔐 How access enforcement works
✅ Device requirement:
Intune‑compliant device OR
Hybrid AD‑joined device
➡️ Unmanaged, personal, or non‑compliant devices are blocked once the policy is enforced. Hybrid join applies to Windows only, so macOS, iOS and Android devices can satisfy the policy only through Intune compliance.
🔒 Authentication Strength (E8 – Maturity Level 2)
This policy also requires a custom Authentication Strength:
Name: E8‑Authentication Strength‑M2
Requirement: MFA
Allowed methods:
Windows Hello for Business
FIDO2 security keys
X.509 certificate MFA
Temporary Access Pass (one‑time & multi‑use)
➡️ Aligns with Essential Eight Maturity Level 2 by restricting MFA to strong methods. Windows Hello for Business, FIDO2 and certificate‑based MFA are phishing‑resistant; Temporary Access Pass is not, so it should remain an onboarding and recovery credential rather than an everyday sign‑in method.
ℹ️ Check the grant operator: a Conditional Access grant block applies one operator to every selected control. With "Require one of the selected controls", a compliant device alone would satisfy the grant with no MFA; the device requirement and the Authentication Strength must both be required, which in practice means "Require all the selected controls" or splitting the device and MFA requirements into separate policies.
⚙️ What this policy does NOT enforce
🚫 Location restrictions
🚫 Platform restrictions
🚫 Device filters
🚫 Session controls
🚫 Risk‑based conditions
➡️ The focus is purely on device trust + secure MFA methods.
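The configuration described in the sections above, expressed with the Microsoft Graph PowerShell SDK. This is an added example and not the tenant's own deployment script. The exclusion group ID and the policy display names are assumptions. Because one grant block has a single operator, the "(compliant OR hybrid joined) AND Authentication Strength" requirement is modelled here as two policies, both created in report‑only state as the Policy status section describes; every applicable policy must be satisfied, which gives the AND.

```powershell
# Added example (not the original deployment script): builds the custom
# authentication strength and the Conditional Access policy set described
# above using the Microsoft Graph PowerShell SDK.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess',
                        'Policy.ReadWrite.AuthenticationMethod',
                        'Policy.Read.All'

# ASSUMPTION: object ID of the exclusion group (break-glass / service accounts)
$ExclusionGroupId = '00000000-0000-0000-0000-000000000000'

# 1. Custom authentication strength limited to the methods listed on the page.
#    Values are Graph authenticationMethodModes enum members.
$strengthBody = @{
    displayName         = 'E8-Authentication Strength-M2'
    description         = 'Essential Eight ML2: phishing-resistant MFA, TAP for onboarding only'
    allowedCombinations = @(
        'windowsHelloForBusiness'
        'fido2'
        'x509CertificateMultiFactor'
        'temporaryAccessPassOneTime'
        'temporaryAccessPassMultiUse'
    )
}
$strength = New-MgPolicyAuthenticationStrengthPolicy -BodyParameter $strengthBody

# 2. Conditions shared by both policies: all users minus the exclusion group,
#    all cloud apps, all client app types (browser, mobile/desktop, legacy).
$common = @{
    users = @{
        includeUsers  = @('All')
        excludeGroups = @($ExclusionGroupId)
    }
    applications   = @{ includeApplications = @('All') }
    clientAppTypes = @('all')
}

# 3a. Device trust: compliant OR Hybrid AD-joined (single operator per grant block).
$devicePolicy = @{
    displayName   = 'E8-M2 Require managed device'          # assumed name
    state         = 'enabledForReportingButNotEnforced'     # report-only
    conditions    = $common
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice', 'domainJoinedDevice')
    }
}

# 3b. Authentication strength as a separate policy so that it is required
#     in addition to, not instead of, the device controls.
$mfaPolicy = @{
    displayName   = 'E8-M2 Require authentication strength' # assumed name
    state         = 'enabledForReportingButNotEnforced'     # report-only
    conditions    = $common
    grantControls = @{
        operator               = 'OR'                       # single control
        authenticationStrength = @{ id = $strength.Id }
    }
}

$created = foreach ($p in $devicePolicy, $mfaPolicy) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p
}
$created | Select-Object DisplayName, State, Id
```

The script deliberately never sets `state = 'enabled'`; switching either policy On is a separate, reviewed change after the report‑only results have been examined and the exclusion group has been confirmed to contain the break‑glass accounts.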
🟢 Policy status
⚠️ Report‑only (not Off: sign‑ins are evaluated and logged against the policy, but the grant controls are not enforced)
➡️ Currently monitoring only, not actively enforcing. Before switching the policy to On, review the report‑only results in the sign‑in logs, confirm the exclusion group contains the break‑glass accounts, and confirm the custom Authentication Strength exists in the tenant.
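A way to review what the report‑only policy would have done before it is enforced, added here as an example and not part of the original page. It reads the Entra sign‑in log through Microsoft Graph and summarises the report‑only outcome per user and client; the policy display name and the seven‑day look‑back window are assumptions.

```powershell
# Added example: summarise report-only outcomes for one Conditional Access
# policy from the Entra sign-in log before the policy is switched to On.
# Requires: Install-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$PolicyName = 'E8-M2 Require managed device'      # ASSUMPTION: policy display name
$Since      = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-dd\THH:mm:ss\Z")

# Interactive sign-ins in the window; each carries the list of CA policies
# evaluated for it, including report-only ones.
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $Since" -All

$results = foreach ($s in $signIns) {
    $applied = $s.AppliedConditionalAccessPolicies |
        Where-Object DisplayName -eq $PolicyName
    if ($null -ne $applied) {
        [pscustomobject]@{
            User   = $s.UserPrincipalName
            App    = $s.AppDisplayName
            Client = $s.ClientAppUsed          # 'Browser', 'Mobile Apps and Desktop clients', legacy names
            OS     = $s.DeviceDetail.OperatingSystem
            Trust  = $s.DeviceDetail.TrustType # 'Hybrid Azure AD joined', 'Azure AD joined', registered, or empty
            Result = $applied.Result           # reportOnlySuccess / reportOnlyFailure / reportOnlyNotApplied / reportOnlyInterrupted
        }
    }
}

# Overall distribution of outcomes for this policy
$results | Group-Object Result | Select-Object Name, Count

# Sign-ins that WOULD have been blocked, grouped to show who and from what
# (unmanaged macOS/iOS devices and legacy clients typically surface here).
$results | Where-Object Result -eq 'reportOnlyFailure' |
    Group-Object User, Client, OS | Sort-Object Count -Descending |
    Select-Object Count, Name
```

A non‑empty `reportOnlyFailure` set for accounts that are supposed to be excluded (break‑glass or service accounts) means the exclusion group is incomplete and the policy should not be enabled until that is corrected.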
📘 Essential Eight Alignment
✅ Aligns with Essential Eight – Maturity Level 2 device and authentication requirements
➡️ Enforces strong MFA methods and managed device access
ℹ️ Supports uplift towards Maturity Level 3 (broader phishing‑resistant authentication)
📘 Practical Interpretation (Executive‑Friendly)
This Conditional Access policy ensures that:
✅ Every user
✅ Accessing any Microsoft cloud application
✅ Must sign in from a managed device
and
✅ Must meet a higher‑security MFA standard (E8 M2)
This provides a strong security baseline: it prevents sign‑ins from personal or unmanaged devices, limits the value of a stolen password by requiring strong MFA, and supports Essential Eight maturity uplift. It does not restrict sign‑in location or platform, and it is currently report‑only, so none of this is enforced until the policy is switched on.

