Rollout Conditional Access with device state and application compliance controls

Implementation Effort: High – Requires policy setup and integration with Intune. User Impact: High – Users may need to enroll devices or use compliant apps.

Overview

Rolling out Conditional Access with device state and application compliance controls ensures that only managed and compliant devices or protected apps can access corporate resources. This aligns with the Zero Trust principles of Verify Explicitly—access decisions are based on real-time signals from device compliance and app protection policies—and Use Least Privilege Access by limiting access to trusted endpoints. Device compliance is evaluated using Microsoft Intune, while app compliance can be enforced through app protection policies or management requirements. Without this enforcement, threat actors can use unmanaged, jailbroken or compromised devices and unsanctioned apps to exfiltrate sensitive data or persist in the environment without detection.

Reference

• Use Conditional Access with Microsoft Intune compliance policies
• Set up device-based Conditional Access policies with Intune
• App protection policies overview
• Use app-based Conditional Access policies with Intune
• Grant controls in Conditional Access policy
• Manage device identities in Microsoft Entra