This is something I want to use, however I am hitting some problems with our Conditional Access policies that require compliance as reported by Intune. Unfortunately it seems that the Conditional Access policy is being assessed for both the client making the Bastion connection AND the server. Since Windows Servers can't be enrolled in Intune there is no way they can be assessed as compliant, so the connection fails. If I exclude the account from the Conditional Access policy that requires compliance I am able to log in to the Azure VM, but that isn't a viable solution.
I thought I could exclude Azure Bastion and Azure Windows VM Sign-In from the CA policy, but you can't exclude apps from policies if you are using "All cloud resources", and selecting all the apps except for Bastion and Sign-In isn't very sustainable, especially since Microsoft could well add additional apps in the future which would not be protected by Conditional Access.
I'm rather stuck now. Is this feature incompatible with Conditional Access policies like mine?