CA Platform Bypass Detection [CHK-1181]

This check identifies Conditional Access policies that use platform-based conditions, which can be bypassed through user-agent manipulation. It scans all enabled Conditional Access policies for platform filtering (both included and excluded platforms) and evaluates the associated grant controls — including MFA requirements, compliant device requirements, and block actions.

Policies that target specific platforms only or exclude certain platforms without requiring device compliance are flagged as having bypass risk. Policies configured in the allowed policies whitelist (CHK1181_allowedPolicies) are excluded from reporting.

Rationale

Conditional Access policies that rely on device platform conditions (e.g., targeting only Windows and macOS, or excluding Linux) use the user-agent string reported by the client to determine the platform. This is a client-controlled value that can be trivially spoofed by an attacker. By modifying the user-agent string, an attacker can impersonate a platform that is excluded from the policy or not covered by it, effectively bypassing all controls enforced by that policy.

This bypass technique is well-documented and frequently exploited. For example, a policy that requires MFA only for Windows and macOS devices can be bypassed by an attacker who changes their user-agent to report as a Linux or mobile device. Similarly, a policy that blocks access from certain platforms can be circumvented by spoofing a different platform.

The only reliable mitigation for platform-based bypass is requiring a compliant or domain-joined device, because device compliance is validated server-side and cannot be spoofed through user-agent manipulation. Policies that enforce platform conditions without also requiring device compliance should be reviewed and hardened.
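The evaluation rule described above (an enabled policy with a platform condition and no server-side device requirement is exposed to user-agent spoofing) can be applied to policy data directly. The following is an added example, not the check's own source code. It expects policies in the shape of Microsoft Graph conditionalAccessPolicy objects (state, conditions.platforms, grantControls); the sample policies and the allowlist contents are constructed for the demo, and the assumption that CHK1181_allowedPolicies holds policy display names is mine.

```python
# Added example, not the check's own source: flag enabled Conditional Access
# policies whose platform condition is not backed by a device-bound grant control.

# Grant controls validated server-side; a spoofed user-agent cannot satisfy them.
DEVICE_BOUND_CONTROLS = {"compliantDevice", "domainJoinedDevice"}


def platform_condition(policy):
    """Return (includePlatforms, excludePlatforms), or None when the policy has no platform condition."""
    platforms = (policy.get("conditions") or {}).get("platforms")
    if not platforms:
        return None
    return (list(platforms.get("includePlatforms") or []),
            list(platforms.get("excludePlatforms") or []))


def is_platform_scoped(include, exclude):
    """True when some platforms fall outside the policy, i.e. there is a platform to spoof into."""
    if exclude:
        return True
    return bool(include) and "all" not in include


def requires_device_binding(policy):
    """True when every way of satisfying the grant controls involves a device-bound control."""
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    if grant.get("operator", "OR").upper() == "AND":
        # All listed controls apply, so a single device-bound control is enough.
        return bool(controls & DEVICE_BOUND_CONTROLS)
    # With OR, any one control satisfies the policy, so every control must be device-bound:
    # "mfa OR compliantDevice" still lets a spoofing client in with MFA alone.
    return bool(controls) and controls <= DEVICE_BOUND_CONTROLS


def evaluate_policies(policies, allowed_policies=()):
    """One finding per enabled, platform-scoped policy without a device requirement.
    Allowlisted policies are dropped from the output, as the check does."""
    findings = []
    for policy in policies:
        if policy.get("state") != "enabled":
            continue
        condition = platform_condition(policy)
        if condition is None:
            continue
        include, exclude = condition
        if not is_platform_scoped(include, exclude) or requires_device_binding(policy):
            continue
        if policy.get("displayName") in allowed_policies:
            continue
        grant = policy.get("grantControls") or {}
        findings.append({
            "id": policy.get("id"),
            "displayName": policy.get("displayName"),
            "includePlatforms": include,
            "excludePlatforms": exclude,
            "grantControls": sorted(grant.get("builtInControls") or []),
            "operator": grant.get("operator"),
        })
    return findings


# Constructed sample data (ids are placeholders, not real tenant values).
SAMPLE_POLICIES = [
    {"id": "constructed-1", "displayName": "Require MFA on Windows and macOS", "state": "enabled",
     "conditions": {"platforms": {"includePlatforms": ["windows", "macOS"], "excludePlatforms": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"id": "constructed-2", "displayName": "MFA everywhere", "state": "enabled",
     "conditions": {"platforms": {"includePlatforms": ["all"], "excludePlatforms": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"id": "constructed-3", "displayName": "Block Linux", "state": "enabled",
     "conditions": {"platforms": {"includePlatforms": ["linux"], "excludePlatforms": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"id": "constructed-4", "displayName": "Compliant device on Windows", "state": "enabled",
     "conditions": {"platforms": {"includePlatforms": ["windows"], "excludePlatforms": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
    {"id": "constructed-5", "displayName": "Legacy kiosk exception", "state": "enabled",
     "conditions": {"platforms": {"includePlatforms": ["windows"], "excludePlatforms": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"id": "constructed-6", "displayName": "MFA or compliant device on mobile", "state": "enabled",
     "conditions": {"platforms": {"includePlatforms": ["android", "iOS"], "excludePlatforms": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}},
    {"id": "constructed-7", "displayName": "Old Linux policy", "state": "disabled",
     "conditions": {"platforms": {"includePlatforms": ["all"], "excludePlatforms": ["linux"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

# Assumed format of the allowlist: display names of policies accepted with a justification.
CHK1181_ALLOWED_POLICIES = ("Legacy kiosk exception",)

if __name__ == "__main__":
    for finding in evaluate_policies(SAMPLE_POLICIES, CHK1181_ALLOWED_POLICIES):
        print(f"{finding['displayName']}: include={finding['includePlatforms']} "
              f"exclude={finding['excludePlatforms']} grant={finding['grantControls']} "
              f"operator={finding['operator']}")
```

The operator handling is the detail worth keeping: a policy whose grant controls read "mfa OR compliantDevice" does not require compliance at all, so it is reported alongside MFA-only and block policies, while "Compliant device on Windows" and the disabled and allowlisted policies are left out.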

Fix

No automated fix is available for this check.

Manual steps:

  1. Open the Azure Portal and navigate to Microsoft Entra ID > Protection > Conditional Access.
  2. Review each policy listed in the check output that has platform-based conditions.
  3. For policies with bypass risk, consider one of the following mitigations:
    • Remove platform conditions and apply the policy to all platforms. This is the most secure approach.
    • Add a compliant device requirement to the policy grant controls. This ensures server-side validation regardless of the reported platform.
    • Create a complementary policy that covers the remaining platforms to close the gap.
  4. If a platform-based policy must remain as-is (e.g., for a specific use case), add it to the Allowed Policies whitelist (CHK1181_allowedPolicies) with a documented justification.
  5. Test changes thoroughly to ensure that legitimate users are not blocked.
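The three mitigations in step 3 each correspond to a concrete change to the policy object. The following is an added example, not code from the check or from Microsoft: it builds, for one constructed platform-scoped policy, the body of each change in Microsoft Graph conditionalAccessPolicy shape (a PATCH body for the first two, a full new policy for the third). Sending the request, and the KNOWN_PLATFORMS list used to compute the gap, are assumptions; verify the platform values against your tenant before use.

```python
# Added example, not the check's own code: derive the remediation bodies from
# the manual steps for a platform-scoped Conditional Access policy.
import copy
import json

# Concrete platform values assumed for the devicePlatform enumeration (besides "all").
KNOWN_PLATFORMS = ["android", "iOS", "windows", "windowsPhone", "macOS", "linux"]


def platforms_covered(platforms):
    """Expand a platforms condition into the concrete set of platforms the policy applies to."""
    include = platforms.get("includePlatforms") or []
    exclude = set(platforms.get("excludePlatforms") or [])
    base = set(KNOWN_PLATFORMS) if "all" in include else set(include)
    return base - exclude


def remove_platform_condition(policy):
    """Step 3, option 1: apply the policy to all platforms so a spoofed user-agent gains nothing."""
    return {"conditions": {"platforms": {"includePlatforms": ["all"], "excludePlatforms": []}}}


def add_compliant_device(policy):
    """Step 3, option 2: require a compliant device on top of the existing grant controls."""
    grant = copy.deepcopy(policy.get("grantControls") or {})
    controls = list(grant.get("builtInControls") or [])
    if "block" in controls:
        raise ValueError("a block policy takes no grant controls; use remove_platform_condition")
    if "compliantDevice" not in controls:
        controls.append("compliantDevice")
    # The operator must be AND: with OR the device control is only an alternative to MFA.
    return {"grantControls": {**grant, "operator": "AND", "builtInControls": controls}}


def complementary_policy(policy):
    """Step 3, option 3: a second policy with the same controls for the platforms the original skips."""
    gap = sorted(set(KNOWN_PLATFORMS) - platforms_covered(policy["conditions"]["platforms"]))
    if not gap:
        return None
    new = copy.deepcopy(policy)
    new.pop("id", None)
    new["displayName"] = f"{policy['displayName']} (platform gap)"
    # Start in report-only mode so step 5 (test before enforcing) is possible.
    new["state"] = "enabledForReportingButNotEnforced"
    new["conditions"]["platforms"] = {"includePlatforms": gap, "excludePlatforms": []}
    return new


# Constructed sample policy (the id is a placeholder, not a real tenant value).
SAMPLE_POLICY = {
    "id": "constructed-1",
    "displayName": "Require MFA on Windows and macOS",
    "state": "enabled",
    "conditions": {"platforms": {"includePlatforms": ["windows", "macOS"], "excludePlatforms": []}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

if __name__ == "__main__":
    print("PATCH (all platforms):", json.dumps(remove_platform_condition(SAMPLE_POLICY)))
    print("PATCH (compliant device):", json.dumps(add_compliant_device(SAMPLE_POLICY)))
    print("POST (complementary policy):", json.dumps(complementary_policy(SAMPLE_POLICY)))
```

The second option deliberately changes the operator to AND; a PATCH that only appends "compliantDevice" to an OR list would leave the policy exactly as bypassable as before. The third option computes the gap from the include and exclude lists together, so it also works for a policy written as "all platforms except Linux".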

Impact

This is a data-only monitoring check that does not create tickets or trigger alerts. It provides security teams with visibility into which Conditional Access policies are vulnerable to platform-based bypass attacks. Addressing these findings by removing platform conditions or adding device compliance requirements closes a common attack vector and strengthens the overall Conditional Access posture.

More Information