Intune compliance policies and Conditional Access

Combining Intune compliance with Conditional Access gives you device-aware access control — the heart of zero trust.

The combination of Intune compliance policies and Entra ID Conditional Access is the most important integration in the Microsoft 365 security stack. It's how a tenant moves from "anyone with the right password can access anything" to "only verified users on healthy devices can access sensitive apps."

Compliance policies

A compliance policy in Intune defines what "healthy" means for a device. Conditions vary by platform but typically include:

  • OS version at or above a minimum.
  • Disk encryption enabled (BitLocker on Windows, FileVault on Mac).
  • Defender for Endpoint risk score below a threshold.
  • Antivirus running and up to date.
  • No jailbreak/root.
  • Password / PIN required, with minimum complexity.
  • Boot integrity (Secure Boot, TPM).
  • Custom compliance via PowerShell or shell scripts evaluating arbitrary conditions.

When a device is evaluated, it reports its compliance state — Compliant, Not Compliant, In Grace Period, or Unknown — to Entra ID.

Conditional Access consumption

Conditional Access policies can then require a compliant device as a condition for granting access. The classic policy:

For all users, accessing Office 365, require MFA AND a compliant or hybrid-joined device.

The result:

  • A user with the right password but on an unenrolled or non-compliant device is blocked from Office 365.
  • A managed, compliant device sails through.
  • A managed but non-compliant device (e.g., disk encryption disabled, OS out of date) is blocked until remediated.

This is device-aware access control, and it's the heart of practical zero trust.

Grace periods and remediation

Compliance policies support a grace period — for example, 7 days after a device falls out of compliance before Conditional Access kicks in. This avoids the worst-case scenario where a single missed Windows Update locks the user out instantly.

When a user is blocked by non-compliance, the Company Portal app shows them a message explaining why and what to fix — usually a self-service action like updating the OS or turning on disk encryption.

Filters and exclusions

Conditional Access filters for devices add another dimension: target specific device groups (corporate-owned vs. personal, by platform, by manufacturer). This lets you write more nuanced policies — for example, "require MFA from personal devices, but allow corporate compliant devices to bypass MFA when on the corporate network."

Common configurations

  • Corporate managed Windows → require compliant device.
  • Corporate managed Mac/Linux → require compliant device.
  • Corporate iOS/Android → require compliant device.
  • Personal phones → require approved client app + app protection policy (not full compliance).
  • Unmanaged browsers → allow with restrictions (no download, no copy/paste from Office on the web).

Best practices

  • Roll out in Report-only mode first to see what would happen.
  • Have a break-glass account excluded from every policy.
  • Communicate clearly to users that compliance affects access.
  • Pair with Defender for Endpoint for richer health signals.
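The classic Office 365 policy and the best practices above, modelled as an added example (not Microsoft's code or an official engine): the two policy bodies follow the Graph conditionalAccessPolicy shape, and a toy evaluator assumes that every enabled policy applying to a sign-in must be satisfied and that a policy's operator (AND/OR) spans its built-in controls. The break-glass object id and the sign-in contexts are constructed placeholders.

```python
# Toy model of how Entra Conditional Access combines compliance-aware policies.
# Assumption: every enabled policy that applies to a sign-in must pass; inside one
# policy, operator AND/OR is applied across its builtInControls.

BREAK_GLASS = "00000000-0000-0000-0000-000000000001"  # placeholder object id

def office365_policy(name, state, controls):
    """Build a conditionalAccessPolicy body (Graph shape) scoped to Office 365."""
    return {"displayName": name, "state": state,
            "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS]},
                           "applications": {"includeApplications": ["Office365"]}},
            "grantControls": {"operator": "OR", "builtInControls": controls}}

# Two policies, not one: CA requires *every* applicable policy to pass, so
# "MFA" (policy 1) AND "compliant OR hybrid-joined" (policy 2) falls out of that.
# A single policy with operator "AND" over all three controls would instead demand
# a device that is both compliant and hybrid-joined, locking out cloud-only devices.
POLICIES = [
    office365_policy("Office 365: require MFA",
                     "enabledForReportingButNotEnforced", ["mfa"]),  # report-only first
    office365_policy("Office 365: require compliant or hybrid-joined device",
                     "enabled", ["compliantDevice", "domainJoinedDevice"]),
]

def control_satisfied(control, ctx):
    # A device still inside its grace period keeps its compliant status for CA,
    # so only "Not Compliant" / "Unknown" fail the compliantDevice control.
    return {"mfa": ctx["mfa"],
            "compliantDevice": ctx["device_state"] in ("Compliant", "In Grace Period"),
            "domainJoinedDevice": ctx["hybrid_joined"]}[control]

def evaluate(policies, ctx):
    """Return (decision, names of policies that failed) for one sign-in context."""
    enforced, reported = [], []
    for p in policies:
        users = p["conditions"]["users"]
        if ctx["user"] in users["excludeUsers"]:
            continue  # break-glass account is excluded from every policy
        if "All" not in users["includeUsers"] and ctx["user"] not in users["includeUsers"]:
            continue
        g = p["grantControls"]
        met = [control_satisfied(c, ctx) for c in g["builtInControls"]]
        if not (all(met) if g["operator"] == "AND" else any(met)):
            (enforced if p["state"] == "enabled" else reported).append(p["displayName"])
    if enforced:
        return "block", enforced
    if reported:  # report-only policies record what they would have done
        return "allow (report-only would have blocked)", reported
    return "allow", []
```

Run `evaluate(POLICIES, ctx)` with a context dict holding `user`, `mfa`, `device_state` and `hybrid_joined` to see which of the outcomes described above a given sign-in would get.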

Once this pattern is in place, identity and device together gate every Microsoft 365 sign-in. That's the practical foundation everything else is built on.