Aug 13 2024 10:32 AM
Hello,
I am testing conditional access controls for all of our corporate apps; in this case the scope is limited to MS365 apps, Slack and Google Workspace. The exact scenario I am trying to address is: when a non-compliant device (managed through Intune + compliance policies) attempts to access any corporate application, I want to restrict access until the device is compliant again.
I have created an AD Conditional Access policy that will "grant access" requiring one of the selected controls to be checked off as "device to be marked as compliant", and the Session condition is set to "Use Conditional Access App Control" with the drop-down on Use Custom Policy. I have an access policy in MCAS with the following conditions:
Device Tag != Intune Compliant
App - Manual Onboarding = M365, Google Cloud, Slack
If those conditions check off, then the action is set to Block and Alert. In my testing I was able to get these controls to work only for the M365 apps, but I am still able to access and use Google and Slack on the non-compliant device. Any feedback on whether I am doing anything wrong, or if this is a known limitation, would be great. Thanks!
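For reference, here is the Entra Conditional Access policy described in the post expressed through the Microsoft Graph PowerShell SDK, so that the "require compliant device" grant control and the "Use Conditional Access App Control (custom policy)" session control can be reviewed side by side. This is an added example and not the poster's own configuration. The application IDs for Slack and Google Workspace are placeholders (they are the app IDs of the enterprise applications registered in the tenant and must be looked up there), and the policy is created in report-only state so its effect on sign-ins can be checked in the sign-in logs before it is enforced.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph module
# and a session with the Policy.ReadWrite.ConditionalAccess scope.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Placeholder app IDs: replace with the appId of the Slack and Google Workspace
# enterprise applications in this tenant (Get-MgServicePrincipal -Filter "displayName eq 'Slack'").
$slackAppId  = "00000000-0000-0000-0000-00000000SLAK"   # placeholder
$googleAppId = "00000000-0000-0000-0000-0000000GOOGL"   # placeholder

$policy = @{
    displayName = "Require compliant device + CA App Control (M365, Slack, Google)"
    # Report-only first: sign-in logs show "Report-only: Failure/Success" without blocking anyone.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{
            # "Office365" is the built-in identifier for the Microsoft 365 app group.
            includeApplications = @("Office365", $slackAppId, $googleAppId)
        }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    # "Grant access, require one of the selected controls: device marked compliant"
    grantControls = @{
        operator         = "OR"
        builtInControls  = @("compliantDevice")
    }
    # "Session: Use Conditional Access App Control -> Use Custom Policy"
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled            = $true
            cloudAppSecurityType = "mcasConfigured"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

After the policy exists, filtering the Entra sign-in logs by the policy name shows, per app, whether the compliant-device grant control and the App Control session control were actually applied to a sign-in from the test device. That makes it possible to distinguish between the policy not matching the Slack and Google sign-ins at all (the apps are not evaluated by the policy) and the policy matching but the session control not being enforced, which is the first thing to establish before deciding whether the MCAS access policy itself is at fault.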
Aug 13 2024 10:52 AM