
Why Device Trust Is Often Assumed Rather Than Verified

January 23, 2026 by Jaspreet Singh


This oversight can quietly increase breach risk for your clients.

As MSPs, we dedicate significant effort to securing identities through MFA, Conditional Access, passwordless authentication, and phishing resistance. These are important advancements.

However, a critical assumption remains prevalent in many environments:

If a user can sign in, their device must be trusted.

In reality, device trust is rarely verified on an ongoing basis. It is often assumed, and attackers are aware of this gap.

The Silent Assumption Most Environments Make

In many Microsoft 365 and Entra ID tenants we onboard, we see the same pattern:

  • MFA is enabled
  • Conditional Access exists (Plan Your Microsoft Entra Conditional Access Deployment, 2023).
  • Devices are “registered” or “joined.”
  • Endpoint tools are deployed.

Yet access decisions still rely on one-time trust signals:

  • A device was compliant yesterday.
  • It was joined months ago.
  • It passed checks during enrollment.
  • No alerts have fired — yet.

This approach does not establish device trust; it relies on hope.

Why This Assumption Exists (Even in Mature Tenants)

This issue is not due to negligence; it is structural.

  1. Device enrollment ≠ ongoing health
    Intune compliance is often evaluated on a schedule, not in real time (Verifying Device Health at Microsoft with Zero Trust, 2024).
  2. Conditional Access policies prioritize identity by default.
    Many policies focus on verifying the user, rather than the device being used for access.
  3. Security tooling is siloed.
    Endpoint, identity, and access signals are not always enforced collectively (Zero Trust identity and device access policies, 2024).
  4. “No alerts” is treated as “secure.”
    A lack of alerts is often misinterpreted as confirmation of security (73% of Security Professionals Say They’ve Missed, Ignored, or Failed to Act on a High Priority Security Alert, 2024).

How Attackers Exploit Assumed Device Trust

Modern attacks often do not require malware or administrative privileges (FBI & MS-ISAC, 2020).

Common real-world paths we see during incident response:

  • Stolen session tokens reused from unmanaged or lightly monitored devices
  • Compliant but compromised endpoints that continue to pass access checks
  • Personal devices accessing corporate apps via browser sessions
  • Dormant devices that were never re-evaluated after posture drift

Once identity is validated, device access is frequently granted without further scrutiny. (Secure Microsoft Entra ID: Real-World Strategies (Part 1), 2025)

Device Trust Should Be an Ongoing Evaluation, Not a One-Time Checkbox

True device trust is not:

  • “Is the device enrolled?”
  • “Was it compliant at sign-in?”
  • “Is it corporate-owned?”

It should be:

  • Is the device still healthy?
  • Is it still managed?
  • Is its risk posture acceptable right now?
  • Does this access require a trusted device?

Trust should be continuously validated, rather than permanently granted.

What MSPs Should Be Doing Differently

This is an opportunity for MSPs to significantly reduce risk and differentiate their services.

1. Make device trust explicit in Conditional Access

Not every app needs it, but high-risk apps absolutely do.

2. Treat browser access as a device decision

If unmanaged devices can access data through a browser, device trust becomes optional, which attackers are likely to exploit (Managed Devices Not Required for MFA Registration, 2026).

3. Align endpoint risk with access

If Defender flags a device, access should be automatically restricted rather than waiting for manual intervention (Device control policies in Microsoft Defender for Endpoint, 2025).

4. Audit “assumed trust” quarterly

Ask:

  • Which policies don’t check device state?
  • Which apps allow unmanaged access?
  • Which devices haven’t been evaluated recently?
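As an added example (not from the post, and not Microsoft tooling), the first and third audit questions can be answered mechanically from exported policy and device objects. The Python below runs over constructed sample data in the shape of Microsoft Graph conditionalAccessPolicy and device objects (field names as in Graph; the policy names, app ids and devices are invented) and flags policies that can be satisfied without any device signal, including the "mfa OR compliantDevice" trap and report-only policies, plus devices that are no longer compliant, managed, or recently seen.

```python
from datetime import datetime, timedelta
# Constructed sample data in the Microsoft Graph policy/device shape (trimmed); not real tenant data.
POLICIES = [
    {"displayName": "All users - MFA", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Finance - MFA or compliant device", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["finance-app"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}},
    {"displayName": "Office 365 - MFA and compliant device", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["Office365"]}},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]}},
    {"displayName": "Block non-compliant (report-only)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"applications": {"includeApplications": ["All"]},
                    "devices": {"deviceFilter": {"mode": "include", "rule": "device.isCompliant -ne True"}}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]
DEVICES = [
    {"displayName": "LAPTOP-01", "isCompliant": True, "isManaged": True,
     "approximateLastSignInDateTime": "2026-01-20T09:00:00Z"},
    {"displayName": "LAPTOP-02", "isCompliant": True, "isManaged": True,
     "approximateLastSignInDateTime": "2025-09-01T09:00:00Z"},   # compliant on record, but stale
    {"displayName": "BYOD-PHONE", "isCompliant": False, "isManaged": False,
     "approximateLastSignInDateTime": "2026-01-22T09:00:00Z"},
]
DEVICE_CONTROLS = {"compliantDevice", "domainJoinedDevice"}

def enforces_device_trust(policy):
    """True only if an enforced policy cannot be satisfied without a device signal.
    'mfa OR compliantDevice' does not qualify: a non-compliant device still passes with MFA."""
    if policy["state"] != "enabled":
        return False  # report-only policies enforce nothing
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    if controls & DEVICE_CONTROLS:
        return grant.get("operator") == "AND" or controls <= DEVICE_CONTROLS
    dev_filter = ((policy.get("conditions") or {}).get("devices") or {}).get("deviceFilter")
    return "block" in controls and bool(dev_filter)  # a block scoped by a device filter counts

def policies_without_device_check(policies):  # audit question 1
    return [p["displayName"] for p in policies if not enforces_device_trust(p)]

def parse_ts(ts):  # Graph timestamps are ISO 8601 with a trailing Z
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def stale_devices(devices, now_ts, max_age_days=30):
    """Audit question 3: devices not seen, or not both compliant and managed, within the window."""
    cutoff = parse_ts(now_ts) - timedelta(days=max_age_days)
    return [d["displayName"] for d in devices if not (d["isCompliant"] and d["isManaged"])
            or parse_ts(d["approximateLastSignInDateTime"]) < cutoff]
```

The apps covered only by policies in the first list are the answer to question 2, since those are the apps an unmanaged device can still reach.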

Why This Is Important for MSPs, Not Only Security Teams

When a breach happens, clients don’t ask:

“Was MFA enabled?”

They ask:

“How did this device still have access?”

Assumed trust can result in:

  • Longer investigations
  • Harder explanations
  • Increased liability
  • Lost client confidence

In contrast, verified trust is measurable, defensible, and auditable.

Final Thought

Device trust is not a product that can simply be enabled.

It is a discipline that requires ongoing enforcement.

MSPs who recognize this will be better positioned to prevent incidents.

Those who do not may find themselves explaining incidents after they occur.

If device trust has not been recently evaluated in your client environments, it is time to reassess this assumption.


Jaspreet Singh — Author at MSPinsights.ca | Founder & CEO, Accelerate IT Services Inc.


References

(2024). Zero Trust identity and device access policies. Microsoft Corporation. https://download.microsoft.com/download/e/d/0/ed03381c-16ce-453e-9c89-c13967819cea/zero-trust-identity-and-device-access-policies.pdf

(2023). Plan Your Microsoft Entra Conditional Access Deployment. Microsoft Learn. https://learn.microsoft.com/en-us/azure/architecture/guide/security/conditional-access-framework

(September 5, 2024). Verifying Device Health at Microsoft with Zero Trust. Microsoft. https://www.microsoft.com/insidetrack/blog/verifying-device-health-at-microsoft-with-zero-trust/

(April 16, 2024). 73% of Security Professionals Say They’ve Missed, Ignored or Failed to Act on a High Priority Security Alert. Coro Cybersecurity. https://www.coro.net/press/73-of-security-professionals-say-theyve-missed-ignored-or-failed-to-act-on-a-high-priority-security-alert

(2026). Managed Devices Not Required for MFA Registration. Tenable. https://www.tenable.com/indicators/ioe/entra/MANAGED-DEVICES-NOT-REQUIRED-FOR-MFA-REGISTRATION

(2025). Device control policies in Microsoft Defender for Endpoint. Microsoft Learn. https://learn.microsoft.com/en-us/defender-endpoint/device-control-policies

FBI & MS-ISAC. (December 9, 2020). Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data. CISA. https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-345a

(2025). Secure Microsoft Entra ID: Real-World Strategies (Part 1). NVISO. https://blog.nviso.eu/2025/09/25/securing-microsoft-entra-id-lessons-from-the-field-part-1/
