Entra ID - Admin Checklist - Device Trust Configuration
Introduction
- Device Trust is the idea that a user’s device must be secure before accessing an organization’s sensitive resources (such as networks, cloud apps, and data). In this context, “users” generally means an organization’s employees, contractors, or vendors, and “devices” refers to the endpoints they use for work: laptops, desktops, and mobile devices.
How it Works
- Device Trust is designed to block a device from accessing your SaaS apps and other resources if it isn't running the agent or isn't passing the required checks.
- These requirements are defined by the organization's internal admin and are based on specific checks.
- To be a secure device trust solution, it must associate devices with the users who work for an organization. Device Trust has no knowledge of an organization's employees or contractors on its own; it can only obtain this information by integrating with Entra ID.
- If a device isn't compliant, users can't log in to their cloud apps until they've fixed the problem. To reduce the load on IT teams, Device Trust gives users instructions on how to fix the issues and bring their device back into compliance.
Prerequisites
✅ 1Password Extended Access Management
- To sign up for 1Password Extended Access Management, contact the 1Password Sales team.
✅ Entra ID requirements
- Minimum license: Entra ID P1 license (in the enterprise space, this may be referred to as "E3" or "E5").
- Minimum Entra ID administrative permissions (for implementation and management):
  - Conditional Access Administrator
  - Authentication Administrator
  - Authentication Policy Administrator
  - Application Administrator
  - Group Administrator
- Enabling the External Authentication Method (EAM) feature during implementation
  - ⚠️ Read the Be Aware section below regarding known limitations of Microsoft's External Authentication Method feature.
  - ⚠️ The External Authentication Method feature from Microsoft does not fully support:
    - Guest-user logins
    - Cross-tenant users (requires that MFA claims from cross-tenant users are trusted)
    - External authentication methods in Azure Government Cloud (limited to certain Azure Gov instances)
⚠️ Be Aware
- To integrate with Microsoft Entra, 1Password Device Trust (powered by Kolide) uses a Microsoft feature called External Authentication Method (EAM), which is currently in preview. For this integration, you will need to set up a Conditional Access policy that requires "multi-factor authentication" as a grant control for access. However, when this requirement is in place, users can choose any available multi-factor authentication method during sign-in. Unfortunately, Microsoft Authenticator will always appear as the first option during the login process, allowing users to bypass Device Trust if they select it.
- The current limitation is that, to enforce 1Password Device Trust during the login process, an organization must adjust its tenant settings so that users who rely on 1Password Device Trust as an External Authentication Method have it set as their only multi-factor authentication (MFA) option. This limitation arises because, with the current capabilities of External Authentication Methods (still in preview) and Conditional Access policies, organizations cannot set different MFA requirements for different resources. In other words, if Device Trust is chosen as the sole MFA method, it applies universally: the organization cannot create policies that apply different MFA options or authentication strengths based on specific resources. Additionally, Conditional Access policies do not currently allow enforcing a specific External Authentication Method within a policy, or setting advanced sequences for different MFA options.
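Because the Conditional Access policy only requires "some MFA", the only way to confirm Device Trust is actually enforced for a group is to check which methods the tenant's Authentication methods policy leaves enabled for that group. The following is an added audit script, not part of this checklist or of 1Password's or Microsoft's tooling; it evaluates a constructed sample shaped like the Microsoft Graph GET /policies/authenticationMethodsPolicy response (the field names, the "all_users" target id and the group id are assumptions) and reports any non-EAM method that would still satisfy the MFA grant.

```python
import json

# Constructed sample modelled on Microsoft Graph's
# GET /policies/authenticationMethodsPolicy response. The shape is assumed;
# compare it against your own tenant's output before relying on this check.
SAMPLE_POLICY = json.loads("""{
 "authenticationMethodConfigurations": [
  {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
   "id": "MicrosoftAuthenticator", "state": "enabled",
   "includeTargets": [{"targetType": "group", "id": "all_users"}], "excludeTargets": []},
  {"@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
   "id": "Fido2", "state": "disabled",
   "includeTargets": [{"targetType": "group", "id": "all_users"}], "excludeTargets": []},
  {"@odata.type": "#microsoft.graph.externalAuthenticationMethodConfiguration",
   "id": "11111111-1111-1111-1111-111111111111", "displayName": "1Password Device Trust",
   "state": "enabled",
   "includeTargets": [{"targetType": "group", "id": "device-trust-group-id"}], "excludeTargets": []}
 ]}""")

EAM_TYPE = "#microsoft.graph.externalAuthenticationMethodConfiguration"


def _covers(cfg, key, user_groups):
    """True if any target under `key` (includeTargets/excludeTargets) covers the user's groups."""
    return any(t["id"] == "all_users" or t["id"] in user_groups for t in cfg.get(key, []))


def methods_available(policy, user_groups):
    """Enabled method configurations a member of `user_groups` could pick at sign-in."""
    return [cfg for cfg in policy["authenticationMethodConfigurations"]
            if cfg["state"] == "enabled"
            and _covers(cfg, "includeTargets", user_groups)
            and not _covers(cfg, "excludeTargets", user_groups)]


def bypass_methods(policy, user_groups):
    """Non-EAM methods that would also satisfy the MFA grant, i.e. paths around Device Trust."""
    return sorted(cfg["id"] for cfg in methods_available(policy, user_groups)
                  if cfg["@odata.type"] != EAM_TYPE)


def device_trust_enforced(policy, user_groups):
    """True only when an EAM is available to the group and nothing else can satisfy MFA."""
    has_eam = any(cfg["@odata.type"] == EAM_TYPE for cfg in methods_available(policy, user_groups))
    return has_eam and not bypass_methods(policy, user_groups)


if __name__ == "__main__":
    groups = {"device-trust-group-id"}  # assumed object id of the Device Trust users group
    print("bypass paths:", bypass_methods(SAMPLE_POLICY, groups))   # ['MicrosoftAuthenticator']
    print("Device Trust enforced:", device_trust_enforced(SAMPLE_POLICY, groups))  # False
```

The script only audits the Authentication methods policy; legacy per-user MFA settings and Security Defaults are outside this payload and need a separate check.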
🗂 Documentation and resources
💬 Keywords
device trust entra, admin checklist