Conditional Access Policy Help

nate009
New Contributor

Hi,

 

I am currently working on an Intune policy to block all non-compliant devices. I have created the policy and also created a conditional access policy.

The policies are applying BUT you can still access data from the corporate device.

Can you please tell me what I need to do to fix this?

 

The only condition I have is that the machine is marked as non-compliant; if the device is non-compliant, then the device is blocked.

 

Within Intune the device has been marked as non-compliant, but again the conditional access policy isn't working.

5 Replies

Hi @nate009,

 

What behaviour are you expecting when a device fails the conditional access check?

 

Have you defined what resources should be blocked when the policy is triggered?

 

Cheers,

Chris Jacob

@cjitsolutions Hi Chris, I have a very simple policy in place that marks the device as non-compliant if the OS is below a certain level.

 

I have tested this on iOS and Android and the devices are marked as non-compliant in Intune. From there I have logged into Azure and created a conditional access policy which looks for any device that is marked as non-compliant and blocks it. From my understanding this should stop the device from getting email etc., but the apps still work fine.

 

I'm very confused as to what I've done wrong.

@nate009 Hi Nate,

 

You may not have done anything wrong! 

 

My understanding is that you need to define, within the policy, what resources will be blocked when the policy is triggered:

 

https://docs.microsoft.com/en-us/intune/create-conditional-access-intune

 

So have you specified the o365 applications you want to block within the conditional access policy you have configured?

 

Cheers,

Chris Jacob

@cjitsolutions Hi Chris, I have specified that. I just chose Outlook and SharePoint as a test, but they are still working.

@nate009 

 

And I'm assuming you have set the 'Grant' option to 'Block access' with the 'Require device to be marked as compliant' box checked.

 

Also, have you set the policy to 'On'? By default it is 'Off', I believe.

 

Cheers,

Chris Jacob
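The three things Chris asks about across this thread (which cloud apps the policy targets, what the Grant control is, and whether the policy is switched On) can be checked mechanically against a policy exported from Microsoft Graph. The linter below is an added example written for this page, not code from the thread or from Microsoft. It uses the real Graph `conditionalAccessPolicy` property names (`conditions.applications.includeApplications`, `grantControls.builtInControls`, `state`), but both policy documents are constructed samples: the first reproduces the gaps the thread describes, the second closes them. The `Office365` app-group value and the `compliantDevice` and `block` built-in controls are real Graph values.

```python
import json

# Constructed sample, not an export from the thread's tenant. The field names are
# Microsoft Graph conditionalAccessPolicy properties; the values are made up to
# reproduce the misconfiguration discussed in the thread: no cloud apps targeted,
# no grant control, and the policy left Off ('disabled').
POLICY_AS_POSTED = json.loads("""
{
  "displayName": "Block non-compliant devices",
  "state": "disabled",
  "conditions": {
    "users": {"includeUsers": ["All"], "excludeUsers": []},
    "applications": {"includeApplications": [], "excludeApplications": []},
    "platforms": {"includePlatforms": ["iOS", "android"], "excludePlatforms": []}
  },
  "grantControls": null
}
""")

# Constructed sample with the gaps closed: the Office 365 app group is targeted,
# access is granted only to devices marked compliant, and the policy is On.
POLICY_FIXED = {
    "displayName": "Block non-compliant devices",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": []},
        "applications": {"includeApplications": ["Office365"], "excludeApplications": []},
        "platforms": {"includePlatforms": ["iOS", "android"], "excludePlatforms": []},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
}


def lint_compliance_policy(policy: dict) -> list[str]:
    """Return the reasons a Conditional Access policy meant to keep non-compliant
    devices out of corporate data would not do so. Empty list means all checks pass."""
    findings: list[str] = []
    conditions = policy.get("conditions") or {}

    # 1. Assignments: a policy that targets no users or no cloud apps matches no sign-in,
    #    so it can never block anything even though it shows as applied.
    users = (conditions.get("users") or {}).get("includeUsers") or []
    if not users:
        findings.append("no users or groups assigned: conditions.users.includeUsers is empty")
    apps = (conditions.get("applications") or {}).get("includeApplications") or []
    if not apps:
        findings.append("no cloud apps targeted: conditions.applications.includeApplications is empty")

    # 2. Grant controls: 'compliantDevice' is the control that turns Intune compliance
    #    into an access decision (compliant devices pass, all others are denied).
    #    'block' denies every sign-in that matches the conditions, compliant or not.
    controls = set((policy.get("grantControls") or {}).get("builtInControls") or [])
    if "block" in controls:
        findings.append(
            "grant is 'block': every matching sign-in is denied regardless of compliance; "
            "use 'compliantDevice' to block only non-compliant devices"
        )
    elif "compliantDevice" not in controls:
        findings.append("grant does not require a compliant device: builtInControls lacks 'compliantDevice'")

    # 3. State: 'disabled' (Off in the portal) and 'enabledForReportingButNotEnforced'
    #    (report-only) both evaluate but never block.
    state = policy.get("state")
    if state != "enabled":
        findings.append(f"policy state is {state!r}, not 'enabled': nothing is enforced")
    return findings


if __name__ == "__main__":
    for name, pol in (("as posted", POLICY_AS_POSTED), ("fixed", POLICY_FIXED)):
        print(f"{name}: {lint_compliance_policy(pol) or ['OK']}")
```

Run against a real export (for example the JSON returned by the Graph `conditionalAccessPolicies` endpoint), the same three findings map directly onto the symptoms in the thread: a policy that is applied but targets no apps, has no grant control, or is still Off lets the non-compliant device keep reading mail and SharePoint as if no policy existed.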
