Build resilience with device states

Enabling device states in Azure Active Directory (Azure AD) lets administrators author Conditional Access policies that grant or block access to applications based on the state of the device making the request. A trusted device state can satisfy strong authentication requirements for resource access, which reduces the number of multi-factor authentication (MFA) prompts users see and improves resiliency when the MFA service or its dependencies are unavailable.

The following flow chart presents ways to onboard devices in Azure AD that enable device states. You can use more than one in your organization.

[Figure: flow chart for choosing device states]

When you use device states, in most cases users get single sign-on (SSO) to resources through a Primary Refresh Token (PRT). The PRT contains claims about both the user and the device, and Azure AD uses those claims when it issues access tokens to applications from that device. The PRT is valid for 14 days and is continuously renewed as long as the user actively uses the device, so an outage shorter than that window does not by itself force a fresh interactive sign-in. For more information about how a PRT acquires multi-factor authentication claims, see When does a PRT get an MFA claim.

How do device states help?

When a device presents its PRT to request a token for an application, Azure AD trusts the device, session, and MFA claims the PRT carries. If an administrator creates a policy that requires either a device-based control (a compliant or hybrid Azure AD joined device) or an MFA control, the requirement can be satisfied by the device state alone, without a new MFA challenge. Once a user has satisfied MFA on the device, so that the PRT carries an MFA claim, they are not prompted again on that device for the lifetime of the PRT. This makes access resilient to a disruption of the Azure AD Multi-Factor Authentication service or of its dependencies, such as the local telecom providers that deliver SMS and voice-call verification.
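The policy shape described above, as an added example using the Microsoft Graph PowerShell SDK (this is not code from the original article): the grant control uses the OR operator so that a compliant or hybrid Azure AD joined device satisfies the policy without MFA, while devices with neither state still fall back to an MFA prompt. The policy is created in report-only mode so you can review sign-in logs before enforcing it. The placeholder `<break-glass-account-object-id>` is an assumption and must be replaced with the object ID of your emergency access account.

```powershell
# Added example, not from the original article. Requires the Microsoft.Graph PowerShell SDK.
# Delegated permissions: Policy.ReadWrite.ConditionalAccess and Application.Read.All.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$params = @{
    displayName = "Require compliant or hybrid joined device, or MFA"
    # Report-only first: evaluate in sign-in logs, then switch to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            # Placeholder (assumption): always exclude your emergency access account
            # so a misconfigured policy cannot lock administrators out.
            excludeUsers = @("<break-glass-account-object-id>")
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # "OR" means "require one of the selected controls": a PRT carrying a
        # compliant or hybrid-joined device claim satisfies the policy with no MFA prompt.
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice", "mfa")
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
$policy | Select-Object Id, DisplayName, State
```

If you set `operator` to "AND" instead, the device-state claim no longer substitutes for MFA and the resiliency benefit described above is lost; check the operator whenever a policy is edited in the portal, since "require all the selected controls" is an easy mistake to make.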

How do I implement device states?

  • Enable hybrid Azure AD join and Azure AD join for company-owned Windows devices and require that they be joined, if possible. If that is not possible, require that they be registered. If there are older versions of Windows in your organization, upgrade those devices to Windows 10, which is required for the PRT.
  • Standardize user browser access on either Microsoft Edge, which supports the PRT natively on Windows, or Google Chrome with the Windows 10 Accounts extension, so that browser sessions get seamless SSO to web applications using the PRT.
  • For personal or company-owned iOS and Android devices, deploy the Microsoft Authenticator App. In addition to MFA and password-less sign-in capabilities, the Microsoft Authenticator app enables single sign-on across native applications through brokered authentication with fewer authentication prompts for end users.
  • For personal or company-owned iOS and Android devices, use mobile application management to securely access company resources with fewer authentication requests.
  • For macOS devices, use the Microsoft Enterprise SSO plug-in for Apple devices (preview) to register the device and provide SSO across browser and native Azure AD applications. Then, based on your environment, follow the steps specific to Microsoft Intune or Jamf Pro.
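After rolling out the steps above, verify on a Windows device that it actually has the join state your policy expects and that the signed-in user holds a PRT. The following is an added example (not code from the original article) that parses the output of the built-in `dsregcmd /status` command; the field names `AzureAdJoined`, `DomainJoined`, `AzureAdPrt`, `AzureAdPrtUpdateTime`, `DeviceId` and `TenantName` are those printed by the tool.

```powershell
# Added example, not from the original article. Run as the signed-in user (not an
# elevated different account), because the SSO State section reports that user's PRT.
function Get-DeviceStateSummary {
    $lines = dsregcmd /status
    $state = @{}
    foreach ($line in $lines) {
        # Value lines look like "    AzureAdJoined : YES"; section banners are skipped.
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]@{
        AzureAdJoined       = ($state['AzureAdJoined'] -eq 'YES')
        DomainJoined        = ($state['DomainJoined']  -eq 'YES')
        # Hybrid Azure AD joined = joined to both the on-premises domain and Azure AD.
        HybridAzureAdJoined = ($state['AzureAdJoined'] -eq 'YES' -and $state['DomainJoined'] -eq 'YES')
        HasPrt              = ($state['AzureAdPrt'] -eq 'YES')
        PrtUpdateTime       = $state['AzureAdPrtUpdateTime']
        DeviceId            = $state['DeviceId']
        TenantName          = $state['TenantName']
    }
}

$summary = Get-DeviceStateSummary
$summary

if (-not $summary.AzureAdJoined) {
    Write-Warning "Device is not Azure AD joined or hybrid joined; device-based grant controls will not be satisfied and users will still be prompted for MFA."
}
elseif (-not $summary.HasPrt) {
    Write-Warning "Device is joined but the current user has no PRT; SSO and MFA-claim reuse will not work until the user signs in again with a work account."
}
```

A device that reports `AzureAdJoined : NO` and `DomainJoined : YES` has not completed hybrid join (commonly a pending device registration or a missing Service Connection Point); such devices are still evaluated by Conditional Access as unknown and will not benefit from the policy shape described earlier.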

Next steps

Resilience resources for administrators and architects

Resilience resources for developers