Noncompliant devices shall be blocked from accessing corporate resources
Last updated
Device compliance policies define the settings a device on a given platform must meet to satisfy corporate requirements (for example, disk encryption, a minimum OS version, or no jailbreak or root). A compliance policy on its own only evaluates and reports; paired with a conditional access policy, it becomes enforceable: a device that does not meet the compliance policy is denied access to corporate resources at sign-in.
Noncompliant devices shall not be able to access corporate resources
This setting requires at least an Azure AD P1 license which comes standalone or as part of the following bundles:
EMS+E3/E5
Microsoft 365 Business Premium
Microsoft 365 E3
Microsoft 365 E5
To configure a conditional access policy for compliant devices:
Under the Assignments section, include all users. Be sure to exclude a break-glass (emergency access) account so that you can never lock yourself out of the tenant.
Under the Cloud apps section, include all cloud apps.
Do not configure anything in the Conditions section.
Under the Grant section, choose Require device to be marked as compliant.
Any user who tries to access corporate data from a device that is not marked as compliant receives a message stating that access is blocked and that they should contact IT. This covers both devices that are enrolled in Intune and evaluated as noncompliant and devices that are not enrolled at all: an unenrolled device has no compliance state, so it fails the check in the same way. Because the policy targets all users and all cloud apps, it is worth creating it in report-only mode first and reviewing the sign-in logs before switching it to enabled.
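The same policy created from the command line, as an added example that is not part of the original page: it uses the Microsoft Graph PowerShell SDK to build the policy exactly as the steps above describe (all users with one break-glass exclusion, all cloud apps, no conditions, the "compliant device" grant control), creates it in report-only mode, and then reads back recent sign-ins that would have been blocked so the effect can be checked before enforcement. The break-glass account name, the policy display name and the Graph permission scopes are assumptions; replace them with your own.

```powershell
# Added example, not the original page's code: create the "require compliant device"
# Conditional Access policy with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users and
# Microsoft.Graph.Reports are installed, and the signed-in admin can consent to the
# scopes requested below. $BreakGlassUpn is a hypothetical emergency-access account.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Reports

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All", "AuditLog.Read.All"

# Resolve the break-glass account first; refuse to continue if it cannot be found,
# because a policy with no exclusion could lock every administrator out.
$BreakGlassUpn = "breakglass@contoso.example"      # hypothetical, replace with yours
$BreakGlass = Get-MgUser -UserId $BreakGlassUpn -Property Id -ErrorAction Stop

$params = @{
    displayName = "Require compliant device - all users, all cloud apps"
    # Report-only: the policy is evaluated and logged but not enforced, which lets you
    # see who would be blocked. Switch to "enabled" once the sign-in logs look right.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($BreakGlass.Id)      # the break-glass exclusion
        }
        applications = @{
            includeApplications = @("All")
        }
        # Nothing else under conditions (platforms, locations, client apps), matching
        # the "do not configure anything in the Conditions section" step.
    }
    grantControls = @{
        operator = "OR"
        builtInControls = @("compliantDevice")    # "Require device to be marked as compliant"
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
$policy | Select-Object Id, DisplayName, State

# Verification while in report-only mode: list recent sign-ins where this policy
# evaluated to "reportOnlyFailure", i.e. the sign-ins that would be blocked once the
# policy is enabled. Unenrolled devices show up here too, since they have no
# compliance state. The filter is applied client-side over the most recent 500 events.
$wouldBeBlocked = Get-MgAuditLogSignIn -Top 500 |
    Where-Object {
        $_.AppliedConditionalAccessPolicies |
            Where-Object { $_.Id -eq $policy.Id -and $_.Result -eq "reportOnlyFailure" }
    } |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName,
        @{ n = "DeviceCompliant"; e = { $_.DeviceDetail.IsCompliant } },
        @{ n = "DeviceTrust";     e = { $_.DeviceDetail.TrustType } }

$wouldBeBlocked | Format-Table -AutoSize

# Once the report-only results are as expected, enforce the policy. This is left as a
# separate, deliberate step rather than run automatically.
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id `
#     -BodyParameter @{ state = "enabled" }
```

Sign-in log entries take a few minutes to appear, so run the verification part some time after users have signed in under the report-only policy. The `DeviceTrust` column distinguishes an Azure AD joined or registered device that failed compliance (it has a trust type) from a device that is not enrolled at all (no trust type, `DeviceCompliant` empty), which is useful when deciding whether users need to enroll or to remediate.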
Follow the steps to create a conditional access policy