Conditional access, all cloud apps, device compliance


Hi,

We have company Windows devices managed by Intune with a compliance policy. I want to prevent non-compliant devices from accessing any application including all Microsoft cloud apps and third-party SaaS apps that we've configured to use AD SSO authentication.

I think I need a conditional access policy with:

  • Cloud apps or actions > Include: "All cloud apps" 
  • Grant > Grant access: "Require device to be marked as compliant"

The things I'm unsure of are:

  1. whether this will block our third-party SaaS apps using SSO
  2. whether I need to exclude any apps from the policy to allow new devices to enroll with Intune or devices that become non-compliant to fix their compliance issue (e.g. Microsoft Defender up to date) and re-register as compliant.

Any advice would be much appreciated.

Thanks in advance.

1 Reply
All cloud apps include third-party SaaS apps integrated with Azure AD. (Not all Microsoft apps are onboarded to CA policies; there are some microservices which it does not cover.)
You need to exclude Microsoft Intune Enrollment from this policy.
I suggest you go for deployment in a phased manner:

Phase 1 - Keep the policy in report-only mode and analyze the data, particularly who is blocked by this policy, and understand why.
Phase 2 - Enable the policy for a group of users (mostly your team members or IT staff).
Phase 3 - Enable the policy for a larger group.
Phase 4 - Enable for all.
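As an added example (not part of the original thread, and not Microsoft's code), the policy from the question and the reply's two recommendations expressed as Microsoft Graph `conditionalAccessPolicy` payloads, one per rollout phase, with a small offline evaluator that shows what each phase does to a few constructed sign-ins. The group object IDs and the third-party SaaS app ID are placeholders; the Microsoft Intune Enrollment app ID is the documented first-party value, but confirm it under Enterprise applications in your own tenant before using it.

```python
"""Conditional Access 'require compliant device for all cloud apps' policy,
modelled as Graph payloads per rollout phase, plus an offline evaluator.
Example code written for this thread; IDs marked as placeholders are constructed."""
import copy

# Documented first-party app ID for "Microsoft Intune Enrollment" (the app the
# reply says must be excluded so new devices can still enroll). Verify in your tenant.
INTUNE_ENROLLMENT_APP_ID = "d4ebce55-015a-49b5-a083-c84d1797ae8c"

# Placeholder IDs (constructed for this example, replace with your tenant's values).
PILOT_GROUP_ID = "00000000-0000-0000-0000-0000000000a1"   # IT staff pilot group
BROAD_GROUP_ID = "00000000-0000-0000-0000-0000000000b2"   # larger rollout group
SAAS_APP_ID = "11111111-2222-3333-4444-555555555555"      # an Entra-integrated SaaS app
M365_APP_ID = "22222222-3333-4444-5555-666666666666"      # a Microsoft cloud app

# The reply's four phases: report-only first, then pilot, broad group, everyone.
PHASES = {
    1: {"state": "enabledForReportingButNotEnforced", "users": {"includeUsers": ["All"]}},
    2: {"state": "enabled", "users": {"includeGroups": [PILOT_GROUP_ID]}},
    3: {"state": "enabled", "users": {"includeGroups": [BROAD_GROUP_ID]}},
    4: {"state": "enabled", "users": {"includeUsers": ["All"]}},
}


def build_policy(phase: int) -> dict:
    """Graph payload for POST /identity/conditionalAccess/policies at the given phase."""
    spec = PHASES[phase]
    return {
        "displayName": f"Require compliant device - all cloud apps (phase {phase})",
        "state": spec["state"],
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {
                # "All cloud apps" covers Microsoft apps and Entra-integrated SaaS apps.
                "includeApplications": ["All"],
                "excludeApplications": [INTUNE_ENROLLMENT_APP_ID],
            },
            "users": spec["users"],
        },
        # Grant > "Require device to be marked as compliant"
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    }


def check_policy(policy: dict) -> list:
    """Return issues that would lock devices out of remediation (per the reply)."""
    apps = policy["conditions"]["applications"]
    issues = []
    if "All" in apps["includeApplications"] and INTUNE_ENROLLMENT_APP_ID not in apps["excludeApplications"]:
        issues.append("Microsoft Intune Enrollment is not excluded: new devices cannot enroll to become compliant")
    return issues


def evaluate(policy: dict, signin: dict) -> str:
    """Approximate CA outcome for one sign-in.

    Returns 'notApplied', 'reportOnlySuccess', 'reportOnlyFailure', 'success' or 'failure',
    mirroring the result values shown in the Entra sign-in logs."""
    apps = policy["conditions"]["applications"]
    users = policy["conditions"]["users"]
    app_in_scope = ("All" in apps["includeApplications"] or signin["app_id"] in apps["includeApplications"]) \
        and signin["app_id"] not in apps["excludeApplications"]
    user_in_scope = "All" in users.get("includeUsers", []) \
        or bool(set(signin["groups"]) & set(users.get("includeGroups", [])))
    if not (app_in_scope and user_in_scope):
        return "notApplied"
    satisfied = signin["device_compliant"]
    if policy["state"] == "enabledForReportingButNotEnforced":
        return "reportOnlySuccess" if satisfied else "reportOnlyFailure"
    return "success" if satisfied else "failure"


# Constructed sign-ins that cover the two questions asked in the thread.
SIGNINS = {
    "saas_noncompliant_pilot": {"app_id": SAAS_APP_ID, "groups": [PILOT_GROUP_ID], "device_compliant": False},
    "saas_noncompliant_other": {"app_id": SAAS_APP_ID, "groups": [BROAD_GROUP_ID], "device_compliant": False},
    "enroll_noncompliant": {"app_id": INTUNE_ENROLLMENT_APP_ID, "groups": [], "device_compliant": False},
    "m365_compliant": {"app_id": M365_APP_ID, "groups": [], "device_compliant": True},
}


def policy_without_exclusion(phase: int) -> dict:
    """Same policy with the Intune Enrollment exclusion dropped, to show what check_policy catches."""
    policy = copy.deepcopy(build_policy(phase))
    policy["conditions"]["applications"]["excludeApplications"] = []
    return policy


if __name__ == "__main__":
    for phase in PHASES:
        policy = build_policy(phase)
        print(f"phase {phase} ({policy['state']}):")
        for name, signin in SIGNINS.items():
            print(f"  {name:28s} -> {evaluate(policy, signin)}")
    print("issues without exclusion:", check_policy(policy_without_exclusion(4)))
```

Running it shows the answer to question 1 directly: a third-party SaaS sign-in from a non-compliant device is `reportOnlyFailure` in phase 1 (logged, not blocked) and `failure` once enforced, while the same sign-in to Microsoft Intune Enrollment is `notApplied` in every phase because of the exclusion, which is what lets a non-compliant device enroll or re-register.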