@Grant Thanks for posting in our Q&A.
For conditional access policy deployment, we can refer to the following article:
https://learn.microsoft.com/en-us/mem/intune/protect/create-conditional-access-intune#create-the-conditional-access-policy
For the scenario you want, I will clarify the settings in the conditional access policy. It is suggested to try to configure the following settings:
- Select "all users" in Users or workload identities
- Add "office 365" in Cloud apps or actions
- Select the device platforms (for example: android) you want in Conditions' Device platform and select both "Browser" and "Mobile apps and desktop clients" in Conditions' Client apps.
- Select which requirement the end users need to meet in grant access (for example: Require device to be marked as compliant).
- Set "Enable policy" to "On".
I will just describe an example. When a user signs in to an Office 365 app on a compliant Android device, access will succeed. However, when the Android device is not compliant, access will be blocked.
Hope it will help.
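The settings listed in the answer above, written as a Microsoft Graph `conditionalAccessPolicy` request body together with a simplified evaluator that shows which sign-ins the policy reaches. This is an added example, not part of the original answer or Microsoft's own code; the display name, the sample sign-ins and the `evaluate` model are constructed for illustration.

```python
import json

# Graph conditionalAccessPolicy body for the settings listed in the answer.
# The display name is a constructed placeholder.
POLICY = {
    "displayName": "EXAMPLE - Office 365 on Android requires compliant device",
    "state": "enabled",  # "Enable policy" = On
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["Office365"]},
        "platforms": {"includePlatforms": ["android"]},
        "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
}

# Constructed sample sign-ins (not real log data).
SAMPLE_SIGNINS = [
    {"app": "Office365", "platform": "android", "client_app": "browser", "compliant": True},
    {"app": "Office365", "platform": "android", "client_app": "browser", "compliant": False},
    {"app": "Office365", "platform": "iOS", "client_app": "browser", "compliant": False},
]

def in_scope(policy, signin):
    """True when the policy is on and every condition matches the sign-in."""
    c = policy["conditions"]
    return (
        policy["state"] == "enabled"
        and "All" in c["users"]["includeUsers"]
        and signin["app"] in c["applications"]["includeApplications"]
        and signin["platform"] in c["platforms"]["includePlatforms"]
        and signin["client_app"] in c["clientAppTypes"]
    )

def evaluate(policy, signin):
    """Simplified outcome model: 'notApplied', 'granted' or 'blocked'."""
    if not in_scope(policy, signin):
        return "notApplied"  # this policy places no requirement on the sign-in
    required = policy["grantControls"]["builtInControls"]
    if "compliantDevice" in required and not signin["compliant"]:
        return "blocked"
    return "granted"

def request_body(policy=POLICY):
    """JSON to POST to /identity/conditionalAccess/policies on Microsoft Graph."""
    return json.dumps(policy, indent=2)

if __name__ == "__main__":
    for s in SAMPLE_SIGNINS:
        print(s["platform"], s["compliant"], "->", evaluate(POLICY, s))
```

The third sample shows that a sign-in from a platform not selected in the policy is outside its scope, so the compliance requirement is not evaluated for it. Setting `state` to `enabledForReportingButNotEnforced` runs the policy in report-only mode, which records the result without enforcing it.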