Forum Discussion
Preventing data leaks on non-managed Windows 10 devices
Conditional access is certainly preferred. There can be a lag before the device is considered compliant, so customers will often use a grace period to allow access until that happens. (I think the UI lets you specify a grace period in days, but it is possible to configure one in hours via Graph.)
On the Hybrid Azure AD Join point, if you aren't using ADFS the device will need to connect to the corporate network to locate the SCP that signals the Hybrid AADJ process is needed. After that, the device updates a property on the computer object in AD and then the device object is synced to AAD via AAD Connect (which runs every 30 minutes to do a sync). So this process can take a while. (If you are using ADFS, this can be nearly instantaneous.)
I'm not sure on the Teams/SharePoint items; it's probably best to open a case via the Intune "Help and support" node to discuss those further.
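The grace period mentioned above is stored on the compliance policy as a scheduled action whose `gracePeriodHours` value the Graph API takes in hours, while the portal only offers days. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes the Microsoft.Graph module is installed, that `Connect-MgGraph` has been run with the `DeviceManagementConfiguration.ReadWrite.All` scope, and that the `scheduleActionsForRules` action and `deviceComplianceActionItem` shape are as assumed here. The policy id is a placeholder, and nothing is sent unless `-Apply` is given, so the request body can be reviewed first.

```powershell
# Added example (not from the original thread). Sets the "mark device
# non-compliant" action of an Intune compliance policy to block after a grace
# period given in hours, which Graph accepts even though the portal UI only
# offers whole days. Assumes the Microsoft.Graph module and an existing
# Connect-MgGraph session with DeviceManagementConfiguration.ReadWrite.All.

function New-ComplianceGraceBody {
    param(
        [Parameter(Mandatory)][int]$GracePeriodHours,
        [string]$RuleName = ''   # empty string = the policy's default rule (assumption)
    )
    if ($GracePeriodHours -lt 0) { throw "Grace period must be >= 0 hours" }
    # One scheduled action: 'block' (mark non-compliant) after N hours.
    $body = @{
        deviceComplianceScheduledActionForRules = @(
            @{
                ruleName = $RuleName
                scheduledActionConfigurations = @(
                    @{
                        '@odata.type'             = '#microsoft.graph.deviceComplianceActionItem'
                        actionType                = 'block'
                        gracePeriodHours          = $GracePeriodHours
                        notificationTemplateId    = ''
                        notificationMessageCCList = @()
                    }
                )
            }
        )
    }
    return $body
}

function Set-ComplianceGracePeriod {
    param(
        [Parameter(Mandatory)][string]$PolicyId,
        [Parameter(Mandatory)][int]$GracePeriodHours,
        [switch]$Apply    # without -Apply, only show the request that would be sent
    )
    $body = New-ComplianceGraceBody -GracePeriodHours $GracePeriodHours
    # Endpoint assumed from the Graph deviceCompliancePolicy resource.
    $uri  = "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$PolicyId/scheduleActionsForRules"
    $json = $body | ConvertTo-Json -Depth 6
    Write-Host "POST $uri`n$json"
    if ($Apply) {
        Invoke-MgGraphRequest -Method POST -Uri $uri -Body $json -ContentType 'application/json'
    }
}

# Dry run: 12-hour grace period on a policy id copied from the portal (placeholder value).
Set-ComplianceGracePeriod -PolicyId '<compliance-policy-id>' -GracePeriodHours 12
```

Keep the grace period short: while it runs, a device that has not yet reported compliant still satisfies the "require compliant device" Conditional Access grant, so the window is effectively unmanaged access. Re-read the policy's `scheduledActionsForRule` afterwards to confirm the hour value took, since a later edit in the portal may round it back to whole days.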
heybobby, May 04, 2020, Copper Contributor
Thanks very much for your reply, Michael Niehaus. That's useful to know about the grace period option for Intune compliance. I'm having a bit of trouble finding how to configure this in hours using MS Graph, but I'll keep looking.
Re the Conditional Access issues affecting the usability of Teams: we raised the issues with Forms in tabs and SharePoint URLs in Teams with MS Support, and they pointed us to 2 known issues:
these could still be found at the Teams known issues site in Jan 2020 and Feb 2020 https://docs.microsoft.com/en-us/MicrosoftTeams/known-issues
This is a blocker in us getting going with Intune and Autopilot right now, as even in our limited rollout to one region it's caused a lot of helpdesk tickets.
Thanks,
Heybobby