Device-based Conditional Access
With Intune, you can ensure that only devices that are managed and compliant can access services provided by Microsoft 365, such as Exchange Online, Software as a Service (SaaS) apps, and even on-premises apps. It is also possible to set more specific requirements, such as requiring that computers be hybrid Azure AD-joined, that access come from an approved client app, or that mobile devices be enrolled in Intune before they can access services.
Device policies can be configured to enforce device compliance and give administrators visibility of the compliance status of devices that have been enrolled in Intune. This compliance status is passed to Azure AD, which evaluates Conditional Access policies against it whenever a user attempts to access a resource. The Conditional Access policy then either allows or blocks access to the resource based on the compliance status of the requesting device.
In the modern workplace, you will increasingly need to consider and plan for the following device types and Conditional Access scenarios:
- Corporate-owned devices, which can include the following:
a. On-premises domain-joined and registered with Azure AD (hybrid Azure AD-joined)
b. Azure AD-joined
c. Domain-joined, registered with Azure AD, and also managed by System Center Configuration Manager
- Bring Your Own Device (BYOD) devices, which can include the following:
a. Workplace-joined (Azure AD-registered) and managed by Intune
Next, let's look at how you can use Conditional Access to create a device-based policy.
Creating a device-based Conditional Access policy
In the following example, we will create a device-based Conditional Access policy with the following conditions and result: it applies to two users (Jane Bloggs and James Smith), targets Office 365 SharePoint Online as the cloud app, is triggered when the device platform is Android, iOS, or Windows Phone, and blocks access when all of these conditions are met:
To create the policy, we need to go to the Intune dashboard and select Conditional Access | Policies | New Policy and follow the given steps:
- You will see the following screen. Enter a name for your policy. In this example, we will call it Block access to SharePoint Online from iOS, Android, and Windows Phone devices:
- Next, we need to target the users and groups we wish to apply the policy to. In this case, we wish to target two specific users—Jane Bloggs and James Smith. We can achieve this from the Assignments | Users and groups section of the new policy wizard, as shown:
- Once you are happy with your selections, click Select, and then click Done.
- Next, we need to set Cloud apps or actions and choose Office 365 SharePoint Online as the targeted cloud app:
- We are not going to select any user actions (at the time of writing, this is a preview feature), so let's go ahead and click on Select, and then Done once again.
- Now, we need to choose the conditions that will trigger our policy. Under Conditions, we first need to select Device Platforms:
- We need to select Configure, then Select device platforms, and then choose Android, iOS, and Windows Phone. Click on Done, and then Done again.
- Next, under Access Controls, we need to select Grant. In this example, we are going to choose Block access:
- Click Select. This is the final selection for our policy, which should now look as follows:
- In order to enable and apply this policy, select Enable policy and click Create:
- The policy is successfully created and shown in the list of policies, as in the following screenshot:
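The same policy can be created without the portal by using the Microsoft Graph PowerShell SDK, which is handy when you want the policy definition in source control or need to stamp it out across tenants. The following is an added example, not code from the book; it assumes the Microsoft.Graph modules are installed, that you hold a role allowed to manage Conditional Access, and that the two users have the placeholder UPNs jane.bloggs@contoso.com and james.smith@contoso.com. It also deliberately starts the policy in report-only mode rather than enabled, so the sign-in log can be reviewed before anyone is actually blocked:

```powershell
# Added example (not from the book): create the SharePoint Online block policy via Microsoft Graph.
# Assumptions: Microsoft.Graph modules installed; the UPNs below are placeholders.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'User.Read.All'

# Conditional Access references users by object ID, not UPN, so resolve them first.
$targetUpns = @('jane.bloggs@contoso.com', 'james.smith@contoso.com')   # assumed UPNs
$userIds = foreach ($upn in $targetUpns) { (Get-MgUser -UserId $upn -Property Id).Id }

# Well-known application ID of the first-party "Office 365 SharePoint Online" app.
$sharePointOnlineAppId = '00000003-0000-0ff1-ce00-000000000000'

$policy = @{
    displayName   = 'Block access to SharePoint Online from iOS, Android, and Windows Phone devices'
    # Report-only first: the policy is evaluated and logged but not enforced.
    # Switch to 'enabled' once the sign-in log shows the expected decisions.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeUsers = $userIds }
        applications = @{ includeApplications = @($sharePointOnlineAppId) }
        # Graph enum values for the Device platforms condition. A sign-in whose platform
        # cannot be identified matches none of these and is therefore not blocked.
        platforms    = @{ includePlatforms = @('android', 'iOS', 'windowsPhone') }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# When the report-only results match what you expect, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```

Keeping the policy in report-only mode for a day or two before enforcing it is the usual way to avoid locking out users you did not intend to target; the sign-in log records the decision each policy would have made.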
So, now we can test whether our policy works. To do this, let's see what happens when our user, Jane Bloggs, logs in with her Office 365 ID and tries to access SharePoint Online.
- First, we will try this from an Apple Macintosh device via the web browser. The Conditional Access policy should not block this, because macOS is not one of the device platforms selected in the policy, which is confirmed when we log in to SharePoint:
- However, if we try the same thing from Jane's Apple iOS device, we get the following result:
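Rather than relying on the user's screen, you can confirm from the Azure AD sign-in log which policy decided each of Jane's two sign-ins and why. The following is an added example, not code from the book; it assumes the Microsoft.Graph.Reports module, the AuditLog.Read.All permission, and the placeholder UPN jane.bloggs@contoso.com:

```powershell
# Added example (not from the book): list Jane's recent SharePoint Online sign-ins with the
# device platform Azure AD detected and the result of every Conditional Access policy applied.
# Assumptions: Microsoft.Graph.Reports module installed; the UPN is a placeholder.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$upn   = 'jane.bloggs@contoso.com'                                   # assumed UPN
$since = (Get-Date).ToUniversalTime().AddHours(-1).ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "userPrincipalName eq '$upn' and appDisplayName eq 'Office 365 SharePoint Online' and createdDateTime ge $since"

Get-MgAuditLogSignIn -Filter $filter -All | ForEach-Object {
    [pscustomobject]@{
        Time     = $_.CreatedDateTime
        OS       = $_.DeviceDetail.OperatingSystem      # the platform CA matched on, e.g. MacOs vs Ios
        Browser  = $_.DeviceDetail.Browser
        CAStatus = $_.ConditionalAccessStatus           # success, failure or notApplied
        # Display name and outcome of each policy evaluated for this sign-in
        Policies = ($_.AppliedConditionalAccessPolicies |
                    ForEach-Object { "$($_.DisplayName)=$($_.Result)" }) -join '; '
    }
} | Format-Table -AutoSize
```

For the test above you should see the Mac sign-in with the policy reported as notApplied and the iOS sign-in with the policy reported as failure; if the policy is still in report-only mode the result is reportOnlyFailure instead and the user is not actually blocked.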
So, the policy works exactly as we wish. One caveat to bear in mind: Azure AD identifies the device platform from information the client presents, such as its user agent string, which a user can alter, so a platform-only condition is not a strong security boundary. For that reason it is common to target all device platforms and then exclude only the ones you explicitly want to allow, or to combine the platform condition with a device compliance or hybrid Azure AD-join requirement. As you will have noticed from the earlier screenshots, there are many ways that you can tailor assignments and access controls in your Conditional Access policies.