
CyberSystem

Intune Conditional Access Integration: Complete Guide

Learn how to integrate Intune device compliance and app protection policies with Microsoft Entra Conditional Access to enforce secure access to organizational resources.

By Ali Alame
Tags: intune, conditional-access, device-compliance, app-protection, security, microsoft-entra, zero-trust

Microsoft Entra Conditional Access works with Microsoft Intune to provide an additional layer of security by enforcing access controls based on device compliance status and app protection policies. This integration ensures that only compliant devices and protected apps can access your organization's resources.

Understanding Conditional Access and Intune Integration

Conditional Access is a Microsoft Entra capability that works with Intune to help protect access to your resources. For devices registered with Microsoft Entra ID, Conditional Access policies can use the device and compliance details Intune reports to enforce access decisions for users and devices.

Key Integration Points

  1. Device Compliance: Conditional Access can require devices to be marked as compliant
  2. App Protection: Conditional Access can require the client app to be covered by an Intune app protection policy
  3. Device Registration: Conditional Access can require devices to be registered, Microsoft Entra joined or Microsoft Entra hybrid joined
  4. Device Risk: Conditional Access acts on device risk indirectly. A compliance policy can require the device to be at or under a Microsoft Defender for Endpoint machine risk score or a mobile threat defense threat level; a device above that level is marked non-compliant, and policies that require compliance then block it

For an overview, see Learn about Conditional Access and Intune.

Prerequisites

Before integrating Conditional Access with Intune:

  1. Microsoft Entra ID P1 or P2: Required for Conditional Access
  2. Intune Subscription: Active Intune license
  3. Compliance Policies: Create and assign device compliance policies
  4. App Protection Policies: Create app protection policies (if using app-based CA)
  5. Permissions: Conditional Access Administrator role

Device-Based Conditional Access

Device-based Conditional Access uses device compliance status from Intune to control access to organizational resources.

How It Works

  1. Intune evaluates each enrolled device against the compliance policies assigned to it
  2. Intune writes the resulting compliance state to the device object in Microsoft Entra ID
  3. At sign-in, Conditional Access reads that state from the device object; a device that is not registered in Entra ID, or that Intune has never reported on, does not satisfy the control
  4. Access is granted or blocked according to the grant controls of the policies that apply

Creating a Device Compliance Conditional Access Policy

Step 1: Create Compliance Policy in Intune

First, create and assign device compliance policies in Intune. See Create a compliance policy in Microsoft Intune.

Important: Without a compliance policy created in Intune, the Conditional Access policy won't function as intended.

Step 2: Create Conditional Access Policy

  1. Sign in to the Microsoft Entra admin center as a Conditional Access Administrator
  2. Navigate to Entra ID > Conditional Access > Policies
  3. Select New policy

Step 3: Configure Policy Settings

Assignments:

  • Users or workload identities:
    • Include: Select All users
    • Exclude:
      • Emergency access accounts
      • Directory Synchronization Accounts (if using hybrid identity)

Target resources:

  • Resources (formerly cloud apps):
    • Include: Select All resources (formerly 'All cloud apps')

Access controls:

  • Grant:
    • Select Require device to be marked as compliant, then choose Select to confirm

Enable policy:

  • Set to Report-only initially for testing
  • After testing, change to On

Step 4: Test and Enable

  1. Test the policy in report-only mode
  2. Review policy impact using report-only mode
  3. Move Enable policy from Report-only to On

For detailed steps, see Require device compliance with Conditional Access.

Important Considerations

  • Enrollment: Users can still enroll devices even with this policy enabled
  • Grace Periods: Configure grace periods in compliance policies to prevent immediate lockout
  • User Groups: Ensure user groups match between compliance policies and Conditional Access policies
  • Testing: Always test in report-only mode first
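A quick way to catch the mistakes this procedure and the considerations above warn about (forgetting the exclusions, or a block that reaches everyone) before a policy moves from report-only to On is to lint the policy objects exported from Microsoft Graph. The script below is an added example written for this post, not code from the page or from Microsoft; it uses the field names of the Graph `conditionalAccessPolicy` resource as returned by `GET /identity/conditionalAccess/policies`, two constructed policies, and placeholder object IDs for the emergency access accounts. The role template ID is the built-in one for Directory Synchronization Accounts.

```python
"""Offline lint for Microsoft Entra Conditional Access policy objects.

Added example for this post (not the page's or Microsoft's code). Input dicts use
the Microsoft Graph conditionalAccessPolicy field names; run it over the JSON
returned by GET /identity/conditionalAccess/policies.
"""
from __future__ import annotations

# Placeholder object IDs for the tenant's emergency access accounts (constructed).
BREAK_GLASS_ACCOUNTS = {
    "11111111-1111-1111-1111-111111111111",
    "22222222-2222-2222-2222-222222222222",
}
# Template ID of the built-in "Directory Synchronization Accounts" role.
DIRSYNC_ROLE_TEMPLATE = "d29b2b05-8046-44ba-8758-1e26182fcf32"
REPORT_ONLY = "enabledForReportingButNotEnforced"   # Graph's name for report-only
DEVICE_CONTROLS = {"compliantDevice", "domainJoinedDevice", "compliantApplication"}


def audit_policy(policy: dict) -> list[str]:
    """Return human-readable findings for one policy; an empty list means no issue."""
    if policy.get("state") == "disabled":
        return []                                   # cannot lock anyone out
    conditions = policy.get("conditions") or {}
    users = conditions.get("users") or {}
    apps = conditions.get("applications") or {}
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])

    all_users = "All" in (users.get("includeUsers") or [])
    all_apps = "All" in (apps.get("includeApplications") or [])
    excluded_users = set(users.get("excludeUsers") or [])
    excluded_roles = set(users.get("excludeRoles") or [])

    findings: list[str] = []
    # Every policy that can deny access must carve out the break-glass accounts,
    # or a bad edit to this one policy can lock the whole tenant out.
    if not BREAK_GLASS_ACCOUNTS <= excluded_users:
        findings.append("emergency access accounts not excluded")
    # Sync accounts have no device, so a device control aimed at all users breaks
    # directory synchronization unless the role is excluded.
    if all_users and controls & DEVICE_CONTROLS and DIRSYNC_ROLE_TEMPLATE not in excluded_roles:
        findings.append("Directory Synchronization Accounts role not excluded")
    # Block on all users and all resources is a tenant-wide outage waiting to happen.
    if "block" in controls and all_users and all_apps:
        findings.append("blocks all users on all resources")
    if not controls and not policy.get("sessionControls"):
        findings.append("no grant or session controls, policy does nothing")
    return findings


def audit_policies(policies: list[dict]) -> dict[str, list[str]]:
    """Map displayName -> findings for every policy in a tenant export."""
    return {p.get("displayName", "<unnamed>"): audit_policy(p) for p in policies}


# Constructed "before" policy: enabled immediately, no exclusions.
UNSAFE_POLICY = {
    "displayName": "Require compliant device (no exclusions)",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
}

# The same policy built the way Step 3 above describes it.
SAFE_POLICY = {
    "displayName": "Require compliant device (report-only pilot)",
    "state": REPORT_ONLY,
    "conditions": {
        "users": {
            "includeUsers": ["All"],
            "excludeUsers": sorted(BREAK_GLASS_ACCOUNTS),
            "excludeRoles": [DIRSYNC_ROLE_TEMPLATE],
        },
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
}

if __name__ == "__main__":
    for name, findings in audit_policies([UNSAFE_POLICY, SAFE_POLICY]).items():
        print(f"{name}: {'; '.join(findings) or 'OK'}")
```

The lint only sees a snapshot, so it cannot tell whether a policy that is already On went through a report-only phase; that history lives in the audit log and in your own change records. Run it as a pre-change check on the policy body you are about to submit, and periodically over the full export to catch exclusions that were quietly removed.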

App-Based Conditional Access

App-based Conditional Access ensures only client apps that support Intune app protection policies can access your online resources.

Creating an App Protection Conditional Access Policy

  1. Sign in to the Microsoft Entra admin center
  2. Navigate to Entra ID > Conditional Access > Policies
  3. Select New policy

Configure:

  • Users: Include all users (exclude emergency access accounts)
  • Target resources: Select the apps to protect (e.g., Office 365 Exchange Online, Office 365 SharePoint Online)
  • Conditions > Device platforms: Include the platforms on which you deploy app protection policies (typically iOS/iPadOS and Android)
  • Access controls:
    • Select Require app protection policy
    • Choose Require one of the selected controls

A client app satisfies this control only when it supports Intune app protection policies and a policy is assigned to the signing-in user. Apps that do not support app protection, such as most native mail clients, are refused, so assign the app protection policy to the same users before the Conditional Access policy is turned on.

For guidance, see App-based Conditional Access with Intune.

Common Conditional Access Scenarios

Scenario 1: Require Compliant Devices for All Users

Configuration:

  • Users: All users (exclude emergency access)
  • Resources: All cloud apps
  • Controls: Require device to be marked as compliant

Use Case: Ensure all devices accessing organizational resources meet security requirements.

Scenario 2: Require Compliant Devices for Administrators

Configuration:

  • Users: Directory roles (Global Administrator, etc.)
  • Resources: All cloud apps
  • Controls: Require device to be marked as compliant

Use Case: Enforce stricter security for administrative accounts.

For guidance, see Require a compliant or Microsoft Entra hybrid joined device for administrators.

Scenario 3: Require Compliant Device OR MFA

Configuration:

  • Users: All users
  • Resources: All cloud apps
  • Controls: Require one of:
    • Device to be marked as compliant
    • Microsoft Entra hybrid joined device
    • Multifactor authentication

Use Case: Provide flexibility while maintaining security.

For details, see Require a compliant device, Microsoft Entra hybrid joined device, OR multifactor authentication for all users.

Scenario 4: Block Unknown or Unsupported Platforms

Configuration:

  • Users: All users (exclude emergency access accounts)
  • Device platforms: Include Any device, then Exclude each platform you support (Android, iOS, Windows, macOS, Linux)
  • Access controls: Block

Use Case: Prevent access from unsupported or unknown device platforms. Unknown platforms cannot be selected directly, so the policy blocks every platform and carves out the supported ones. The platform condition is derived from the user agent and is not a trust boundary on its own; keep it alongside the compliant-device requirement rather than in place of it.

For guidance, see Block unknown or unsupported device platforms.
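To see how the four scenarios interact, and why scenario 3's "Require one of the selected controls" is looser than scenario 1, here is a small evaluator that applies the same include/exclude and grant-control rules Conditional Access uses. It is an added example written for this post, not code from the page or from Microsoft, and it models only what the scenarios above exercise: user and role scoping, the platform condition, the built-in grant controls, and report-only versus enforced state. Policies use the Graph `conditionalAccessPolicy` field names; the user, app and break-glass IDs are constructed, while the Global Administrator role template ID is the built-in one.

```python
"""Toy Conditional Access evaluator for the four scenarios above.

Added example for this post (not the page's or Microsoft's code). Risk, location,
client-app and session controls are deliberately out of scope.
"""
from __future__ import annotations
from dataclasses import dataclass, field

GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"   # built-in role template ID
BREAK_GLASS = "11111111-1111-1111-1111-111111111111"        # constructed user object ID
SUPPORTED_PLATFORMS = ["android", "iOS", "windows", "macOS", "linux"]
REPORT_ONLY = "enabledForReportingButNotEnforced"           # Graph's report-only state


@dataclass
class SignIn:
    """What Entra ID knows about the access request when policies are evaluated."""
    user_id: str
    app_id: str
    platform: str                    # Graph platform name, or "unknown"
    roles: set = field(default_factory=set)
    device_compliant: bool = False   # compliance state Intune wrote to the device object
    hybrid_joined: bool = False
    mfa_satisfied: bool = False

    def satisfies(self, control: str) -> bool:
        return {"compliantDevice": self.device_compliant, "domainJoinedDevice": self.hybrid_joined,
                "mfa": self.mfa_satisfied}.get(control, False)


def in_scope(policy: dict, s: SignIn) -> bool:
    """Include/exclude matching for users, resources and (if present) platforms."""
    cond = policy.get("conditions") or {}
    u, a, p = cond.get("users") or {}, cond.get("applications") or {}, cond.get("platforms")
    inc_users = u.get("includeUsers", [])
    included = ("All" in inc_users or s.user_id in inc_users
                or bool(s.roles & set(u.get("includeRoles", []))))
    excluded = (s.user_id in u.get("excludeUsers", [])
                or bool(s.roles & set(u.get("excludeRoles", []))))
    if not included or excluded:
        return False
    inc_apps = a.get("includeApplications", [])
    if not ("All" in inc_apps or s.app_id in inc_apps) or s.app_id in a.get("excludeApplications", []):
        return False
    if p:  # exclusions win here too: "Any device" minus the supported platforms
        inc = p.get("includePlatforms", [])
        if not ("all" in inc or s.platform in inc) or s.platform in p.get("excludePlatforms", []):
            return False
    return True


def evaluate(policy: dict, s: SignIn) -> str:
    """One policy's result in the sign-in log vocabulary: notApplied, success or
    failure, prefixed with reportOnly for a report-only policy."""
    if policy.get("state") == "disabled" or not in_scope(policy, s):
        result = "notApplied"
    else:
        grant = policy.get("grantControls") or {}
        controls = grant.get("builtInControls", [])
        if "block" in controls:
            result = "failure"                        # block always wins
        else:
            met = [s.satisfies(c) for c in controls]
            # "Require one of the selected controls" is OR; "Require all" is AND.
            ok = any(met) if grant.get("operator", "OR") == "OR" else all(met)
            result = "success" if ok else "failure"
    if policy.get("state") == REPORT_ONLY:
        return "reportOnly" + result[0].upper() + result[1:]
    return result


def decide(policies: list, s: SignIn) -> tuple:
    """Overall outcome plus per-policy results; one enforced failure blocks the sign-in."""
    results = {p["displayName"]: evaluate(p, s) for p in policies}
    return ("block" if "failure" in results.values() else "grant"), results


def policy(name, controls, users=None, platforms=None, state="enabled"):
    """Builder for the scenario policies (constructed, Graph field names)."""
    cond = {"users": users or {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS]},
            "applications": {"includeApplications": ["All"]}}
    if platforms:
        cond["platforms"] = platforms
    return {"displayName": name, "state": state, "conditions": cond,
            "grantControls": {"operator": "OR", "builtInControls": controls}}


SCENARIO_1 = policy("S1 compliant device, all users", ["compliantDevice"])
SCENARIO_2 = policy("S2 compliant or hybrid joined, admins", ["compliantDevice", "domainJoinedDevice"],
                    users={"includeRoles": [GLOBAL_ADMIN_ROLE], "excludeUsers": [BREAK_GLASS]})
SCENARIO_3 = policy("S3 compliant, hybrid joined or MFA", ["compliantDevice", "domainJoinedDevice", "mfa"])
SCENARIO_4 = policy("S4 block unsupported platforms", ["block"],
                    platforms={"includePlatforms": ["all"], "excludePlatforms": SUPPORTED_PLATFORMS})

if __name__ == "__main__":
    # Unmanaged Windows device with MFA: S3 alone lets it in, S1 alongside it does not.
    s = SignIn("user-1", "app-1", "windows", mfa_satisfied=True)
    print(decide([SCENARIO_3, SCENARIO_4], s))
    print(decide([SCENARIO_1, SCENARIO_3, SCENARIO_4], s))
```

The point the evaluator makes is that policies combine by intersection: scenario 3 on its own admits an unmanaged device with MFA, but adding scenario 1 blocks that same sign-in, because every enforced policy that applies must grant. Report-only policies are evaluated in full but never contribute a block, which is why the overall decision ignores their `reportOnlyFailure` results.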

Integration with Other Services

Microsoft Defender for Endpoint

Defender for Endpoint assigns a machine risk score to onboarded devices, and Intune feeds it into Conditional Access through compliance:

  • In the compliance policy, set Require the device to be at or under the machine risk score (Clear, Low, Medium or High)
  • A device whose score exceeds the threshold is marked non-compliant, so every policy that requires a compliant device blocks it
  • Once the threat is remediated and the device checks in, compliance returns and access resumes

Conditional Access does not read the Defender risk score directly, and device risk on its own does not trigger an MFA prompt; risk-based MFA is a Microsoft Entra ID Protection feature driven by sign-in and user risk.

Mobile Threat Defense Partners

Integrate MTD partners with Conditional Access the same way, through compliance:

  • Connect the MTD partner to Intune, then set Require the device to be at or under the Device Threat Level (Secured, Low, Medium or High) in the compliance policy
  • Devices above the threshold are marked non-compliant, so policies that require a compliant device block them
  • Access returns after the partner app reports the threat remediated and the device checks in

For information, see Mobile threat defense integration with Intune.

Microsoft Tunnel

Conditional Access works with Microsoft Tunnel, Intune's VPN gateway for managed iOS and Android devices:

  • Microsoft Tunnel Gateway appears as a resource in Conditional Access, so a policy can require a compliant device before the VPN connection is allowed
  • Because the tunnel is the path to on-premises resources, that policy extends the compliance requirement to them
  • The decision still rests on the compliance state Intune reports; there is no separate "require tunnel" grant control

Best Practices

1. Start with Report-Only Mode

Always test Conditional Access policies in report-only mode:

  • Review policy impact
  • Identify affected users
  • Verify expected behavior
  • Adjust policies as needed

2. Exclude Emergency Access Accounts

Always exclude emergency access (break-glass) accounts:

  • Prevents lockout scenarios
  • Enables recovery from misconfigurations
  • Critical for disaster recovery

For guidance, see Manage emergency access accounts in Microsoft Entra ID.

3. Use Grace Periods

Configure grace periods in compliance policies:

  • Prevents immediate access loss
  • Allows time for remediation
  • Improves user experience
  • Reduces support tickets

4. Coordinate User Groups

Ensure user groups match between:

  • Intune compliance policies
  • Conditional Access policies
  • App protection policies

5. Monitor Regularly

  • Review Conditional Access sign-in logs
  • Monitor policy impact
  • Check for blocked users
  • Review compliance status
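The sign-in logs are where a report-only pilot shows its impact and where an unexpected block is diagnosed. The script below is an added example written for this post, not code from the page or from Microsoft; it reads records in the shape Microsoft Graph returns from `GET /auditLogs/signIns` (the `conditionalAccessStatus`, `appliedConditionalAccessPolicies[].result` and `deviceDetail` fields) and answers three of the questions in the checklist above: what each policy decided, who a report-only policy would have blocked, and which enforced blocks hit devices that Intune manages but reports as non-compliant. The four records are constructed.

```python
"""Triage Entra sign-in log records by Conditional Access outcome.

Added example for this post (not the page's or Microsoft's code). Records follow
the Microsoft Graph signIn resource; the four below are constructed.
"""
import json
from collections import Counter, defaultdict

SAMPLE_SIGNINS = json.loads(r"""[
  {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365 Exchange Online",
   "conditionalAccessStatus": "success",
   "deviceDetail": {"operatingSystem": "Windows 11", "isManaged": true, "isCompliant": true},
   "appliedConditionalAccessPolicies": [
     {"displayName": "Require compliant device", "result": "success",
      "enforcedGrantControls": ["RequireCompliantDevice"]},
     {"displayName": "Block unsupported platforms", "result": "notApplied",
      "enforcedGrantControls": []}]},
  {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365 SharePoint Online",
   "conditionalAccessStatus": "failure",
   "deviceDetail": {"operatingSystem": "Windows 10", "isManaged": true, "isCompliant": false},
   "appliedConditionalAccessPolicies": [
     {"displayName": "Require compliant device", "result": "failure",
      "enforcedGrantControls": ["RequireCompliantDevice"]}]},
  {"userPrincipalName": "carol@contoso.example", "appDisplayName": "Microsoft Teams",
   "conditionalAccessStatus": "success",
   "deviceDetail": {"operatingSystem": "Android", "isManaged": false, "isCompliant": false},
   "appliedConditionalAccessPolicies": [
     {"displayName": "Pilot: require app protection", "result": "reportOnlyFailure",
      "enforcedGrantControls": ["RequireCompliantApp"]}]},
  {"userPrincipalName": "dave@contoso.example", "appDisplayName": "Microsoft Teams",
   "conditionalAccessStatus": "success",
   "deviceDetail": {"operatingSystem": "Ios", "isManaged": true, "isCompliant": true},
   "appliedConditionalAccessPolicies": [
     {"displayName": "Pilot: require app protection", "result": "reportOnlySuccess",
      "enforcedGrantControls": ["RequireCompliantApp"]}]}
]""")


def policy_outcomes(signins):
    """Per policy, how many sign-ins ended in each result (success, failure, reportOnly*)."""
    counts = defaultdict(Counter)
    for rec in signins:
        for applied in rec.get("appliedConditionalAccessPolicies", []):
            counts[applied["displayName"]][applied["result"]] += 1
    return {name: dict(c) for name, c in counts.items()}


def report_only_impact(signins):
    """Users a report-only policy would have blocked: {policy: sorted UPNs}."""
    hit = defaultdict(set)
    for rec in signins:
        for applied in rec.get("appliedConditionalAccessPolicies", []):
            if applied["result"] == "reportOnlyFailure":
                hit[applied["displayName"]].add(rec["userPrincipalName"])
    return {name: sorted(users) for name, users in hit.items()}


def blocked_managed_noncompliant(signins):
    """Enforced failures on devices Intune manages but reports non-compliant.
    These are the 'compliance status not updating' cases to check first."""
    out = []
    for rec in signins:
        dev = rec.get("deviceDetail", {})
        if rec.get("conditionalAccessStatus") == "failure" and dev.get("isManaged") and not dev.get("isCompliant"):
            out.append((rec["userPrincipalName"], dev.get("operatingSystem")))
    return out


if __name__ == "__main__":
    print(policy_outcomes(SAMPLE_SIGNINS))
    print(report_only_impact(SAMPLE_SIGNINS))
    print(blocked_managed_noncompliant(SAMPLE_SIGNINS))
```

Point the same functions at a real export (paged through `@odata.nextLink`) over the whole report-only window before flipping a policy to On; a non-empty `report_only_impact` for the policy is your list of users to fix or exclude first, and `blocked_managed_noncompliant` separates devices that need a compliance check-in from devices that were never enrolled.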

6. Document Policies

  • Document policy purpose
  • Record user groups affected
  • Note exceptions and exclusions
  • Maintain change history

Troubleshooting

Common Issues

  1. Users Blocked Unexpectedly

    • Check device compliance status
    • Verify user group assignments
    • Review Conditional Access policy configuration
    • Check policy evaluation details
  2. Compliance Status Not Updating

    • Verify device check-in status
    • Check compliance policy assignments
    • Review compliance policy settings
    • Ensure device is enrolled
  3. Policy Not Applying

    • Verify user is in included groups
    • Check user is not in excluded groups
    • Review policy enable status
    • Check policy conditions

Using Troubleshoot Pane

Use Intune's built-in troubleshooting:

  1. In the Intune admin center, go to Troubleshooting + support > Troubleshoot
  2. Select the user having issues
  3. Review the user's devices, their enrollment status and compliance state, and which compliance policies are assigned to them
  4. For the Conditional Access decision itself, open the user's sign-in in the Microsoft Entra admin center under Monitoring > Sign-in logs; the Conditional Access tab lists every policy that was evaluated, its result (Success, Failure, Not applied, or the report-only equivalents) and the grant controls that were enforced

For troubleshooting guidance, see Troubleshooting policies and profiles in Microsoft Intune.


Conclusion

Integrating Intune with Conditional Access provides a powerful security framework that ensures only compliant devices and protected apps can access organizational resources. By following these best practices:

✅ Create compliance policies before Conditional Access policies
✅ Test policies in report-only mode first
✅ Exclude emergency access accounts
✅ Use grace periods for better user experience
✅ Monitor and adjust policies regularly

You can establish a robust security posture that protects your organization while maintaining user productivity.

Remember: Conditional Access policies are powerful tools that can lock out users if misconfigured. Always test in report-only mode, exclude emergency access accounts, and coordinate user groups between Intune and Conditional Access policies.