Protect access to resources using Intune
An important benefit of using Mobile Device Management (MDM) technology, such as Intune, to manage devices is that you can allow access to e-mail and documents only from devices that are managed by MDM and comply with company policy. A company policy can require, for example, that user passwords be complex, that local data on the device be encrypted, that the latest updates be installed, and (enforced through Conditional Access rather than the device compliance policy itself) that the user sign in with multifactor authentication (MFA). For example, a user, Bob, can access their Exchange Online mailbox from a device that meets company policy, but they can't read their e-mail from a secondary device that doesn't have the latest updates installed. If all other prerequisites are met, Bob can access their mailbox from the secondary device as soon as they install the latest updates.
You define company policies by using Device Security policies in Microsoft 365 or Device Compliance policies in Intune. You control access to e-mail, documents, and other cloud apps by using Conditional Access policies. Compliance with company policy is just one criterion that a Conditional Access policy can evaluate; it can also evaluate sign-in risk, device platform, location, and client app.
If a device isn't enrolled in Intune, its compliance can't be evaluated, but you can still prevent access to mailboxes, documents, and cloud apps from such devices. If a user tries to access their mailbox from an unenrolled device, depending on how you configure the policy, the user is either blocked from accessing Microsoft 365 resources or redirected to enroll the device in MDM. Alternatively, if the policy runs in report-only mode, the user is granted access and the policy violation is only reported, which lets you see who would be affected before you enforce the policy.
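The two policies described above, as an added example that is not part of the original page or of Microsoft's documentation: a PowerShell script that uses the Microsoft Graph PowerShell SDK to create an Intune Windows compliance policy (complex password, encryption, minimum OS build) and a Conditional Access policy that requires a compliant device for Office 365. The display names, the minimum build number, and the choice to start the Conditional Access policy in report-only mode are illustrative assumptions; the script assumes the Microsoft.Graph module is installed and the signed-in account can consent to the listed permissions.

```powershell
# Added example, not code from the original page. Requires the Microsoft.Graph
# PowerShell SDK. Names, thresholds and the report-only state are assumptions
# chosen for illustration.

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All', 'Policy.ReadWrite.ConditionalAccess'

# 1. Intune device compliance policy for Windows: password complexity, local
#    encryption and a minimum OS build. scheduledActionsForRule is mandatory on
#    creation; actionType 'block' with no grace period marks a failing device
#    non-compliant immediately, which is the state Conditional Access evaluates.
$compliancePolicy = @{
    '@odata.type'                         = '#microsoft.graph.windows10CompliancePolicy'
    displayName                           = 'Baseline - Windows compliance'   # assumed name
    description                           = 'Complex password, encryption and patch level required for mailbox access'
    passwordRequired                      = $true
    passwordBlockSimple                   = $true
    passwordRequiredType                  = 'alphanumeric'
    passwordMinimumLength                 = 12
    passwordMinutesOfInactivityBeforeLock = 15
    bitLockerEnabled                      = $true
    storageRequireEncryption              = $true
    osMinimumVersion                      = '10.0.19045.0'   # assumed example build; set your own patch baseline
    scheduledActionsForRule               = @(
        @{
            ruleName                      = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{ actionType = 'block'; gracePeriodHours = 0; notificationTemplateId = ''; notificationMessageCCList = @() }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies' `
    -Body $compliancePolicy
Write-Host "Compliance policy created: $($created.id)"

# A compliance policy that is not assigned is never evaluated; assign it to all devices.
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body @{
        assignments = @(
            @{ target = @{ '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget' } }
        )
    }

# 2. Conditional Access policy: Office 365 from browsers and desktop/mobile apps
#    requires a compliant device. An unenrolled device cannot be compliant, so it
#    fails this control. Starting in report-only mode logs what would have been
#    blocked without affecting users; switch state to 'enabled' to enforce.
$caPolicy = @{
    displayName   = 'Require compliant device for Office 365'   # assumed name
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @() }   # exclude break-glass accounts in production
        applications   = @{ includeApplications = @('Office365') }
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice')
    }
}

$ca = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Body $caPolicy
Write-Host "Conditional Access policy created in state '$($ca.state)': $($ca.id)"
```

To also require MFA, as the text mentions, set `builtInControls` to `@('compliantDevice', 'mfa')` with `operator = 'AND'`; the device requirement and the MFA requirement are both Conditional Access grant controls, while password, encryption and update requirements live in the compliance policy. Keep the `excludeUsers` list populated with emergency-access accounts before changing `state` to `enabled`, otherwise a misconfigured compliance policy can lock administrators out of the tenant.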