Hi,

yes, we use EMS E3 (Intune and AD P1). 

Can you please suggest how to make it work - Steps?

Ideanlly, we want to have a workflow like below.

- Have a policy in place that allows only Azure AD joined machines to access SharePoint Online.

- Only Admins can join machines to Azure AD.

Thanks,

If your machines are AAD joined or registered then you can create a condition access policy that defines the Who-What-How  and grants access for domain joined machines.

Who: What users do you want the policy to apply to or exclude

What: The services you wish for the policy to apply to

How: The method of accessing the service (app or web browser).

I hope that makes sense.

Hi,

Thanks for your reply.

The "Require domain joined" setting doesn't work. It seems it applies to On prem domain joined only.

I am trying to use compliance condition. However, I don't want users to auto enroll. Only admin should be able to enroll.

Thanks.

Hi Christopher,

SharePoint access control did the job! However, I still have following questions/doubts.

1. Why manually created conditional access policies were not working with same settings?

2. Now, since I have this in place & working. How can I restrict only the IT admins to have capability to join Azure AD? A user can still join his home PC to Azure AD and conditional policy will allow him to access SharePoint.

3. How will I make the same working for other apps? e.g. Exchange online.

Many thanks!