We have company Windows devices managed by Intune with a compliance policy. I want to prevent non-compliant devices from accessing any application, including all Microsoft cloud apps and third-party SaaS apps that we've configured to use AD SSO authentication.
I think I need a conditional access policy with:
- Cloud apps or actions > Include: "All cloud apps"
- Grant > Grant access: "Require device to be marked as compliant"
The things I'm unsure of are:
- whether this will block our third-party SaaS apps using SSO
- whether I need to exclude any apps from the policy to allow new devices to enroll with Intune or devices that become non-compliant to fix their compliance issue (e.g. Microsoft Defender up to date) and re-register as compliant.
Any advice would be much appreciated.
Thanks in advance.
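As an added example that is not part of the original post: the policy outlined above, created in report-only mode with the Microsoft Graph PowerShell SDK so the sign-in logs show what it would block before it is enforced. The break-glass group ID is a placeholder, and the excluded app IDs are the first-party Intune application IDs, which you should verify against the Enterprise applications blade in your own tenant.

```powershell
# Added example (not from the original post): Conditional Access policy that
# requires a compliant device for all cloud apps, built with the Microsoft Graph
# PowerShell SDK. Requires: Install-Module Microsoft.Graph.Identity.SignIns
# Placeholder: <break-glass-group-id>

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$params = @{
    displayName = "Require compliant device - all cloud apps"
    # Report-only: evaluate and log, but do not block. Change to "enabled" after
    # reviewing the sign-in log results.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        users = @{
            includeUsers  = @("All")
            # Exclude emergency-access accounts so a policy mistake cannot lock out admins.
            excludeGroups = @("<break-glass-group-id>")   # placeholder, replace with your group object ID
        }
        applications = @{
            includeApplications = @("All")
            # First-party Intune app IDs; excluding them lets a device enroll
            # and report compliance before it can satisfy the grant control.
            excludeApplications = @(
                "0000000a-0000-0000-c000-000000000000",  # Microsoft Intune
                "d4ebce55-015a-49b5-a083-c84d1797ae8c"   # Microsoft Intune Enrollment
            )
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}

# Create the policy and show the resulting object ID, name and state.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
$policy | Select-Object Id, DisplayName, State
```

After a few days in report-only mode, filter the Entra sign-in logs on this policy's result to confirm that only non-compliant devices would have been blocked, then switch the state to enabled.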