
Device-based Conditional Access

With Intune, you can ensure that only devices that are managed and compliant can access services provided by Microsoft 365, such as Exchange Online, Software as a Service (SaaS) apps, and even on-premises apps. It is also possible to set specific requirements, such as that computers must be hybrid Azure AD-joined or must use an approved client app, and that mobile devices must be enrolled in Intune in order to access services.

Device policies can be configured to enforce device compliance and give administrators visibility on the compliance status of devices that have been enrolled in Intune. This compliance status is passed to Azure AD, which then triggers a Conditional Access policy when users attempt to access resources. The Conditional Access policy either allows or blocks access to resources based on the compliance status of the requesting device.

In the modern workplace, you will increasingly need to consider and plan for the following device types and Conditional Access scenarios:

  • Corporate-owned devices, which can include the following:

    a. On-premises domain-joined Azure AD

    b. Domain-joined Azure AD

    c. Domain-joined Azure AD also registered with System Center Configuration Manager

  • Bring Your Own Device (BYOD) devices, which can include the following:

    Workplace-joined and managed by Intune

Next, let's look at how you can use Conditional Access to create a device-based policy.

Creating a device-based Conditional Access policy

In the following example, we will create a device-based Conditional Access policy to trigger the following conditions and results:

To create the policy, we need to go to the Intune dashboard and select Conditional Access | Policies | New Policy and follow the given steps:

  1. You will see the following screen. Enter a name for your policy. In this example we will call it Block access to SharePoint Online from iOS, Android, and Windows Phone devices:

    Figure 3.8 – New policy creation

  2. Next, we need to target the users and groups we wish to apply the policy to. In this case, we wish to target two specific users—Jane Bloggs and James Smith. We can achieve this from the Assignments | Users and groups section of the new policy wizard, as shown:

    Figure 3.9 – New policy user and group settings

  3. Once you are happy with your selections, click Select, and then click Done.
  4. Next, we need to set Cloud apps or actions and choose Office 365 SharePoint Online as the targeted cloud app:

    Figure 3.10 – New policy application settings

  5. We are not going to select any user actions (at the time of writing, this is a preview feature), so let's go ahead and click on Select, and then Done once again.
  6. Now, we need to choose the conditions that will trigger our policy. Under Conditions, we first need to select Device Platforms:

    Figure 3.11 – New policy device platforms

  7. We need to select Configure, then Select device platforms, and then choose Android, iOS, and Windows Phone. Click on Done, and then Done again.
  8. Next, under Access Controls, we need to select Grant. In this example, we are going to choose Block access:

    Figure 3.12 – Access controls

  9. Click Select. This is the final selection for our policy, which should now look as follows:

    Figure 3.13 – Access controls

  10. In order to enable and apply this policy, select Enable policy and click Create:

    Figure 3.14 – Enabling the policy

  11. The policy is successfully created and shown in the list of policies, as in the following screenshot:

    Figure 3.15 – List of policies

    So, now we can test whether our policy works. To do this, let's see what happens when our user, Jane Bloggs, logs in with her Office 365 ID and tries to access SharePoint Online.

  12. First, we will try this from an Apple Macintosh device via the web browser. The Conditional Access policy should not block this, which is confirmed when we log in to SharePoint:

    Figure 3.16 – Access to SharePoint via the macOS web browser

  13. However, if we try the same thing from Jane's Apple iOS device, we get the following result:

    Figure 3.17 – Access to SharePoint blocked on the iOS device

So, the policy works exactly how we wish. As you will have noticed from the earlier screenshots, there are many ways that you can tailor assignments and access controls in your Conditional Access policies.
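The same policy can be created as code rather than through the portal. The following is an added example (not from the book) using the Microsoft Graph PowerShell SDK; the user principal names are assumed placeholders, and the application ID is the well-known ID of Office 365 SharePoint Online.

```powershell
# Added example: the portal steps above expressed with the Microsoft Graph PowerShell SDK.
# Requires the Microsoft.Graph module and an account holding the
# Policy.ReadWrite.ConditionalAccess and User.Read.All permissions.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All"

# Resolve the two targeted users to their object IDs (placeholder UPNs).
$userIds = @("jane.bloggs@contoso.example", "james.smith@contoso.example") |
    ForEach-Object { (Get-MgUser -UserId $_).Id }

# Well-known application ID of Office 365 SharePoint Online.
$sharePointAppId = "00000003-0000-0ff1-ce00-000000000000"

$policy = @{
    displayName = "Block access to SharePoint Online from iOS, Android, and Windows Phone devices"
    # "enabled" matches the Enable policy step above. To see what would be blocked
    # in the sign-in logs before enforcing, use "enabledForReportingButNotEnforced".
    state       = "enabled"
    conditions  = @{
        users        = @{ includeUsers = $userIds }
        applications = @{ includeApplications = @($sharePointAppId) }
        platforms    = @{ includePlatforms = @("android", "iOS", "windowsPhone") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Because the policy is scoped to two named users, it is safe to iterate on; widen the user scope only after the macOS browser and iOS sign-in tests above behave as expected.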
