Drive end-user adoption with Conditional Access in Microsoft Intune

Enabling Conditional Access features with Intune, such as blocking email for unenrolled devices, can help drive enrollment and compliance but they are not required for a migration to be successful. Your migration adoption goals and security requirements should dictate the success.

Migration campaign with Conditional Access

Here is a typical approach to enhancing a migration campaign with Conditional Access:

  1. Set Conditional Access rules to be enforced for all users but specifically exclude the users who need to migrate from the old MDM provider. You can create an Azure AD user group with all Conditional Access excluded users.

  2. As users migrate, remove them from the Conditional Access exclusion group.

  3. After migration completes, configure all Conditional Access policies to block by default unless Intune allows access.


  • Provides access control for new user accounts or user account who were not managed by the previous solution.

  • Provides grace period for users of previous solution to migration.

  • Minimizes loss of productivity


  • Users of previous solution could potentially access resources using unmanaged devices until Conditional Access is enabled for those users.

This is one approach among many. You may choose a simpler process that defers all Conditional Access until after every phase has been instructed to enroll, or a stricter process that enforces Conditional Access from the very beginning and requires full compliance for all access.

Task list for Conditional Access

Task 1: Decide how you are going to implement Conditional Access

Common ways to use Conditional Access.

Task 2: Set up Intune Conditional Access

Choose one of the following options:

Next steps

Learn about the typical migration cycle.