@Steve Stormont, as far as I know, the compliance policy will be applied to the device after it is enrolled. To block device enrollment when the OS version is low, we can try to set the maximum version under Device enrollment restriction. See the following link for reference:
https://learn.microsoft.com/en-us/mem/intune/enrollment/enrollment-restrictions-set#create-a-device-type-restriction
In addition, to block non-compliant devices from accessing applications like Teams, we can create a conditional access policy and configure "Require device to be marked as compliant" in Access controls. To create a conditional access policy, we can read the following article:
https://learn.microsoft.com/en-us/mem/intune/protect/create-conditional-access-intune
The policy will be applied when the user is checked in. If the user is already logged in to the application, the connection will be kept and the resource is still accessible. For this scenario, we can consider sign-in frequency to force the user to sign in again. For more details, we can read the following article:
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime
Hope it can help.
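The Conditional Access settings described in the answer above, scripted with Microsoft Graph PowerShell as an added example that is not part of the original answer. The pilot group ID is a placeholder, the 8-hour sign-in frequency and the report-only state are assumptions, and the policy targets the `Office365` app group (which includes Teams) rather than Teams alone.

```powershell
# Added example, not from the original answer.
# Requires the Microsoft.Graph.Identity.SignIns module and a role that can
# manage Conditional Access policies.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

# Placeholder (assumption): object ID of a pilot group. Replace with your own.
$pilotGroupId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName = 'Require compliant device - Office 365 (pilot)'

    # Report-only: the policy is evaluated and logged in sign-in logs,
    # but nobody is blocked until the state is changed to 'enabled'.
    state = 'enabledForReportingButNotEnforced'

    conditions = @{
        users          = @{ includeGroups = @($pilotGroupId) }
        applications   = @{ includeApplications = @('Office365') }
        clientAppTypes = @('all')
    }

    # "Require device to be marked as compliant" under Access controls > Grant.
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice')
    }

    # Sign-in frequency: forces reauthentication after the interval, so an
    # already signed-in session is re-evaluated against the policy.
    sessionControls = @{
        signInFrequency = @{
            isEnabled = $true
            type      = 'hours'
            value     = 8   # assumption: pick an interval that fits your users
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Review the report-only results in the sign-in logs for the pilot group before switching `state` to `enabled`.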