Step 4. Require healthy and compliant devices with Intune
Conditional Access provides additional verification of device status prior to allowing access to a service. Conditional Access doesn’t work unless you specify conditions. In Step 3. Set up compliance policies, you defined compliance policies that specify the minimum requirements a device must meet to access your environment. In this article, you’ll create the corresponding Conditional Access policy in Microsoft Entra ID to require compliant devices. This helps keep your corporate data secure while giving users the ability to work from any device and from any location.
After setting up device compliance policies and assigning these to user groups, Intune lets Microsoft Entra ID know if a device is compliant or not. To use this status as a condition for access, you must work with your Microsoft Entra administrator to create a Conditional Access rule to require compliant PCs and mobile devices.
The recommended Zero Trust identity and device access rule set includes this rule. See Require compliant PCs and mobile devices, as illustrated below.
Be sure to:
- Coordinate the user groups you assigned to your compliance policies with the user groups assigned to the Conditional Access policy.
- Test out your Conditional Access policies using the What If and Audit Mode capabilities before fully assigning the Conditional Access policy. This helps you understand the results of the policy.
- Set a grace period in line with the confidentiality of the data and/or app being accessed.
- Make sure your compliance policies don't interfere with any regulatory or other compliance requirements.
- Understand the device check-in intervals for compliance policies.
- Avoid conflicts between compliance policies and configuration profiles. Understand the outcomes if you choose to.
To troubleshoot device profiles in Intune, including conflicts between policies, see Common questions and answers with device policies and profiles in Microsoft Intune.
Note: If you want to start by requiring compliant PCs, but not mobile devices, see Require compliant PCs (but not phones and tablets)