Conditional Access: Require compliant devices
Organizations that have deployed Microsoft Intune can use the information returned from their devices to identify devices that meet compliance requirements such as:
- Requiring a PIN to unlock
- Requiring device encryption
- Requiring a minimum or maximum operating system version
- Requiring a device is not jailbroken or rooted
This policy compliance information is forwarded to Azure AD where Conditional Access can make decisions to grant or block access to resources.
Create a Conditional Access policy
The following steps will help create a Conditional Access policy that requires devices accessing resources to be marked as compliant with your organization's Intune compliance policies.
- Sign in to the Azure portal as a global administrator, security administrator, or Conditional Access administrator.
- Browse to Azure Active Directory > Conditional Access.
- Select New policy.
- Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
- Under Assignments, select Users and groups.
- Under Include, select All users.
- Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.
- Select Done.
- Under Cloud apps or actions > Include, select All cloud apps.
- If you must exclude specific applications from your policy, you can choose them from the Exclude tab under Select excluded cloud apps and choose Select.
- Select Done.
- Under Access controls > Grant, select Require device to be marked as compliant.
- Select Select.
- Confirm your settings and set Enable policy to On.
- Select Create to create and enable your policy.
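The same policy expressed as a Microsoft Graph PowerShell script, added here as an example and not part of the original article. It assumes the Microsoft.Graph.Identity.SignIns module is installed; the policy name and the break-glass group object ID are placeholders for your tenant.

```powershell
# Added example: create the "require compliant device" policy via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph.Identity.SignIns is installed and the signed-in account can
# write Conditional Access policies. The name and group ID below are placeholders.
param(
    [string]$PolicyName = "CA - Require compliant device - All users - All apps",
    # Placeholder: object ID of the group that holds the emergency access (break-glass) accounts.
    [string]$BreakGlassGroupId = "00000000-0000-0000-0000-000000000000",
    # "enabled" matches the article's "Enable policy: On". To measure impact before enforcing,
    # use "enabledForReportingButNotEnforced" (report-only) and review the sign-in logs first.
    [ValidateSet("enabled", "disabled", "enabledForReportingButNotEnforced")]
    [string]$State = "enabled"
)

# Scopes required by the Graph "create conditionalAccessPolicy" operation.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$policy = @{
    displayName = $PolicyName
    state       = $State
    conditions  = @{
        # Assignments > Users and groups: include All users, exclude the break-glass group
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($BreakGlassGroupId)
        }
        # Cloud apps or actions: All cloud apps; add app IDs to excludeApplications if you must exclude any
        applications = @{
            includeApplications = @("All")
            excludeApplications = @()
        }
        clientAppTypes = @("all")
    }
    # Access controls > Grant: Require device to be marked as compliant
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back so the result can be confirmed against the settings above.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
Write-Output "Created '$($check.DisplayName)' (id $($check.Id)) in state '$($check.State)'"
Write-Output "Grant controls: $($check.GrantControls.BuiltInControls -join ', ')"
```

Keep the break-glass group excluded exactly as in the portal steps; without it, a compliance-service outage can lock every administrator out of the tenant.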