Devices Overview: Unmanaged & Stale Device Exposure Risk

Why this risk matters

Every device that accesses Microsoft 365 data is a potential entry point. When devices are unmanaged, stale, or not covered by compliance policies, the organisation has limited visibility into what is connecting to its environment and no reliable way to enforce security baselines.

Overe surfaces a device posture overview across the tenant, highlighting unmanaged devices, stale device records, and devices not enrolled in Intune. This is not just a hygiene concern — devices accessing corporate data without management controls can carry malware, have unpatched vulnerabilities, lack encryption, or be used by people who should no longer have access.

The problem is compounded when Conditional Access, if not properly configured, allows access from devices that have never been enrolled or that are technically non-compliant. An unmanaged device accessing Exchange, SharePoint, or Teams without restriction is effectively invisible to the organisation's security monitoring.

What happens if this is abused

  • Malware or credential-stealing software on an unmanaged personal device used to access and exfiltrate corporate data
  • Stale device records representing former employee devices still appearing in the directory and potentially retaining access tokens
  • Unmanaged devices bypassing Conditional Access controls that would otherwise enforce compliance or block access
  • A device failing compliance checks — no BitLocker, outdated OS, no endpoint protection — continues accessing sensitive data
  • Lost or stolen device with no enforced encryption or remote wipe capability exposes data
  • Shadow IT devices — personal phones, home computers — connecting to corporate resources without visibility or control

When this is expected or acceptable

Not every organisation has full device management in place, and some access from unmanaged devices may be intentional — external contractors, partners with BYOD access, or specific limited-access scenarios.

Unmanaged device access is more acceptable when it is scoped through Conditional Access to restrict what can be done — read-only, browser-only, or specific apps only. Unmanaged access with no restrictions is a different risk profile.

Stale device records are rarely intentional — they are usually the result of devices being replaced without deregistering the old record from Entra ID.

Checks to perform before taking action

Before taking action on flagged devices:

  • Review the list of devices flagged as unmanaged and confirm whether they represent active users or stale records
  • For unmanaged devices with recent activity, identify the user and confirm whether unmanaged access was intentional
  • For stale devices, check the last activity date and confirm whether the device has been decommissioned or replaced
  • Review whether any high-privilege users are accessing the tenant from unmanaged devices
  • Check whether Conditional Access policies restrict what unmanaged devices can do — or whether they have unrestricted access
  • Confirm whether there is an active Intune rollout that explains gaps in enrolment

Safe remediation steps

  1. Use Overe to review the devices overview and identify the most exposed users — those with high data access on unmanaged devices
  2. For stale device records, disable and eventually delete entries once confirmed as decommissioned
  3. For active unmanaged devices, work with users to enrol in Intune where policy allows
  4. For unmanaged devices that cannot be enrolled, restrict access through Conditional Access to browser-only or app-protected access
  5. Prioritise enrolling devices belonging to admin accounts and users with access to sensitive data
  6. Enable remote wipe capability for enrolled devices to reduce impact of loss or theft
  7. Review Conditional Access policies to ensure unenrolled or non-compliant devices are appropriately restricted

Where direct remediation is required, Overe provides links to the appropriate Microsoft admin controls to complete the action safely.
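The inventory and stale-record triage behind checks 1 to 3 and remediation steps 2 and 6, as an added example written here rather than Overe's own tooling: it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module) and treats the 90-day threshold as an illustrative assumption to tune per organisation.

```powershell
# Added example (not Overe's code): list Entra ID devices, flag stale and unmanaged records,
# and optionally disable stale ones (disable first; delete with Remove-MgDevice only after
# decommissioning is confirmed). Assumes the Microsoft.Graph module is installed.
[CmdletBinding()]
param(
    [int]$StaleDays = 90,     # assumption: illustrative threshold, not a Microsoft default
    [switch]$DisableStale     # report-only unless this switch is supplied
)

# Device.Read.All suffices for the report; disabling records needs Device.ReadWrite.All.
$scopes = if ($DisableStale) { 'Device.ReadWrite.All' } else { 'Device.Read.All' }
Connect-MgGraph -Scopes $scopes -NoWelcome

$nowUtc  = (Get-Date).ToUniversalTime()
$cutoff  = $nowUtc.AddDays(-$StaleDays)
$props   = @('Id','DisplayName','OperatingSystem','TrustType','IsManaged','IsCompliant',
             'AccountEnabled','ApproximateLastSignInDateTime','RegistrationDateTime')
$devices = Get-MgDevice -All -Property $props

$report = foreach ($d in $devices) {
    # approximateLastSignInDateTime is only populated once the device has signed in; fall back
    # to the registration timestamp so never-used registrations are not silently skipped.
    $lastSeen = if ($d.ApproximateLastSignInDateTime) { $d.ApproximateLastSignInDateTime } else { $d.RegistrationDateTime }
    $isStale  = ($null -ne $lastSeen) -and ($lastSeen -lt $cutoff)
    # A record can be registered or joined (TrustType) and still not be Intune-managed.
    $isUnmanaged = -not ($d.IsManaged -eq $true)
    [pscustomobject]@{
        DisplayName  = $d.DisplayName
        OS           = $d.OperatingSystem
        TrustType    = $d.TrustType        # Workplace = registered, AzureAd = joined, ServerAd = hybrid
        Managed      = [bool]$d.IsManaged
        Compliant    = [bool]$d.IsCompliant
        Enabled      = $d.AccountEnabled
        DaysInactive = if ($lastSeen) { [int]($nowUtc - $lastSeen).TotalDays } else { $null }
        Status       = if ($isStale) { 'Stale' } elseif ($isUnmanaged) { 'ActiveUnmanaged' } else { 'Managed' }
        Id           = $d.Id
    }
}

# Summary first, then the detail a reviewer needs before touching any record.
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object Status -ne 'Managed' | Sort-Object DaysInactive -Descending |
    Format-Table DisplayName, OS, TrustType, Managed, Compliant, Enabled, DaysInactive, Status -AutoSize

if ($DisableStale) {
    # Reversible first step: disable the record and keep it for review; deletion comes later.
    foreach ($r in $report | Where-Object { $_.Status -eq 'Stale' -and $_.Enabled }) {
        Update-MgDevice -DeviceId $r.Id -AccountEnabled:$false
        Write-Host "Disabled stale device '$($r.DisplayName)' (inactive $($r.DaysInactive) days)"
    }
}
```

Run without the switch first and reconcile the ActiveUnmanaged rows against intended BYOD or contractor access before any record is disabled.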

Supporting documentation

Related risks and follow-on checks

  • Intune policy coverage gaps
  • Conditional Access MFA bypass paths
  • Conditional Access exclusions creating risk
  • Open Defender incidents