High

No CA policy requires compliant or hybrid-joined devices

No enabled Conditional Access policy enforces device compliance or hybrid Azure AD join for access.

Category: Authentication
Default severity: High
Rule key: CHECK_CA_DEVICE_COMPLIANCE
Last updated

How to fix it

Create a Conditional Access policy requiring a compliant or hybrid-joined device for access to sensitive applications. This mitigates token theft and access from unmanaged devices.
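
To confirm that a policy you created actually satisfies this condition, the following added example (not EntraAnalyzer's own code) evaluates policy objects shaped like the Microsoft Graph `conditionalAccessPolicy` resource, as returned by `GET /identity/conditionalAccess/policies`. The function names and sample policies are constructed for illustration, and treating an `OR` grant that also offers a non-device control as not enforcing is an assumption about how strictly to read "requires".

```python
# Added example: offline evaluation of Conditional Access policy objects.
# Field names follow the Microsoft Graph conditionalAccessPolicy resource;
# function names are hypothetical and the sample data is constructed.
DEVICE_CONTROLS = {"compliantDevice", "domainJoinedDevice"}

def requires_managed_device(policy):
    """True if an enabled policy cannot be satisfied without a device control."""
    if policy.get("state") != "enabled":       # report-only and disabled do not enforce
        return False
    grant = policy.get("grantControls") or {}  # session-only policies have null grantControls
    controls = set(grant.get("builtInControls") or [])
    if not controls & DEVICE_CONTROLS:
        return False
    if grant.get("operator") == "AND":
        return True                            # every listed control must be met
    # operator OR: a non-device alternative (e.g. mfa) lets unmanaged devices through.
    # Assumption: such a policy is treated as not requiring a managed device.
    return controls <= DEVICE_CONTROLS

def check_ca_device_compliance(policies):
    """Return (passed, names of policies that enforce a managed device)."""
    enforcing = [p.get("displayName", "<unnamed>") for p in policies
                 if requires_managed_device(p)]
    return bool(enforcing), enforcing

# Constructed sample policies (not from a real tenant)
SAMPLE = [
    {"displayName": "Report-only: require compliant device",
     "state": "enabledForReportingButNotEnforced",
     "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice"]}},
    {"displayName": "MFA or compliant device",
     "state": "enabled",
     "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}},
    {"displayName": "Sign-in frequency only",
     "state": "enabled",
     "grantControls": None},
    {"displayName": "Require compliant or hybrid-joined device",
     "state": "enabled",
     "grantControls": {"operator": "OR",
                       "builtInControls": ["compliantDevice", "domainJoinedDevice"]}},
]

if __name__ == "__main__":
    passed, names = check_ca_device_compliance(SAMPLE)
    print("PASS" if passed else "FAIL", names)
```

The first three sample policies show common reasons a tenant still fails: the policy is report-only, the grant can be satisfied with MFA alone, or the policy has session controls but no grant controls.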

Required Microsoft Graph permissions

EntraAnalyzer needs the following read-only Graph permissions to evaluate this rule:

  • Policy.Read.All

Further reading

Microsoft documentation →

Run this check on your tenant

EntraAnalyzer evaluates this rule automatically on every scan and emails you the results.
