Conditional access blocks unenrolled devices
Demonstrate that conditional access policies are configured and enforced to block access attempts from devices that are not enrolled in the organization's endpoint management system.
Description
What this control does
This control enforces conditional access policies that prevent devices not enrolled in the organization's mobile device management (MDM) or unified endpoint management (UEM) platform from accessing corporate resources such as email, file shares, or SaaS applications. When a user attempts to authenticate from an unenrolled device, the identity provider evaluates device enrollment status and denies access if the device lacks a valid enrollment certificate or trust signal. This reduces the attack surface by ensuring only managed, policy-compliant endpoints can reach sensitive data.
Control objective
What auditing this proves
Demonstrate that conditional access policies are configured and enforced to block access attempts from devices that are not enrolled in the organization's endpoint management system.
Associated risks
Risks this control addresses
- Unauthorized access to corporate data from unmanaged personal devices lacking security controls such as encryption, patching, or antivirus
- Data exfiltration via bring-your-own-device (BYOD) endpoints that bypass data loss prevention and monitoring solutions
- Malware introduction from compromised personal devices that do not receive organizational security updates or threat detection
- Insider threats using shadow IT devices to circumvent logging, audit trails, and access controls applied to managed endpoints
- Compliance violations when regulated data is accessed from devices not subject to organizational security baselines or audit requirements
- Credential harvesting and session hijacking on unmanaged devices lacking multi-factor authentication enforcement or device health attestation
- Lateral movement by attackers who compromise a user's personal device and leverage stolen credentials to access corporate resources without visibility
Testing procedure
How an auditor verifies this control
- Obtain the current conditional access policy configuration export from the identity provider (e.g., Azure AD, Okta, Google Workspace) showing all policies that evaluate device enrollment or compliance status.
- Review each conditional access policy to identify rules that explicitly require device enrollment or compliance state as a condition for granting access to corporate applications and resources.
- Verify that the policies apply to all users or security groups with access to sensitive resources, excluding only justified exceptions documented in change control or exception logs.
- Identify the list of applications and resource types protected by these conditional access policies, confirming coverage includes email, collaboration platforms, file storage, and critical SaaS applications.
- Simulate an access attempt from an unenrolled test device by using a valid user account on a device not registered in the MDM/UEM system, documenting the authentication flow and access denial.
- Review access logs for a sample period (e.g., 30 days) to identify blocked login attempts attributed to device enrollment failures, confirming the policy is actively enforcing blocks.
- Interview IT administrators to confirm the enrollment process, verify there is no documented workaround or backdoor for unenrolled device access, and review any exception approval records.
- Cross-reference the list of enrolled devices in the MDM/UEM console with active user sessions in identity logs to validate that only enrolled devices have successfully authenticated during the sample period.
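The policy-review, log-review and cross-reference steps above, as an added worked example (not part of the original control page): a small Python audit helper run over a constructed policy export, device inventory and sign-in records, whose field names are assumptions rather than any vendor's real schema.

```python
# Constructed conditional access policy export (assumed shape, not a real
# vendor schema): state, scope of users, covered apps and grant controls.
POLICIES = [
    {"name": "Require managed device", "state": "enabled", "users": "all",
     "apps": ["Exchange Online", "SharePoint", "Salesforce"],
     "grant": ["require_compliant_device"]},
    {"name": "Contractor mail", "state": "disabled", "users": "group:contractors",
     "apps": ["Exchange Online"], "grant": ["require_mfa"]},
]
PROTECTED_APPS = {"Exchange Online", "SharePoint", "Salesforce", "Slack"}

# Constructed enrolled-device inventory, as exported from the MDM/UEM console.
ENROLLED = {"dev-laptop-01", "dev-phone-07"}

# Constructed IdP sign-in records for the sample period. An empty device_id
# means the IdP received no device identity at all (typical of a BYOD browser).
SIGN_INS = [
    {"user": "alice", "device_id": "dev-laptop-01", "app": "Exchange Online", "status": "success", "reason": ""},
    {"user": "bob", "device_id": "", "app": "SharePoint", "status": "blocked", "reason": "device_not_compliant"},
    {"user": "bob", "device_id": "byod-tablet", "app": "Salesforce", "status": "blocked", "reason": "device_not_enrolled"},
    {"user": "carol", "device_id": "", "app": "Slack", "status": "success", "reason": ""},
    {"user": "dave", "device_id": "dev-phone-07", "app": "Salesforce", "status": "success", "reason": ""},
]


def uncovered_apps(policies, protected_apps):
    """Policy review: protected apps not covered by an enabled, all-users
    policy whose grant control requires a compliant (enrolled) device."""
    covered = set()
    for p in policies:
        if (p["state"] == "enabled" and p["users"] == "all"
                and "require_compliant_device" in p["grant"]):
            covered.update(p["apps"])
    return protected_apps - covered


def enforcement_evidence(sign_ins, enrolled, protected_apps):
    """Log review and cross-reference: count blocks attributed to device state,
    and list successful sign-ins to protected apps from devices not in the inventory."""
    device_blocks = sum(1 for r in sign_ins
                        if r["status"] == "blocked" and r["reason"].startswith("device_"))
    violations = [(r["user"], r["app"]) for r in sign_ins
                  if r["status"] == "success" and r["app"] in protected_apps
                  and r["device_id"] not in enrolled]
    return device_blocks, violations


if __name__ == "__main__":
    print("apps lacking a managed-device policy:", uncovered_apps(POLICIES, PROTECTED_APPS))
    print("(device blocks, unenrolled successes):", enforcement_evidence(SIGN_INS, ENROLLED, PROTECTED_APPS))
```

In the sample data the one successful sign-in from an unmanaged device lands on the one application no enabled policy covers, which is exactly the coverage gap the cross-reference step is meant to surface.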
Where this control is tested