Compliance status of compliance policy

tarou chabi 731 Reputation points

I have a simple verification.

Azure AD CA: All Users (except admins), All Apps → Device needs to be compliant
Intune Compliance Policy: Defender for Endpoint must be below low

If the Defender risk level is none, the Intune Compliance Policy changes only the user to non-compliant.
So, Azure AD CA allows the users M365 access.


If the Defender risk level is high, the Intune Compliance Policy changes the user and the device to non-compliant.
But if the Azure AD device doesn't change to non-compliant (no sync), Azure AD CA allows the users M365 access.
But if the Azure AD device changes compliance (sync), Azure AD CA blocks the users' M365 access.

What does this mean?
What is the relationship between the risk level of Defender and the risk level of Intune users and devices?


2 answers

  1. Lu Dai-MSFT 28,241 Reputation points

    @tarou chabi Thanks for posting in our Q&A.

    For the non-compliance in user status, I have noticed that "Devices count" shows "2". Please try clicking on this record and check if the user has another non-compliant device.

    Based on my understanding, compliance policy is focused on devices, not users. If the device shows non-compliant, conditional access policy will block users from accessing M365 on this non-compliant device.

    If we don't sync the device manually, Intune has a refresh cycle to get the policy automatically. It will re-check the compliance of the devices.

    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

  2. Limitless Technology 39,196 Reputation points

    Hello @tarou chabi ,
    Based upon the information provided:
    The result of this default is that when Intune detects a device isn't compliant, Intune immediately marks the device as noncompliant. After a device is marked as noncompliant, Azure Active Directory (AD) Conditional Access can block the device.
    But Intune has a refresh cycle to get the policy automatically if the account is connected with the device itself after a period.
    And yes, when multiple users sign in to the same device, Intune will evaluate the device compliance multiple times, and this results in the different UPNs under device status.
    If no user is signed in to the device, the device with the targeted device compliance policy will send a compliance report back to Intune showing System Account as the user principal name. This happens because a device compliance policy was targeted to either a group of users or devices, and no user was signed into the device at the time the compliance policy was evaluated.

    Additionally, if there are multiple users signed in to the same device, and coincidentally the device is targeted with a compliance policy that is scoped to cover all users that are currently signed in to the device, the compliance report might show the same device multiple times, as every user signed in to the device has to evaluate the device compliance policy and report it back to Intune.


    --If the reply is helpful, please Upvote and Accept as answer--

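The two answers above describe the gap the question is about: Intune marks a device noncompliant per signed-in user, while Conditional Access acts on the device's `isCompliant` flag in Entra ID, which only catches up after a sync. The script below is an added diagnostic for that gap, not code from the thread or from Microsoft; it assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can read Intune managed devices and Entra device objects. It lists every device Intune currently reports as noncompliant, the per-user compliance policy states behind that verdict (the "different UPNs" and "System Account" rows), and whether the Entra device object has already picked up the noncompliant state.

```powershell
# Added diagnostic (assumption: Microsoft.Graph SDK present, reader has the listed scopes).
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All', 'Device.Read.All' -NoWelcome

$graph = 'https://graph.microsoft.com/v1.0'

# Intune side: devices the compliance engine currently evaluates as noncompliant.
# Note: a large tenant will page results via @odata.nextLink; this walks the pages.
$uri = "$graph/deviceManagement/managedDevices?`$filter=complianceState eq 'noncompliant'"
$intuneDevices = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $intuneDevices += $page.value
    $uri = $page.'@odata.nextLink'
} while ($uri)

$report = foreach ($d in $intuneDevices) {
    # Per-user policy states: one row per UPN that has evaluated the policy on this device.
    $stateUri = "$graph/deviceManagement/managedDevices/$($d.id)/deviceCompliancePolicyStates"
    $states   = (Invoke-MgGraphRequest -Method GET -Uri $stateUri).value
    $perUser  = ($states | ForEach-Object { "$($_.userPrincipalName)=$($_.state)" }) -join '; '

    # Entra side: isCompliant is the value Conditional Access consumes.
    $entraUri = "$graph/devices?`$filter=deviceId eq '$($d.azureADDeviceId)'&`$select=displayName,isCompliant"
    $entra    = (Invoke-MgGraphRequest -Method GET -Uri $entraUri).value | Select-Object -First 1

    [pscustomobject]@{
        DeviceName      = $d.deviceName
        IntuneState     = $d.complianceState
        LastSyncUtc     = $d.lastSyncDateTime
        PerUserStates   = $perUser
        EntraIsCompliant = if ($null -eq $entra) { 'not found' } else { $entra.isCompliant }
        # True here is the "non sync" case from the question: Intune says noncompliant,
        # Entra still says compliant, so CA will keep allowing access until the next sync.
        CaStillAllows   = ($null -ne $entra -and $entra.isCompliant -eq $true)
    }
}

$report | Sort-Object CaStillAllows -Descending | Format-Table -AutoSize
```

Rows with `CaStillAllows` set to True are the devices to sync (or wait for the refresh cycle on) before expecting Conditional Access to block them.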