Build resilience with device states

By enabling device states with Microsoft Entra ID, administrators can author Conditional Access policies that control access to applications based on device state. Enabling device states satisfies strong authentication requirements for resource access, reduces multifactor authentication requests, and improves resiliency.

The following flow chart presents ways to onboard devices in Microsoft Entra ID that enable device states. You can use more than one in your organization.

flow chart for choosing device states

When you use device states, in most cases users will experience single sign-on to resources through a Primary Refresh Token (PRT). The PRT contains claims about the user and the device. You can use these claims to get authentication tokens to access applications from the device. The PRT is valid for 14 days and is continuously renewed as long as the user actively uses the device, providing users a resilient experience. For more information about how a PRT can get multifactor authentication claims, see When does a PRT get an MFA claim.

How do device states help?

When a PRT requests access to an application, its device, session, and MFA claims are trusted by Microsoft Entra ID. When administrators create policies that require either a device-based control or a multifactor authentication control, then the policy requirement can be met through its device state without attempting MFA. Users won't see more MFA prompts on the same device. This increases resilience to a disruption of the Microsoft Entra multifactor authentication service or dependencies such as local telecom providers.

How do I implement device states?

  • Enable Microsoft Entra hybrid joined and Microsoft Entra join for company-owned Windows devices and require they be joined, if possible. If not possible, require they be registered. If there are older versions of Windows in your organization, upgrade those devices to use Windows 10.
  • Standardize user browser access to use either Microsoft Edge or Google Chrome with supported extensions that enable seamless SSO to web applications using the PRT.
  • For personal or company-owned iOS and Android devices, deploy the Microsoft Authenticator App. In addition to MFA and password-less sign-in capabilities, the Microsoft Authenticator app enables single sign-on across native applications through brokered authentication with fewer authentication prompts for end users.
  • For personal or company-owned iOS and Android devices, use mobile application management to securely access company resources with fewer authentication requests.
  • For macOS devices, use the Microsoft Enterprise SSO plug-in for Apple devices (preview) to register the device and provide SSO across browser and native Microsoft Entra applications. Then, based on your environment, follow the steps specific to Microsoft Intune or Jamf Pro.

Next steps

Resilience resources for administrators and architects

Resilience resources for developers