When working with Intune and Conditional Access you need to use an administrator account to make any device compliant. However, is there any way to use a standard user once the device is registered in Azure and marked as compliant? I can only make it work with admin users.
I believe a hybrid environment is needed to accomplish this scenario. At the moment our on-premises infrastructure has zero connection to our 365 and Azure AD.
I'm forcing compliance on a few users; however, even if their Windows 10 machines are marked as compliant, these users will only be able to access their data if they're logged in with a local admin account. Otherwise access is denied and the device is detected as non-compliant.
They don't, we make the computers compliant manually and then hand it to the users (this hasn't been deployed yet, so we are still testing it).
To make the device compliant you need to use an administrator account; a regular user will not be able to go through the enrolment process to make the PC compliant. However, I do not want the end user to use a device with local admin rights. I can manually make a Windows 10 machine compliant with the Intune policies (making the machine Azure registered and Intune compliant). To do this you need a user with local admin rights.
Once the device is compliant, if I switch to a regular user's account with no local admin rights, it then fails to access data (e.g., logging into Office 365). If, however, I access the device with a user with local admin rights, I'll be able to access the data successfully.
We need to do this manually because our on-premises 2012 AD has absolutely no connection to our Azure AD.
If I may ask, do you work in a hybrid environment, on-premises, or a cloud solution (Azure)?