Manage access to Office 365 services for PCs managed by System Center Configuration Manager

Applies to: System Center Configuration Manager (Current Branch)

Configure conditional access to Office 365 services for PCs managed by Configuration Manager.

Important

Hybrid MDM including on-premises conditional access are deprecated features. For more information, see What is hybrid MDM.

If you use conditional access on devices managed with the Configuration Manager client, enable conditional access in Intune for those devices before you migrate so that they remain protected throughout the move: enable co-management in Configuration Manager, move the compliance policy workload to Intune, and then complete the migration from Intune hybrid to Intune standalone. For more information, see Conditional access with co-management.

For information on configuring conditional access for devices enrolled and managed by Microsoft Intune, see Manage access to services in System Center Configuration Manager. That article also covers devices that are domain joined and not evaluated for compliance.

Note

Configuration Manager doesn't enable this optional feature by default. You must enable this feature before using it. For more information, see Enable optional features from updates.

Supported Services

  • Exchange Online
  • SharePoint Online

Supported PCs

  • Windows 7
  • Windows 8.1
  • Windows 10

Supported Windows Servers

  • Windows Server 2008 R2

  • Windows Server 2012

  • Windows Server 2012 R2

  • Windows Server 2016

    Important

On Windows Servers where multiple users can be signed in simultaneously (for example, a Remote Desktop Session Host), deploy the same conditional access policies to all of those users. Otherwise a noncompliant server can still reach the services through a session of a user the policy does not target.

Configure conditional access

To set up conditional access, first create a compliance policy and then configure a conditional access policy. When you configure conditional access policies for PCs, you can require that a PC be compliant before it can access Exchange Online and SharePoint Online.

Prerequisites

  • AD FS sync and an Office 365 subscription. The Office 365 subscription is required to set up Exchange Online and SharePoint Online.

  • A Microsoft Intune subscription, configured in the Configuration Manager console. The Intune subscription is used to relay device compliance state to Azure Active Directory and for user licensing.

The PCs must meet the following requirements:

  • The prerequisites for automatic device registration with Azure Active Directory. You can register PCs with Azure AD through the compliance policy.

  • Office 2013 or Office 2016 with modern authentication enabled. Conditional access is enforced at sign-in to the service, so clients that use legacy (basic) authentication are not evaluated by these policies.

The following steps apply to both Exchange Online and SharePoint Online.

Step 1. Configure compliance policy

In the Configuration Manager Console, create a compliance policy with the following rules:

  • Require registration in Azure Active Directory: This rule checks whether the user's device is workplace joined to Azure AD and, if not, automatically registers the device in Azure AD. Automatic registration is only supported on Windows 8.1. For Windows 7 PCs, deploy an MSI to perform the registration. For more information, see Automatic device registration with Azure Active Directory.

  • All required updates installed with a deadline older than a certain number of days: Specify the value for the grace period from the deployment deadline for required updates on the user's device. Adding this rule also automatically installs any pending required updates. Specify the required updates in the Required automatic updates rule.

  • Require BitLocker drive encryption: This rule checks whether the primary drive (for example, C:\) on the device is BitLocker encrypted. If BitLocker encryption is not enabled on the primary drive, access to email and SharePoint services is blocked.

  • Require Antimalware: This rule checks whether System Center Endpoint Protection or Windows Defender is enabled and running. If it is not, access to email and SharePoint services is blocked.

  • Reported as healthy by Health Attestation Service: This condition includes four subrules that check device compliance against the Device Health Attestation service. Unlike the rules above, which the Configuration Manager client evaluates locally, these values are measured at boot, signed by the device's TPM, and validated by the attestation service, so a compromised OS cannot simply report itself as healthy. For more information, see Health attestation.

    • Require BitLocker to be enabled on the device
    • Require Secure Boot to be enabled on the device
    • Require Code Integrity to be enabled on the device
    • Require Early Launch Anti-Malware to be enabled on the device

    Tip

    The conditional access criteria for device health attestation was first introduced in version 1710 as a pre-release feature. Beginning with version 1802, this feature is no longer a pre-release feature.

    Note

    Configuration Manager doesn't enable this optional feature by default. You must enable this feature before using it. For more information, see Enable optional features from updates.
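Before deploying the compliance policy, it helps to know which PCs will fail it. The script below is an added example, not code from the Configuration Manager documentation or the product: it runs the local equivalent of the rules listed above on a Windows 10 PC and prints a PASS/FAIL line for each. It assumes Windows 10 with the BitLocker and Defender PowerShell modules, dsregcmd.exe on the path, and an elevated session. The Health Attestation subrules are approximated with local queries (Confirm-SecureBootUEFI, the bcdedit integrity switches, and the presence of Defender's WdBoot ELAM driver); the real evaluation is done by the Health Attestation Service from TPM-signed boot measurements, not by this script. The required-updates rule depends on your software update deployments and is not checked here.

```powershell
# Added example: local pre-check against the compliance policy rules.
# Assumes Windows 10, elevated PowerShell, BitLocker and Defender modules present.

function Test-AzureAdRegistration {
    # dsregcmd /status prints "AzureAdJoined : YES" or "WorkplaceJoined : YES" (Windows 10).
    $status = & dsregcmd.exe /status 2>$null
    $joined = $status | Where-Object { $_ -match '^\s*(AzureAdJoined|WorkplaceJoined)\s*:\s*YES' }
    return [bool]$joined
}

function Test-BitLockerOnSystemDrive {
    # The compliance rule looks only at the primary (system) drive.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    return ($null -ne $vol -and $vol.ProtectionStatus -eq 'On')
}

function Test-Antimalware {
    # Defender (and Endpoint Protection, which shares the engine) must be enabled and running.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    return ($null -ne $mp -and $mp.AMServiceEnabled -and $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled)
}

function Test-SecureBoot {
    # Confirm-SecureBootUEFI throws on legacy BIOS machines; treat that as not enabled.
    try { return [bool](Confirm-SecureBootUEFI) } catch { return $false }
}

function Test-CodeIntegrity {
    # Approximation (assumption): kernel code integrity is considered off when the
    # boot entry has testsigning or nointegritychecks enabled.
    $bcd = & bcdedit.exe /enum '{current}' 2>$null
    $disabled = $bcd | Where-Object { $_ -match '^\s*(testsigning|nointegritychecks)\s+Yes' }
    return (-not [bool]$disabled)
}

function Test-ElamDriver {
    # Proxy check (assumption): Defender's ELAM driver WdBoot is registered as a boot-start driver.
    # ELAM drivers unload after boot, so StartMode, not State, is the meaningful field.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='WdBoot'" -ErrorAction SilentlyContinue
    return ($null -ne $drv -and $drv.StartMode -eq 'Boot')
}

$results = [ordered]@{
    'Registered in Azure AD'      = Test-AzureAdRegistration
    'BitLocker on system drive'   = Test-BitLockerOnSystemDrive
    'Antimalware enabled/running' = Test-Antimalware
    'Secure Boot enabled'         = Test-SecureBoot
    'Code Integrity enabled'      = Test-CodeIntegrity
    'ELAM driver registered'      = Test-ElamDriver
}

$results.GetEnumerator() | ForEach-Object {
    '{0,-28} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}

# Non-zero exit code when any rule fails, so the script can drive a pilot report.
if ($results.Values -contains $false) { exit 1 } else { exit 0 }
```

Run it on a sample of PCs from the group you intend to target with the policy; any FAIL line is a device that will lose access to Exchange Online and SharePoint Online once the conditional access policy is enabled, so fix those first (for example, enable BitLocker or start the antimalware service) rather than discovering them through blocked users.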

Step 2. Evaluate the effect of conditional access

Run the Conditional Access Compliance Report. It is in the Monitoring workspace under Reports > Compliance and Settings Management. The report displays the compliance status for all devices. Review it before enabling the conditional access policy: every device that reports as not compliant will be blocked from accessing Exchange Online and SharePoint Online as soon as the policy takes effect.

Screenshot: Configuration Manager console, Monitoring workspace, Reporting > Reports > Compliance and Settings Management, Conditional Access Compliance Report

Configure Active Directory Security Groups

You target conditional access policies to groups of users. These groups contain the users that the policy applies to, or the users that are exempt from it. When a policy targets a user, every device that user signs in from must be compliant in order to access the service.

The groups are Active Directory security groups that are synchronized to Azure Active Directory. You can also create the groups directly in the Microsoft 365 admin center or the Intune account portal.

You can specify two group types in each policy:

  • Targeted groups - User groups to which the policy applies. Use the same group for the compliance policy deployment and the conditional access policy, so that every user whose access is gated is also being evaluated for compliance.

  • Exempted groups - User groups that are exempt from the policy (optional).
    If a user is in both a targeted group and an exempted group, the exemption wins and the user is not subject to the policy.

    Only users in the groups targeted by the conditional access policy are evaluated; users outside those groups are not blocked, whatever their device's compliance state.

Step 3. Create a conditional access policy, for Exchange Online and SharePoint Online

  1. In the Configuration Manager console, click Assets and Compliance.

  2. To create a policy for Exchange Online, select Enable conditional access policy for Exchange Online.

    To create a policy for SharePoint Online, select Enable conditional access policy for SharePoint Online.

  3. On the Home tab, in the Links group, click Configure Conditional Access Policy in the Intune Console. You might need to supply the user name and password of the account used to connect Configuration Manager with Intune.

    The Intune admin console opens.

  4. For Exchange Online, in the Microsoft Intune administration console, click Policy > Conditional Access > Exchange Online Policy.

    For SharePoint Online, in the Microsoft Intune administration console, click Policy > Conditional Access > SharePoint Online Policy.

  5. Set the Windows PC requirement to the Devices must be compliant option.

  6. Under Targeted Groups, click Modify to select the Azure Active Directory security groups to which the policy applies.

    Note

    Use the same security user group for deploying the compliance policy and as the Targeted Group of the conditional access policy.

    Under Exempted Groups, optionally, click Modify to select the Azure Active Directory security groups that are exempt from this policy.

  7. Click Save to create and save the policy.

Users can view their device's compliance information in Software Center. When a user is blocked because of noncompliance, remediate the compliance issues on the device and then initiate a new compliance policy evaluation from Software Center; access is restored once the device reports as compliant.

See also