Thank you for joining us at the AVASOFT + Microsoft Tech Summit 2024!
Join us at the AVASOFT + Microsoft Tech Summit 2024 on Sep 12 | Microsoft Technology Center | Malvern, PA

Device enrollment using conditional access with Intune


Ensuring that the devices accessing your organization’s resources are managed and compliant is more important than ever. Conditional Access is a Microsoft Entra ID feature; Microsoft Intune supplies the device compliance signal it evaluates. Together they safeguard your applications and services by allowing sign-in only from devices that meet your security standards. This article provides a step-by-step guide to requiring Intune enrollment and compliance through a Conditional Access policy.

The power of device-based conditional access

Conditional Access evaluates signals such as the user, the application, the location and the state of the device at sign-in, before granting access to organizational apps and services. When a policy requires a compliant device, Entra ID checks the compliance state that Intune has reported for that device against your Intune device compliance policies. A device that is not enrolled in Intune has no compliance state at all and is treated as non-compliant, so the policy effectively requires enrollment as well as compliance. This device-based Conditional Access approach keeps sensitive data off unmanaged and unpatched devices.

In addition to device-based policies, Intune also offers app-based Conditional Access (the Require app protection policy grant control), which allows access from an approved, policy-protected app without requiring the whole device to be enrolled. You can configure both kinds of policy from the Intune admin center under Endpoint security > Conditional access; this is the same policy engine you would find in the Microsoft Entra admin center, not a separate copy.

Prerequisites for setting up conditional access

Before configuring Conditional Access, ensure that your organization has established Intune device compliance policies. These policies will evaluate whether devices meet specific requirements, such as password strength, encryption status, and OS version. For detailed guidance on setting up these compliance policies, refer to the official documentation on getting started with device compliance policies in Intune.

To create a device-based Conditional Access policy, your account must hold one of the following roles in Microsoft Entra ID:

  • Security administrator
  • Conditional Access administrator

Steps to create a device-based conditional access policy

  1. Sign in to the Intune Admin Center
    Begin by logging into the Microsoft Intune admin center.
  2. Navigate to Conditional Access
    Select Endpoint security > Conditional access > Create new policy to start a new Conditional Access policy.
  3. Configure the Policy
    The New pane opens with the configuration options for your Conditional Access policy.
    Assignments: Under Users, select the identities in your directory to which the policy applies. You can include or exclude specific users or groups as needed. Test the policy against a small pilot group first to confirm it behaves as intended before widening the assignment.
  4. Target Resources
    Next, specify the resources the policy protects by selecting Cloud apps. Use the Include tab to pick the apps and services you want to protect. Be cautious with All cloud apps: exclude at least one emergency access (break-glass) account from the policy so that a misconfiguration cannot lock every administrator out of the admin portals themselves.
  5. Set Conditions
    Configure the Conditions section by selecting the signals the policy should consider. Options include user risk, sign-in risk, device platforms, locations, client apps, and device filters. Limit device platforms to those Intune actually manages in your tenant, since a platform with no compliance policy can never be marked compliant.
  6. Access Controls
    Under Access controls, select Grant and choose Require device to be marked as compliant. This is the control that ties the policy to Intune: an unenrolled device has no compliance state and is treated as non-compliant, so users on such devices are prompted to enroll. You can combine it with additional requirements, such as multifactor authentication or a password change.
  7. Enable the Policy
    Under Enable policy, a new policy defaults to Report-only, which records in the sign-in logs what the policy would have done without enforcing anything. Leave it in Report-only until those results look right, then switch it to On.
  8. Create the Policy
    Click Create to save your Conditional Access policy.
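The same policy can be defined as code with the Microsoft Graph PowerShell SDK, which makes the assignment, grant control and state reviewable and repeatable across tenants. The script below is an added example, not code from the original article or from AVASOFT; it assumes a pilot group named "CA-Pilot-Users", a break-glass account "breakglass@contoso.com" and the policy name "Require compliant device - pilot", all of which are placeholders, and that the Microsoft.Graph module is installed.

```powershell
# Added example (not from the article): builds the device-based Conditional Access
# policy from steps 1-8 through Microsoft Graph instead of the admin center.
# Assumptions (placeholders, not from the article): group "CA-Pilot-Users",
# break-glass account "breakglass@contoso.com", policy name below.
# Requires: Install-Module Microsoft.Graph -Scope CurrentUser

# Step 1: sign in with the scopes needed to read users/groups and write CA policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "Application.Read.All", "Group.Read.All", "User.Read.All"

# Step 3 (Assignments): resolve the pilot group and the account that must never be locked out.
$pilotGroup = Get-MgGroup -Filter "displayName eq 'CA-Pilot-Users'"
$breakGlass = Get-MgUser  -Filter "userPrincipalName eq 'breakglass@contoso.com'"
if (-not $pilotGroup -or -not $breakGlass) {
    throw "Pilot group or break-glass account not found; refusing to create the policy."
}

$policy = @{
    displayName = "Require compliant device - pilot"
    # Step 7: start in report-only so the sign-in logs show the impact before enforcement.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeGroups = @($pilotGroup.Id)
            excludeUsers  = @($breakGlass.Id)      # step 4 caveat: keep a way back in
        }
        # Step 4 (Target resources): every cloud app in the tenant.
        applications   = @{ includeApplications = @("All") }
        # Step 5 (Conditions): only platforms Intune can evaluate for compliance.
        platforms      = @{ includePlatforms = @("windows", "macOS", "iOS", "android") }
        clientAppTypes = @("all")
    }
    # Step 6 (Access controls > Grant): require the device to be marked compliant.
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}

# Step 8: create the policy and show what Entra ID stored.
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# After reviewing report-only results in the sign-in logs, enforce it (step 7's final state):
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State "enabled"
```

Keeping the exclusion for the emergency access account in the definition itself, and throwing when it cannot be resolved, means a re-run in a new tenant cannot silently produce a policy that locks out every administrator. The final `Update-MgIdentityConditionalAccessPolicy` call is left commented so that switching from report-only to enforced remains a deliberate step.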

Conclusion

Implementing device enrollment using Conditional Access with Intune is a powerful strategy to enhance your organization’s security posture. By ensuring that only compliant devices can access critical applications and services, you protect sensitive data from unauthorized access. As a Microsoft partner, AVASOFT is committed to helping organizations navigate these technologies, providing support and expertise to enhance your security and compliance strategies effectively.

 
