Trusted Devices

Requiring trusted devices is a powerful control for preventing Adversary-in-the-Middle (AiTM) attacks. By ensuring that users sign in only from devices your organization recognizes and trusts, you block attacker-controlled servers or unmanaged machines from ever meeting your authentication requirements.

Even if a user falls for a phishing link, the attacker cannot complete the sign-in because their AiTM infrastructure cannot present a trusted device signal.

Why Trusted Devices Matter for AiTM

AiTM attacks rely on relaying a victim’s session through an attacker’s server.
When device trust is enforced:

  • The attacker’s machine cannot meet device compliance or trust requirements.

  • The authentication request fails before the attacker can capture a usable session.

  • Even if credentials or MFA approvals are entered, the attacker cannot satisfy the device policy, stopping the attack.

Trusted devices add a gate that an AiTM relay cannot pass: the relay can forward the victim's credentials and MFA responses, but it cannot present a device identity that your tenant trusts.

Types of Trusted Devices

Microsoft environments support several options for establishing device trust. Each signals to Entra ID that the device belongs to your organization and meets required security standards.

1. Intune-Compliant Devices

Devices managed through Microsoft Intune can be evaluated for compliance based on your defined policies, such as:

  • OS version

  • Encryption status

  • Patch levels

  • Security settings

  • Threat protection status

Only devices that pass compliance checks can authenticate.

Benefit:

Attackers cannot make their AiTM server appear “compliant,” so authentication is blocked.

2. Hybrid Azure AD Joined Devices

These devices are domain-joined and automatically registered with Entra ID.

They provide:

  • A strong trust relationship with your on-premises Active Directory

  • Verified device identity

  • Integration with Conditional Access policies

Benefit:

Authentication attempts coming from attacker infrastructure cannot present a hybrid-joined device identity, stopping the login flow.

3. Entra ID Device Requirements

You can enforce device-based access controls through Conditional Access, such as:

  • Require device to be marked as compliant

  • Require Microsoft Entra joined or hybrid joined device

These requirements ensure users authenticate only from a trusted device context.

Benefit:

Even if an attacker relays the user's credentials and MFA response, the sign-in cannot complete without a trusted device signal.