Conditional Access Integration
Understanding the Concept
Conditional Access (CA) policies in Azure AD work with Intune device compliance to enforce Zero Trust access control. CA policies evaluate conditions (user, device, location, risk) and grant or block access to cloud applications based on those conditions.
Key CA policy configurations with Intune: Require device compliance (block non-compliant devices), Require approved client app, Require app protection policy (MAM), and Require device to be marked as compliant. These controls ensure only trusted devices access corporate resources.
Common CA scenarios include: block email access from non-compliant devices, require MFA from non-trusted locations, block legacy authentication, require compliant devices for SharePoint access, and restrict access to managed applications only.
Key Points
- CA policies: evaluate user, device, location, and risk conditions
- Require device compliance: only compliant devices access resources
- Require approved client app: restrict to managed applications
- Require app protection policy: ensure MAM policies are applied
- Block legacy authentication protocols that don't support modern auth
- Named locations for geographic-based access control
Why This Matters in Real Organizations
Conditional Access is the enforcement engine of Zero Trust. Without CA policies, compliance policies are informational only — users can still access corporate resources from non-compliant devices. CA makes compliance actionable.
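The point above can be checked mechanically. The following Python audit is an added example, not part of the original lesson: it reads policies in the Microsoft Graph conditionalAccessPolicy shape and reports where device compliance or the legacy authentication block is not actually enforced. The sample policies and function names are constructed for illustration, and the check looks only at policy state, client app types and grant controls, not at user or application scope.

```python
# Added example: audit Conditional Access policies in Microsoft Graph JSON shape.
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}  # clientAppTypes used by legacy auth

POLICIES = [  # constructed sample data, not from a real tenant
    {"displayName": "Require compliant device - Office 365",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
    {"displayName": "Block legacy authentication",
     "state": "enabled",
     "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Compliant device or MFA - SharePoint",
     "state": "enabled",
     "conditions": {"clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice", "mfa"]}},
]

def controls(policy):
    grant = policy.get("grantControls") or {}
    return set(grant.get("builtInControls", [])), grant.get("operator", "OR")

def enforces_compliance(policy):
    """True only if an enforced policy cannot be satisfied without a compliant device."""
    built_in, operator = controls(policy)
    if policy["state"] != "enabled" or "compliantDevice" not in built_in:
        return False
    return operator == "AND" or built_in == {"compliantDevice"}

def blocks_legacy_auth(policy):
    built_in, _ = controls(policy)
    clients = set(policy["conditions"].get("clientAppTypes", []))
    return policy["state"] == "enabled" and "block" in built_in and LEGACY_CLIENTS <= clients

def audit(policies):
    findings = []
    for p in policies:
        built_in, _ = controls(p)
        if p["state"] == "enabledForReportingButNotEnforced":
            findings.append((p["displayName"], "report-only: logged, not enforced"))
        elif p["state"] == "enabled" and "compliantDevice" in built_in and not enforces_compliance(p):
            findings.append((p["displayName"], "compliance optional: OR with other controls"))
    if not any(enforces_compliance(p) for p in policies):
        findings.append(("tenant", "no enforced policy requires a compliant device"))
    if not any(blocks_legacy_auth(p) for p in policies):
        findings.append(("tenant", "no enforced policy blocks legacy authentication"))
    return findings
```

Calling audit(POLICIES) on the sample returns three findings: the report-only policy, the policy where MFA alone satisfies the grant, and the resulting tenant-level gap for device compliance.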
Common Mistakes to Avoid
Interview Tips
- Explain the relationship between Intune compliance and Conditional Access
- Discuss your Zero Trust approach using CA policies
- Describe how you test and roll out CA policies safely
Exam Tips (MD-102)
- Know CA policy components: assignments, conditions, grant controls
- Understand device compliance requirement in CA
- Know the difference between require compliant device vs require app protection
- Understand report-only mode for CA policy testing