This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 19%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETC%3C/text%3E%3C/svg%3E)
I have a simple verification.
Azure AD CA: All User (except admin),All Apps → Device needs to be compliant
Intue Compliance Policy: Defender for Endpoint must be below low
If the risk level is none of Defender, Intune Compliance Policy changes only user to non-compliance.
So, Azure AD CA allows users M365 access.
Defender
]2
Device
User
If the risk level is high of Defender, Intune Compliance Policy changes user and device to non-compliance.
But if Azure AD Device does't change non-compliance(non sync), Azure AD CA allows users M365 access.
But if Azure AD Device changes compliance(sync), Azure AD CA blockes users M365 access.
What does this mean?
What is the relationship between the risk level of defender and the risk level of intune users and devices?
@tarou chabi Thanks for posting in our Q&A.
For the non-compliance in user status, I have noticed that "Devices count" show "2". Please tried to click on this record and check if the user has another non-compliant device.
Based on my understanding, compliance policy is focused on devices, not users. If the device shows non-compliant, conditional policy will block users access M365 in this non-compliant device.
If we don't sync the device manually, intune has a refresh cycle to get the policy automatically. It will re-check the compliance of the devices.
https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned
If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thank you for your reply.
For the non-compliance in user status, I have noticed that "Devices count" show "2". Please tried to click on this record and check if the user has another non-compliant device.
Yes, the test user has two device. After, I validate and report the results.
Based on my understanding, compliance policy is focused on devices, not users.
I think so. But, MS says that compliance policy evaluates users. So, compliant users can connect to M365 even if they use the same device. Really??????? At least my verification results are different.
How are user status and device status determined and synced to Azure AD?
@tarou chabi Thanks for your update.
Based on my research, when multiple users sign in the same device, intune evaluates device compliance for multiple times. And one device will shows multiple records with different UPNs under device status.
https://learn.microsoft.com/en-us/mem/intune/protect/compliance-policy-monitor#drill-down-for-more-details
Based on my understanding, no matter which user logs in, device compliant status will not change. So, conditional access policy checked compliance based on the "device status".
Hello @tarou chabi ,
Based Upon the information provided.
The result of this default is when Intune detects a device isn't compliant, Intune immediately marks the device as noncompliant. After a device is marked as noncompliance, Azure Active Directory (AD) Conditional Access can block the device.
But intune has a refresh cycle to get the policy automatically if the account is connected with the Device itself after a period.
And yes when multiple users sign in the same device, intune will evaluates the device compliance for the multiple times. and this result to the
different UPNs under device status
If no user is signed in to the device, the device with the targeted device compliance policy will send a compliance report back to Intune showing System Account as the user principal name. This happens because a device compliance policy was targeted to either a group of users or devices, and no user was signed into the device at the time the compliance policy was evaluated.
Additionally, if there are multiple users signed into the same device, and coincidentally the device is targeted with a compliance policy that is scoped to cover all users that are currently signed in the device, the compliance report might show the same device multiple times as every user signed into the device has to evaluate the device compliance policy and report it back to Intune.
----------------------------------------------------------------------------------------------------------------------
--If the reply is helpful, please Upvote and Accept as answer--