Forum Discussion
Conditional Access Policy: Allow Only Devices Marked As Compliant to Access Office 365 Applications
Hi modernjc1987,
To achieve the goal of allowing only users with compliant devices to access Office 365 applications and the web version of Outlook, you can leverage Conditional Access policies in Entra ID along with Intune compliance policies.
Set Up Compliance Policies in Intune:
Define compliance policies in Microsoft Intune to evaluate the compliance status of devices. These policies can check various aspects of device security and configuration, such as device encryption, password requirements, OS version, etc.
Configure the compliance policies to mark devices as compliant or non-compliant based on the criteria you specify.
Refer to the Microsoft documentation for more information: https://learn.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started#integrate-with-conditional-access
Configure Conditional Access Policies:
Go to the Azure portal (https://entra.microsoft.com) and navigate to Entra ID Admin Center > Protection > Conditional Access.
Create a new Conditional Access policy.
For the "Users and groups" assignment, specify the users or groups to which the policy applies.
For "Cloud apps or actions", select the Office 365 applications (Outlook, SharePoint, OneDrive, Teams, etc.) that you want to protect.
In the "Conditions" section, add the condition "Device platform" and select "All platforms".
Add another condition and choose "Filter for devices". Set the syntax as "device.isCompliant -eq True".
Under Access controls, configure the policy to grant access.
Enable the policy and save your changes.
Test the Configuration:
Test the policy by signing in with a user account on a compliant device and on a non-compliant device.
Users with compliant devices should be able to access Office 365 applications and the web version of Outlook, while users with non-compliant devices should be blocked.
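The same policy scripted with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original answer: it targets the Office 365 app group on all platforms and expresses the compliance requirement with the built-in "Require device to be marked as compliant" grant control instead of a device filter, and it starts in report-only mode so sign-in logs can be reviewed before enforcement. The group and user IDs are placeholders.

```powershell
# Added example (not from the original post): creates the Conditional Access
# policy described in the thread with the Microsoft Graph PowerShell SDK
# instead of the portal. Requires the Microsoft.Graph.Identity.SignIns module.
# Assumptions (placeholders, not real tenant values):
#   - $PilotGroupId is the object ID of a pilot group the policy is scoped to.
#   - $BreakGlassUserId is the object ID of an emergency-access account to exclude.
$PilotGroupId     = "00000000-0000-0000-0000-000000000001"  # placeholder
$BreakGlassUserId = "00000000-0000-0000-0000-000000000002"  # placeholder

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$policy = @{
    displayName = "CA - Require compliant device for Office 365"
    # Report-only first: sign-in logs show which users/devices would have been
    # blocked without affecting anyone. Change to "enabled" after reviewing them.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeGroups = @($PilotGroupId)
            excludeUsers  = @($BreakGlassUserId)
        }
        applications = @{
            # "Office365" is the Graph identifier for the Office 365 app group
            # (Exchange Online incl. Outlook on the web, SharePoint, OneDrive, Teams).
            includeApplications = @("Office365")
        }
        clientAppTypes = @("all")
        platforms = @{
            # Matches the "Device platform = All platforms" condition in the answer.
            includePlatforms = @("all")
        }
    }
    grantControls = @{
        operator = "OR"
        # Built-in "Require device to be marked as compliant" control: devices
        # that Intune has not marked compliant fail this grant and are blocked.
        builtInControls = @("compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

After creation, check the Conditional Access sign-in log entries for the report-only result on both a compliant and a non-compliant device before switching the state to "enabled".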