Forum Discussion
CA: Require compliant or hybrid Azure AD joined device
Hi john66571,
You're definitely on the right track with your Azure AD Conditional Access policy. Here is my summary (analysis) regarding your question; I hope it helps:
Excluding Certain Apps:
You're correct about excluding specific applications, such as Intune enrollment, from the policy. Since a device isn't compliant until it's enrolled, blocking such applications during the enrollment process might cause issues. Consider excluding these apps to ensure a smooth onboarding process.
Hybrid Azure AD Join Delay:
The delay you're experiencing with hybrid Azure AD join is expected. It may take some time for the device state to be updated in Azure AD after a device is hybrid joined.
Excluding Certain Accounts:
It's a good practice to exclude certain accounts, like cloud-only admins, from your Conditional Access policies. This prevents unnecessary restrictions on their access.
Setting the Policy to Report-Only:
To confirm your settings and understand the potential impact of the Conditional Access policies, you can initially set the policy to Report-only. This way, you can analyze the results and make necessary adjustments before enabling the policy.
Set up device-based Conditional Access policies with Intune - Microsoft Intune | Microsoft Learn
https://practical365.com/azure-active-directory-conditional-access-device-state
Require compliant, hybrid joined devices, or MFA - Microsoft Entra ID | Microsoft Learn
Require administrators use compliant or hybrid joined devices - Microsoft Entra ID | Microsoft Learn
Kindest regards,
Leon Pavesic
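The four points in the answer above expressed as a Microsoft Graph conditionalAccessPolicy body, with a pre-flight check for the lockout pitfalls it names. This is an added example, not code from the post or from Microsoft; the app and group IDs are constructed placeholders to be replaced with values from your own tenant.

```python
"""Build a Graph Conditional Access policy body that requires a compliant or
hybrid-joined device, then check it for the pitfalls discussed above."""
import json

# Constructed placeholders: replace with the real object IDs from your tenant.
INTUNE_ENROLLMENT_APP_ID = "<intune-enrollment-app-id>"    # app to exclude
CLOUD_ADMIN_GROUP_ID = "<cloud-only-admins-group-object-id>"  # accounts to exclude


def build_policy(state="enabledForReportingButNotEnforced"):
    """Return a dict shaped like the Graph conditionalAccessPolicy resource."""
    return {
        "displayName": "Require compliant or hybrid joined device",
        "state": state,  # report-only first; switch to "enabled" after review
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeGroups": [CLOUD_ADMIN_GROUP_ID]},
            "applications": {"includeApplications": ["All"],
                             "excludeApplications": [INTUNE_ENROLLMENT_APP_ID]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {
            "operator": "OR",  # either control satisfies the policy
            "builtInControls": ["compliantDevice", "domainJoinedDevice"],
        },
    }


def preflight(policy):
    """Return the list of problems that would block enrolment or lock admins out."""
    problems = []
    apps = policy["conditions"]["applications"]
    users = policy["conditions"]["users"]
    if ("All" in apps["includeApplications"]
            and INTUNE_ENROLLMENT_APP_ID not in apps.get("excludeApplications", [])):
        problems.append("Intune enrollment not excluded: new devices cannot enrol")
    if not users.get("excludeUsers") and not users.get("excludeGroups"):
        problems.append("no excluded admin accounts: lockout risk")
    if policy["state"] == "enabled":
        problems.append("state is 'enabled': review report-only results first")
    return problems


if __name__ == "__main__":
    body = build_policy()
    print(json.dumps(body, indent=2))  # body to POST to /identity/conditionalAccess/policies
    print(preflight(body))
```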