How to Set Up Conditional Access with Microsoft Intune

Configure Conditional Access policies with Intune device compliance. Learn to require compliant devices for Microsoft 365 and cloud app access.

18 min read. Updated January 2025


Conditional Access with Microsoft Intune creates a powerful Zero Trust security model, ensuring that only trusted users on compliant devices can access your organization's cloud resources. This guide covers configuring Conditional Access policies that leverage Intune device compliance to protect Microsoft 365 and other cloud applications.

Overview

Conditional Access acts as the decision engine that evaluates multiple signals before granting access:

User Request → Conditional Access Evaluates:
├── User identity (who is requesting?)
├── Device compliance (is the device secure?)
├── Location (where is the request from?)
├── Application (what are they accessing?)
├── Risk level (are there suspicious signals?)
└── Grant/Block Decision
Signal            | Description                     | Example
------------------|---------------------------------|----------------------------------
User/Group        | Identity making the request     | All users, specific groups
Device compliance | Intune compliance status        | Compliant / Non-compliant
Location          | Geographic or network location  | Corporate network, trusted IPs
Application       | Target cloud app                | Microsoft 365, Salesforce
Device platform   | Operating system                | Windows, macOS, iOS, Android
Sign-in risk      | Real-time risk detection        | Low, Medium, High
User risk         | Historical risk indicators      | Leaked credentials detected

Prerequisites

Before configuring Conditional Access with Intune:

Licensing Requirements:

  • Microsoft Intune license
  • Microsoft Entra ID P1, formerly Azure AD Premium P1 (minimum) - included with Microsoft 365 E3 and Business Premium
  • Microsoft Entra ID P2, formerly Azure AD Premium P2 (for risk-based policies) - included with Microsoft 365 E5

Administrative Access:

  • Global Administrator, Security Administrator, or Conditional Access Administrator role
  • Intune Administrator role (for compliance policies)

Technical Requirements:

  • Devices enrolled in Microsoft Intune
  • Compliance policies configured and assigned
  • Windows devices Azure AD joined or hybrid Azure AD joined (Azure AD registered devices also satisfy the compliant-device control, but not the hybrid join control)
  • Company Portal installed (for mobile devices)

Recommended Preparation:

  • Create emergency access ("break glass") accounts
  • Configure Intune compliance policies
  • Document current access patterns
  • Identify pilot user group

Step 1: Verify Intune Compliance Policies

Before creating Conditional Access policies, ensure compliance policies are in place.

Review Existing Compliance Policies

  1. Sign in to the Microsoft Intune admin center: https://intune.microsoft.com

  2. Navigate to Devices > Compliance > Policies

  3. Verify you have policies for each platform:

    • Windows 10 and later
    • macOS
    • iOS/iPadOS
    • Android Enterprise
  4. Click on each policy to verify:

    • Assignments: Appropriate groups targeted
    • Compliance status: View how many devices are compliant

Verify Device Compliance Status

  1. Navigate to Devices > All devices

  2. Review the Compliance column:

    • Compliant: Device meets all requirements
    • Not compliant: Device fails one or more requirements
    • In grace period: Device has time to remediate
    • Not evaluated: No policy assigned
  3. Address compliance issues before enabling Conditional Access:

    • Click on non-compliant devices
    • Review Device compliance > Per-setting status
    • Help users remediate issues
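The review in Step 1 is faster as a script. The following is an added example, not code from the original article: it pulls the Intune device inventory through the Microsoft Graph PowerShell SDK, shows compliance state per platform, lists the devices a "Require device to be marked as compliant" grant would block, and separates stale enrollments from devices that actually need remediation. It assumes the Microsoft.Graph module is installed and the signed-in admin holds DeviceManagementManagedDevices.Read.All; the 30-day staleness threshold is an assumption.

```powershell
# Added example (not from the original article): compliance inventory before
# any Conditional Access policy is created.
# Assumptions: Microsoft.Graph module installed; the caller has the
# DeviceManagementManagedDevices.Read.All permission; 30 days is an assumed
# staleness threshold, adjust to your environment.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All" -NoWelcome

$devices = Get-MgDeviceManagementManagedDevice -All

"== Compliance state by platform =="
$devices | Group-Object OperatingSystem, ComplianceState | Sort-Object Name |
    Select-Object Count, Name | Format-Table -AutoSize

# Anything that is not "compliant" (noncompliant, inGracePeriod, unknown,
# error, conflict) fails the compliant-device grant control.
$blocked = @($devices | Where-Object { $_.ComplianceState -ne "compliant" } |
    Select-Object DeviceName, UserPrincipalName, OperatingSystem, OSVersion, ComplianceState,
                  @{ n = "DaysSinceSync"; e = { [int]((Get-Date) - $_.LastSyncDateTime).TotalDays } })

"== Would be blocked: $($blocked.Count) of $($devices.Count) devices =="
$blocked | Sort-Object DaysSinceSync -Descending | Format-Table -AutoSize

# A device that has not checked in for weeks reports stale state; it is a
# retirement / re-enrollment candidate, not a helpdesk remediation ticket.
$stale  = @($blocked | Where-Object DaysSinceSync -ge 30)
$active = @($blocked | Where-Object DaysSinceSync -lt 30)
"Stale (retire or re-enroll): $($stale.Count)   Active (remediate): $($active.Count)"

# Who owns the active problem devices, so remediation can be assigned.
$active | Group-Object UserPrincipalName | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run this again after remediation and compare the "Would be blocked" count with the report-only failures you see in Step 6; the two numbers should converge before a compliant-device policy is enforced.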

Step 2: Create Emergency Access Accounts

Emergency access accounts ensure you can access Azure AD if Conditional Access misconfiguration locks out administrators.

Configure Break Glass Accounts

  1. Navigate to Azure portal: https://portal.azure.com

  2. Go to Azure Active Directory > Users > New user

  3. Create two emergency access accounts:

Setting  | Account 1                      | Account 2
---------|--------------------------------|--------------------------------
Username | [email protected]              | [email protected]
Name     | Emergency Access 1             | Emergency Access 2
Password | Strong, unique, 20+ characters | Strong, unique, 20+ characters
Roles    | Global Administrator           | Global Administrator
  4. Important configurations:

    • Make them cloud-only accounts on the default .onmicrosoft.com domain, not synced from on-premises AD and not federated, so an on-premises or federation outage cannot take them down too
    • Assign Global Administrator permanently rather than as an eligible PIM assignment; activation must not depend on another service working
    • Exclude them from every Conditional Access policy, including any policy that enforces MFA and could lock them out. If you still enforce MFA on them, use a phishing-resistant method such as FIDO2 security keys stored with the credentials, never a phone number or an individual's authenticator app
    • Store credentials in separate secure locations (physical safes at different sites)
    • Do not use these accounts for daily operations
    • Monitor sign-in logs and alert on any use of these accounts
  5. Create an Azure AD group for emergency accounts:

    • Name: "Emergency Access Accounts"
    • Add both break glass accounts
    • This group will be excluded from all Conditional Access policies

Step 3: Configure Named Locations

Named locations define trusted networks that may have different access requirements.

Create Trusted Network Locations

  1. Navigate to Microsoft Entra admin center: https://entra.microsoft.com

  2. Go to Protection > Conditional Access > Named locations

  3. Click IP ranges location to create a trusted location:

Setting                  | Value
-------------------------|---------------------------------------------
Name                     | Corporate Headquarters
Mark as trusted location | Yes
IP ranges                | Add your corporate IP ranges (CIDR notation)

Example IP ranges:

  • 203.0.113.0/24 (Corporate office)
  • 198.51.100.0/24 (Branch office)
  4. Click Create

  2. Repeat for additional locations (branch offices, VPN exit points)

Create Country-Based Locations

  1. Click Countries location

  2. Configure:

    • Name: "Allowed Countries"
    • Determine location by: IP address (the default; GPS coordinates from Microsoft Authenticator is the alternative)
    • Select allowed countries/regions
    • Include unknown countries/regions: decide deliberately. When this location is the exclusion from a block policy, leaving it unchecked means a sign-in whose IP cannot be mapped to a country is blocked; review those sign-ins in report-only mode before choosing
  3. Click Create

This can be used to block access from unexpected countries. Treat it as a noise filter rather than a security boundary: an attacker can route through a VPN exit in an allowed country.
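The same two named locations, created through the Graph API instead of the portal. This is an added example and not code from the original article; it assumes the Microsoft.Graph PowerShell module, an admin with Policy.ReadWrite.ConditionalAccess, and uses the RFC 5737 documentation ranges and a placeholder country list that you would replace with your own.

```powershell
# Added example (not from the original article): create the Step 3 named
# locations via Microsoft Graph.
# Assumptions: Microsoft.Graph module; Policy.ReadWrite.ConditionalAccess;
# IP ranges are RFC 5737 documentation ranges and the country list is a
# placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" -NoWelcome

$base = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations"

# Trusted IP location. isTrusted is what "Mark as trusted location" sets.
$corpNet = @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate Headquarters"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }   # corporate office
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "198.51.100.0/24" }  # branch office
    )
}

# Country location. includeUnknownCountriesAndRegions = $false means a sign-in
# whose IP cannot be mapped to a country is NOT part of this location, so a
# block policy that excludes this location will still block it.
$allowedCountries = @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Allowed Countries"
    countriesAndRegions               = @("US", "CA", "GB")   # ISO 3166-1 alpha-2; placeholder list
    countryLookupMethod               = "clientIpAddress"     # the portal's "IP address" option
    includeUnknownCountriesAndRegions = $false
}

$existing = (Invoke-MgGraphRequest -Method GET -Uri $base -OutputType PSObject).value

foreach ($loc in @($corpNet, $allowedCountries)) {
    # Idempotent: re-running the script must not create duplicate locations,
    # because policies reference locations by ID.
    $match = $existing | Where-Object displayName -eq $loc.displayName
    if ($match) {
        Write-Host "Named location '$($loc.displayName)' already exists: $($match.id)"
        continue
    }
    $created = Invoke-MgGraphRequest -Method POST -Uri $base -Body $loc -OutputType PSObject
    Write-Host "Created '$($created.displayName)' with id $($created.id)"
}
```

The IDs printed here are what a policy's location condition references (`includeLocations` / `excludeLocations`), so keep them with your policy documentation.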

Step 4: Create Conditional Access Policies

Create policies that require device compliance for accessing cloud resources.

Policy 1: Require Compliant Device for Microsoft 365

This fundamental policy ensures only compliant devices access Microsoft 365.

  1. Navigate to Protection > Conditional Access > Policies

  2. Click New policy

  3. Name: "CA001 - Require Compliant Device for Microsoft 365"

Configure Users:

  1. Under Users, click 0 users and groups selected
    • Select All users
    • Under Exclude, click Users and groups
    • Select your "Emergency Access Accounts" group
    • (Optional) Exclude service accounts that need special handling

Configure Target Resources:

  1. Under Target resources, click No target resources selected
    • Select Cloud apps
    • Choose Select apps
    • Search for and select:
      • Office 365
      • (Or select individual apps: Exchange Online, SharePoint Online, Teams)
    • Click Select

Configure Conditions:

  1. Under Conditions, optionally configure:

    Device platforms:

    • Configure: Yes
    • Include: All platforms (or select specific platforms)

    Locations:

    • Configure: No. Excluding trusted locations from this policy would let an unmanaged device on the office network through; being on the corporate network is not a device control

    Client apps:

    • Configure: Yes
    • Select: Browser, Mobile apps and desktop clients
    • (Consider blocking legacy authentication separately)

Configure Access Controls:

  1. Under Grant, click 0 controls selected
    • Select Grant access
    • Check Require device to be marked as compliant
    • Check Require multifactor authentication (recommended)
    • For multiple controls: Require all the selected controls
    • Click Select

Enable Policy:

  1. Under Enable policy, select Report-only (always start here)

  2. Click Create

Policy 2: Require MFA from Non-Trusted Locations

Additional protection for access from outside the corporate network.

  1. Click New policy

  2. Name: "CA002 - Require MFA from Untrusted Locations"

Configure Users:

  • All users
  • Exclude: Emergency Access Accounts

Configure Target Resources:

  • All cloud apps

Configure Conditions:

  • Locations:
    • Configure: Yes
    • Include: Any location
    • Exclude: Select trusted locations (Corporate Headquarters, etc.)

Configure Access Controls:

  • Grant:
    • Grant access
    • Require multifactor authentication

Enable: Report-only initially

Policy 3: Block Legacy Authentication

Block protocols that don't support modern authentication.

  1. Click New policy

  2. Name: "CA003 - Block Legacy Authentication"

Configure Users:

  • All users
  • Exclude: Emergency Access Accounts
  • Exclude service accounts that still need legacy authentication only as a documented, time-boxed exception. Basic authentication in Exchange Online has already been retired (SMTP AUTH excepted), and excluded accounts are exactly what password-spray campaigns look for on the legacy endpoints

Configure Target Resources:

  • All cloud apps

Configure Conditions:

  • Client apps:
    • Configure: Yes
    • Select only:
      • Exchange ActiveSync clients
      • Other clients

Configure Access Controls:

  • Block: Block access

Enable: Report-only, then enable after verification

Policy 4: Require Compliant or Hybrid Azure AD Joined Device

For organizations with hybrid Azure AD environments.

  1. Click New policy

  2. Name: "CA004 - Require Compliant or Hybrid Azure AD Join"

Configure Users:

  • All users
  • Exclude: Emergency Access Accounts

Configure Target Resources:

  • Select sensitive applications (custom LOB apps, Azure Management)

Configure Conditions:

  • Device platforms:
    • Configure: Yes
    • Include: Windows

Configure Access Controls:

  • Grant:
    • Grant access
    • Require device to be marked as compliant
    • Require hybrid Azure AD joined device
    • For multiple controls: Require one of the selected controls

Enable: Report-only initially

Policy 5: Block Access from High-Risk Countries

Block access from countries where your organization doesn't operate.

  1. Click New policy

  2. Name: "CA005 - Block High-Risk Countries"

Configure Users:

  • All users
  • Exclude: Emergency Access Accounts; for travelers use a group with time-limited membership (an access package or PIM for Groups) rather than a standing exclusion, which is a permanent bypass

Configure Target Resources:

  • All cloud apps

Configure Conditions:

  • Locations:
    • Configure: Yes
    • Include: Any location
    • Exclude: "Allowed Countries" named location

Configure Access Controls:

  • Block: Block access

Enable: Report-only, review sign-in logs carefully before enabling
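Policies 1 and 3 above, created through the Graph API with the same settings and in report-only mode. This is an added example rather than code from the original article. It assumes the Microsoft.Graph module, Policy.ReadWrite.ConditionalAccess and Group.Read.All permissions, and that the "Emergency Access Accounts" group from Step 2 exists; `Office365` is the Graph identifier for the portal's "Office 365" app group.

```powershell
# Added example (not from the original article): create CA001 and CA003 via
# Microsoft Graph, both in report-only mode, with two guard rails that the
# portal does not enforce for you.
# Assumptions: Microsoft.Graph module; Policy.ReadWrite.ConditionalAccess and
# Group.Read.All; the break-glass group from Step 2 exists under that name.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All" -NoWelcome

$breakGlassGroupId = (Get-MgGroup -Filter "displayName eq 'Emergency Access Accounts'").Id
if (-not $breakGlassGroupId) { throw "Emergency access group not found; create it before any policy." }

$policies = @(
    @{
        displayName = "CA001 - Require Compliant Device for Microsoft 365"
        state       = "enabledForReportingButNotEnforced"   # report-only; "enabled" enforces
        conditions  = @{
            users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
            applications   = @{ includeApplications = @("Office365") }   # the "Office 365" app group
            platforms      = @{ includePlatforms = @("all") }
            clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
        }
        grantControls = @{ operator = "AND"; builtInControls = @("compliantDevice", "mfa") }
    },
    @{
        displayName = "CA003 - Block Legacy Authentication"
        state       = "enabledForReportingButNotEnforced"
        conditions  = @{
            users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("exchangeActiveSync", "other")   # legacy protocols only
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    }
)

$uri = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
$existingNames = (Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject).value.displayName

foreach ($p in $policies) {
    # Guard rails: never create a policy without the break-glass exclusion,
    # and never create one that starts enforced.
    if ($p.conditions.users.excludeGroups -notcontains $breakGlassGroupId) {
        throw "$($p.displayName) is missing the emergency access exclusion"
    }
    if ($p.state -eq "enabled") { throw "$($p.displayName) must start in report-only" }
    if ($existingNames -contains $p.displayName) {
        Write-Host "Skipping existing policy $($p.displayName)"
        continue
    }
    $created = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $p -OutputType PSObject
    Write-Host "Created $($created.displayName) [$($created.state)] id=$($created.id)"
}
```

Keeping policies as code like this also gives you a diffable record of every exclusion, which is what the monthly exclusion audit in the Best Practices section needs.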

Step 5: Configure Risk-Based Policies (Azure AD P2)

If you have Azure AD Premium P2, leverage Identity Protection for risk-based policies.

Configure Sign-in Risk Policy

Respond to risky sign-in attempts in real-time.

  1. The older policies under Protection > Identity Protection > Sign-in risk policy and User risk policy still exist, but Microsoft recommends building risk-based policies in Conditional Access instead, where they get report-only mode, exclusions and the same sign-in log reporting as every other policy. The steps below use Conditional Access:

  2. Click New policy

  3. Name: "CA006 - Require MFA for Medium+ Sign-in Risk"

Configure Users:

  • All users
  • Exclude: Emergency Access Accounts

Configure Target Resources:

  • All cloud apps

Configure Conditions:

  • Sign-in risk:
    • Configure: Yes
    • Select: Medium, High

Configure Access Controls:

  • Grant:
    • Grant access
    • Require multifactor authentication

Enable: Report-only initially

Configure User Risk Policy

Respond to compromised user accounts.

  1. Click New policy

  2. Name: "CA007 - Require Secure Password Change for High User Risk"

Configure Users:

  • All users
  • Exclude: Emergency Access Accounts

Configure Target Resources:

  • All cloud apps

Configure Conditions:

  • User risk:
    • Configure: Yes
    • Select: High

Configure Access Controls:

  • Grant:
    • Grant access
    • Require multifactor authentication
    • Require password change
    • For multiple controls: Require all the selected controls

Enable: Report-only initially

The password change is a self-service reset, so users must be registered for MFA and for self-service password reset, and password writeback must be enabled for hybrid accounts. Without those, a high user-risk detection becomes a lockout instead of a remediation.
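Both risk-based policies created via Graph, followed by a look at the users the user-risk policy would currently act on. This is an added example, not code from the article; it needs Entra ID P2, the Microsoft.Graph module, the Policy.ReadWrite.ConditionalAccess, Group.Read.All and IdentityRiskyUser.Read.All permissions, and the break-glass group from Step 2.

```powershell
# Added example (not from the original article): CA006 and CA007 via Graph,
# then a preview of the currently high-risk users that CA007 would force
# through a password change.
# Assumptions: Entra ID P2; Microsoft.Graph module; the listed scopes; the
# "Emergency Access Accounts" group exists.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All", "IdentityRiskyUser.Read.All" -NoWelcome

$breakGlassGroupId = (Get-MgGroup -Filter "displayName eq 'Emergency Access Accounts'").Id
if (-not $breakGlassGroupId) { throw "Emergency access group not found" }
$uri = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

$signInRisk = @{
    displayName = "CA006 - Require MFA for Medium+ Sign-in Risk"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users            = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications     = @{ includeApplications = @("All") }
        signInRiskLevels = @("medium", "high")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# The password-change control is paired with MFA and requires all controls;
# users need a registered MFA method and SSPR for the reset to succeed.
$userRisk = @{
    displayName = "CA007 - Require Secure Password Change for High User Risk"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        userRiskLevels = @("high")
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "passwordChange") }
}

foreach ($p in @($signInRisk, $userRisk)) {
    $created = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $p -OutputType PSObject
    Write-Host "Created $($created.displayName) [$($created.state)] id=$($created.id)"
}

# Who would CA007 hit today? Review these before switching it to On; anyone
# here without MFA/SSPR registration would be locked out rather than remediated.
Get-MgRiskyUser -Filter "riskLevel eq 'high' and riskState eq 'atRisk'" -All |
    Select-Object UserPrincipalName, RiskLevel, RiskState, RiskLastUpdatedDateTime |
    Format-Table -AutoSize
```

The risky-user preview is the check that report-only mode cannot give you for CA007: report-only tells you which sign-ins would have matched, while this tells you which accounts are already in the matching state.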

Step 6: Test Policies in Report-Only Mode

Before enabling policies, verify their impact using report-only mode and the What If tool.

Review Sign-in Logs

  1. Navigate to Azure AD > Sign-in logs

  2. Add filter: Conditional Access = Report-only: Failure

  3. Review entries to see which users/devices would be blocked

  4. For each entry:

    • Click to expand details
    • Go to Conditional Access tab
    • Review which policies would apply and their results

Use the What If Tool

  1. Navigate to Conditional Access > What If

  2. Configure the simulation:

    • User: Select a test user
    • Cloud apps: Select target application
    • IP address: Enter test IP
    • Country: Select location
    • Device platform: Select platform
    • Device state: Compliant or Non-compliant
    • Sign-in risk: Select risk level
  3. Click What If

  4. Review:

    • Policies that will apply: Green checkmarks
    • Policies that will not apply: Gray
    • Grant controls required: What the user must do
  5. Test multiple scenarios:

    • Compliant device from corporate network
    • Non-compliant device from corporate network
    • Compliant device from external location
    • Non-compliant device from external location

Monitor for Issues

  1. Watch for patterns in report-only failures:

    • Service accounts being blocked
    • Users without compliant devices
    • Unexpected location-based blocks
  2. Address issues before enabling:

    • Exclude service accounts or create specific policies
    • Help users achieve device compliance
    • Update named locations as needed
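The pattern-spotting described in Step 6, done over the sign-in logs with a script rather than by scrolling the portal. This is an added example and not part of the original article; it assumes the Microsoft.Graph module and an admin with AuditLog.Read.All and Directory.Read.All, and it uses the CA001/CA003 policy names from this guide.

```powershell
# Added example (not from the original article): summarize report-only
# failures from the last 7 days by policy, by user, and by the two patterns
# that most often need action (legacy-auth clients, unenrolled devices).
# Assumptions: Microsoft.Graph module; AuditLog.Read.All and
# Directory.Read.All; policy names as used in this guide. In a large tenant
# narrow the window before running.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All" -NoWelcome

$since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# One row per (sign-in, policy) pair where the policy would have failed.
$rows = foreach ($s in $signIns) {
    foreach ($pol in $s.AppliedConditionalAccessPolicies) {
        if ($pol.Result -eq "reportOnlyFailure") {
            [pscustomobject]@{
                Policy    = $pol.DisplayName
                User      = $s.UserPrincipalName
                App       = $s.AppDisplayName
                Platform  = $s.DeviceDetail.OperatingSystem
                Compliant = $s.DeviceDetail.IsCompliant
                Managed   = $s.DeviceDetail.IsManaged
                ClientApp = $s.ClientAppUsed
                Location  = "$($s.Location.City), $($s.Location.CountryOrRegion)"
                Ip        = $s.IPAddress
            }
        }
    }
}

"== Report-only failures by policy =="
$rows | Group-Object Policy | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

"== Users with the most would-be blocks (service accounts surface here) =="
$rows | Group-Object User | Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name | Format-Table -AutoSize

"== Legacy-auth clients CA003 would block, by client and user =="
$rows | Where-Object { $_.Policy -like "CA003*" } |
    Group-Object ClientApp, User | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

"== CA001 failures from devices that are not even Intune-managed (enrollment gap) =="
$rows | Where-Object { $_.Policy -like "CA001*" -and -not $_.Managed } |
    Select-Object User, Platform, App, Ip -Unique | Format-Table -AutoSize

"== Location-based failures by country (unexpected geo blocks) =="
$rows | Where-Object { $_.Policy -like "CA005*" } |
    Group-Object Location | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

A user who appears in the second table with hundreds of failures from one IP and no device details is almost always a script or integration running under a user account; that is the exclusion decision to make before the policy goes live, not after.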

Step 7: Enable Policies Gradually

After testing, enable policies with a phased approach.

Phase 1: IT Pilot (Week 1-2)

  1. Create a pilot group of 5-10 IT users

  2. For policy "CA001 - Require Compliant Device for Microsoft 365":

    • Edit policy
    • Change Users from "All users" to your IT pilot group
    • Change Enable policy to On
    • Click Save
  3. Monitor pilot users for issues:

    • Check sign-in logs for failures
    • Gather feedback on user experience
    • Resolve any problems

Phase 2: Early Adopters (Week 3-4)

  1. Expand to early adopter group (25-50 users from various departments)

  2. Edit policy:

    • Add early adopter group to assignment
    • (Or switch to "All users" if confident)
  3. Continue monitoring and gathering feedback

Phase 3: Organization-Wide (Week 5+)

  1. After successful pilot phases:

    • Edit policy
    • Change to All users (keeping exclusions)
    • Monitor closely for first few days
  2. Have support team ready to assist users

  3. Communicate rollout to organization

Enable Additional Policies

Repeat the phased approach for each additional policy:

  1. CA002 - MFA from untrusted locations
  2. CA003 - Block legacy authentication
  3. CA004 - Require hybrid Azure AD join
  4. CA005 - Block high-risk countries
  5. CA006/CA007 - Risk-based policies

Step 8: Configure Session Controls (Advanced)

Session controls provide additional protection after initial authentication.

Configure Sign-in Frequency

Force re-authentication after a period of time.

  1. Edit or create a new Conditional Access policy

  2. Under Session:

    • Sign-in frequency: Configure to On
    • Choose one of the two modes; they are mutually exclusive:
      • Periodic reauthentication: set a duration (e.g., 8 hours, 24 hours); the user re-authenticates once the interval has elapsed
      • Every time: re-authenticate on every access, with no duration. Reserve this for a small set of sensitive apps; applied to All cloud apps it turns into constant prompts
  3. Use cases:

    • Sensitive applications requiring frequent re-auth
    • Unmanaged device access with time limits

Configure Persistent Browser Session

Control whether users stay signed in.

  1. Under Session:

    • Persistent browser session: Configure to On
    • Set to: Never persistent (or Always persistent)
    • This control only takes effect when the policy's Target resources is All cloud apps
  2. Use cases:

    • Always persistent for trusted, compliant devices
    • Never persistent for unmanaged devices, combined with a sign-in frequency so the session also expires

Configure App Enforced Restrictions

Limit capabilities in browser sessions.

  1. Under Session:

    • Use app enforced restrictions: On
  2. Requires:

    • A SharePoint Online (and OneDrive) unmanaged-devices access policy, or the equivalent Outlook on the web setting in Exchange Online; these are the only services that honor this control
  3. Enables:

    • Limited, web-only access on unmanaged devices, with download, print and sync blocked

Controls that act inside the session for other apps, such as blocking copy/paste or uploads, are a different session control: Use Conditional Access App Control, which routes the session through Microsoft Defender for Cloud Apps. Document watermarking comes from Microsoft Purview sensitivity labels, not from this control.

Troubleshooting

Users Unable to Access Resources

Symptoms: Users report being blocked from Microsoft 365 or other apps.

Diagnosis:

  1. Check sign-in logs for the user's failed attempt
  2. Review Conditional Access tab in sign-in details
  3. Identify which policy blocked access and why

Common Causes and Solutions:

Cause                         | Solution
------------------------------|-----------------------------------------------
Device not compliant          | Help user remediate compliance issues
Device not enrolled           | Guide user through Intune enrollment
Device not Azure AD joined    | Join device to Azure AD
Legacy authentication attempt | User must use modern auth client
Location blocked              | Verify user's location, adjust named locations
MFA not completed             | User must complete MFA registration

Device Shows Compliant But Access Blocked

Symptoms: Intune shows compliant but Conditional Access blocks.

Diagnosis:

  1. Check how the device is joined:

    • Run dsregcmd /status on Windows
    • AzureAdJoined: YES means Azure AD joined; AzureAdJoined and DomainJoined both YES means hybrid joined; only WorkplaceJoined: YES means Azure AD registered
    • AzureAdPrt: NO means there is no Primary Refresh Token, so browser and desktop sign-ins carry no device identity and cannot satisfy a device control regardless of compliance state
  2. Verify the device ID matches:

    • Intune: the device's Azure AD Device ID
    • Azure AD: Devices > the Device ID of the object marked Compliant
    • A duplicate or stale Azure AD device object for the same hardware is a common cause of mismatch

Solutions:

  • Re-join device to Azure AD (remove stale duplicate device objects first)
  • Wait for compliance status to sync (up to 30 minutes)
  • Force sync from Company Portal, or from Settings > Accounts > Access work or school > Info > Sync
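The diagnosis above as a script: the first half runs on the affected Windows device and parses dsregcmd /status; the second half runs on an admin workstation and compares the Azure AD device object with the Intune object for that device ID. This is an added example, not from the original article; it assumes the Microsoft.Graph module on the admin side with Directory.Read.All and DeviceManagementManagedDevices.Read.All.

```powershell
# Added example (not from the original article): correlate dsregcmd output
# with the Entra ID and Intune device objects.
# Assumptions: part 1 runs on the client; part 2 on an admin workstation with
# the Microsoft.Graph module, Directory.Read.All and
# DeviceManagementManagedDevices.Read.All. Carry $state.DeviceId across.

# ---- Part 1 (on the client): join state and device ID from dsregcmd ----
function Get-DsregState {
    $text = dsregcmd /status | Out-String
    # Lines look like "    AzureAdJoined : YES"
    $get = { param($key) if ($text -match "(?m)^\s*$key\s*:\s*(\S+)") { $Matches[1] } else { $null } }
    [pscustomobject]@{
        AzureAdJoined   = & $get "AzureAdJoined"
        DomainJoined    = & $get "DomainJoined"
        WorkplaceJoined = & $get "WorkplaceJoined"
        DeviceId        = & $get "DeviceId"
        TenantId        = & $get "TenantId"
        AzureAdPrt      = & $get "AzureAdPrt"
    }
}

$state = Get-DsregState
$state | Format-List

if ($state.AzureAdJoined -ne "YES" -and $state.DomainJoined -ne "YES" -and $state.WorkplaceJoined -ne "YES") {
    Write-Warning "Device has no Entra identity at all: Conditional Access cannot match it to a compliant object."
}
if ($state.AzureAdPrt -ne "YES") {
    Write-Warning "No Primary Refresh Token: sign-ins will not carry device claims, so device controls fail."
}

# ---- Part 2 (admin workstation): compare the Entra and Intune objects ----
Connect-MgGraph -Scopes "Directory.Read.All", "DeviceManagementManagedDevices.Read.All" -NoWelcome

$entraDevices = @(Get-MgDevice -Filter "deviceId eq '$($state.DeviceId)'")
if ($entraDevices.Count -eq 0) { throw "No Entra device object with deviceId $($state.DeviceId); rejoin the device." }
if ($entraDevices.Count -gt 1) { Write-Warning "Duplicate Entra objects for this deviceId; CA may evaluate the stale one." }
$entraDevice = $entraDevices[0]

$intuneDevice = Get-MgDeviceManagementManagedDevice -Filter "azureADDeviceId eq '$($state.DeviceId)'"

[pscustomobject]@{
    EntraDisplayName = $entraDevice.DisplayName
    EntraIsCompliant = $entraDevice.IsCompliant     # this is the value Conditional Access reads
    EntraIsManaged   = $entraDevice.IsManaged
    EntraTrustType   = $entraDevice.TrustType       # AzureAd, ServerAd (hybrid) or Workplace (registered)
    IntuneFound      = [bool]$intuneDevice
    IntuneCompliance = $intuneDevice.ComplianceState
    IntuneLastSync   = $intuneDevice.LastSyncDateTime
} | Format-List

# Intune "compliant" with Entra IsCompliant false is sync lag or a stale
# second object; no Intune object at all means the enrollment never linked.
```

`EntraIsCompliant` is the attribute the policy engine actually evaluates; if it disagrees with the Intune column after the sync window has passed, the device object, not the compliance policy, is the problem.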

Conditional Access Policy Not Applying

Symptoms: Expected policy doesn't appear in sign-in logs.

Diagnosis:

  1. Verify policy is Enabled (not Report-only or Off)
  2. Check policy assignments:
    • User is in included group
    • User is not in excluded group
  3. Verify conditions match:
    • Platform condition
    • Location condition
    • Client app condition

Solutions:

  • Review policy configuration
  • Use What If tool to verify policy applies
  • Check for conflicting policies

MFA Registration Loops

Symptoms: User repeatedly prompted for MFA setup but can't complete.

Diagnosis:

  1. Check whether the MFA registration flow itself is caught by a Conditional Access policy (a compliant-device or MFA requirement on All cloud apps applies to registration as well)
  2. Verify the user can reach aka.ms/mfasetup from a known-good device and location

Solution:

  • Govern registration with its own policy instead of the general ones:
    • Create a policy whose Target resources is the User action "Register security information"
    • Grant access only from trusted locations, or require a Temporary Access Pass issued by the helpdesk; a TAP satisfies MFA, which is what breaks the loop for a user with no method registered yet
    • Keep compliant-device requirements off the registration flow: a user cannot enroll a device before they can sign in

Service Account Access Blocked

Symptoms: Automated processes fail due to Conditional Access.

Solutions:

  1. Managed identities or service principals (preferred): Automation should run as a managed identity or an app registration with a certificate or secret. User-based Conditional Access policies do not apply to these at all; workload identities have separate policies and a separate license
  2. Conditional Access exclusion: If the process must run as a user account, add it to a dedicated exclusion group, one group per reason rather than a shared "exceptions" group
  3. Named location exemption: Pair the exclusion with a policy that blocks the same account from everywhere except the IP ranges it runs from, so the exemption is not a global bypass

Best practice: Every excluded account is a hole in the policy. Record the owner and reason for each exemption, give it an expiry date, and review the list monthly.

Best Practices

Policy Design

  1. Always use Report-only first: Never enable policies directly to production
  2. Exclude emergency access accounts: From every policy without exception
  3. Use groups for assignments: Easier to manage than individual users
  4. Layer policies by purpose: Don't create one complex policy, create multiple focused policies
  5. Document everything: Keep records of policy logic and exclusions

Naming Convention

Establish a consistent naming convention:

CA[Number] - [Action] [Target] [Condition]

Examples:
CA001 - Require Compliant Device for M365
CA002 - Block Legacy Authentication All Apps
CA003 - Require MFA from External Locations
CA004 - Block High Risk Sign-ins
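A recurring check for the design rules above: every policy excludes the break-glass group, every policy follows the CA### naming convention, and no enabled policy is a blanket block with no narrowing condition. This is an added example, not code from the original article; it assumes the Microsoft.Graph module, Policy.Read.All and Group.Read.All, and the "Emergency Access Accounts" group name from Step 2.

```powershell
# Added example (not from the original article): audit all Conditional Access
# policies against the Policy Design and Naming Convention rules above.
# Assumptions: Microsoft.Graph module; Policy.Read.All and Group.Read.All;
# break-glass group named "Emergency Access Accounts".
Connect-MgGraph -Scopes "Policy.Read.All", "Group.Read.All" -NoWelcome

$breakGlass = Get-MgGroup -Filter "displayName eq 'Emergency Access Accounts'"
if (-not $breakGlass) { throw "Emergency access group not found" }
$breakGlassMembers = @((Get-MgGroupMember -GroupId $breakGlass.Id -All).Id)

$uri      = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
$policies = (Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject).value

$findings = foreach ($p in $policies) {
    $u = $p.conditions.users
    # The exclusion counts if the group is excluded, or every member is
    # excluded individually.
    $groupExcluded = $u.excludeGroups -contains $breakGlass.Id
    $usersExcluded = $breakGlassMembers.Count -gt 0 -and
        @($breakGlassMembers | Where-Object { $u.excludeUsers -notcontains $_ }).Count -eq 0

    $problems = @()
    if (-not ($groupExcluded -or $usersExcluded)) { $problems += "break-glass not excluded" }
    if ($p.displayName -notmatch '^CA\d{3} - ') { $problems += "name not 'CA### - ...'" }

    # Blanket block: All users, All apps, block, and nothing that narrows it.
    # Graph reports clientAppTypes as "all" when the condition is not set.
    $blanketBlock = $u.includeUsers -contains "All" -and
        $p.conditions.applications.includeApplications -contains "All" -and
        $p.grantControls.builtInControls -contains "block" -and
        $p.conditions.clientAppTypes -contains "all" -and
        -not $p.conditions.locations -and -not $p.conditions.platforms -and
        -not $p.conditions.signInRiskLevels -and -not $p.conditions.userRiskLevels
    if ($blanketBlock) { $problems += "blocks All users on All apps with no narrowing condition" }

    if ($p.state -eq "enabled" -and -not $u.excludeGroups -and -not $u.excludeUsers) {
        $problems += "enabled with no exclusions at all"
    }

    [pscustomobject]@{
        Policy   = $p.displayName
        State    = $p.state
        Findings = if ($problems) { $problems -join "; " } else { "OK" }
    }
}

$findings | Sort-Object Findings | Format-Table -AutoSize

# Non-zero exit so a scheduled run (or a pipeline) fails loudly when a policy
# edit drops the exclusion instead of just printing a table.
if (@($findings | Where-Object Findings -ne "OK").Count -gt 0) { exit 1 }
```

Run it on the monthly exclusion-audit cadence from the maintenance table, and also immediately after any policy change alert fires; a dropped break-glass exclusion is the one misconfiguration that turns the next mistake into a tenant-wide lockout.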

Regular Maintenance

Task                        | Frequency  | Description
----------------------------|------------|------------------------------------------
Review sign-in logs         | Weekly     | Check for blocked access, anomalies
Audit exclusions            | Monthly    | Verify exclusions are still needed
Test emergency accounts     | Quarterly  | Verify break glass accounts work
Review policy effectiveness | Quarterly  | Are policies achieving security goals?
Update named locations      | As needed  | When office IPs change

Security Recommendations

  1. Block legacy authentication: Critical for security
  2. Require MFA + compliant device: Defense in depth
  3. Use risk-based policies: Respond to threats automatically
  4. Limit session duration: Reduce window of exposure
  5. Monitor continuously: Set up alerts for policy changes

Monitoring and Reporting

Built-in Reports

Access Conditional Access reports:

  1. Navigate to Protection > Conditional Access > Insights and reporting

  2. The workbook only populates once sign-in logs are exported to a Log Analytics workspace through Diagnostic settings (see Create Alerts below); without that it shows nothing

  3. Review:

    • Sign-in success vs. failure: Impact of policies
    • Policy impact: Which policies are triggering, including report-only results per policy
    • User impact: Who is being affected

Sign-in Log Analysis

  1. Navigate to Azure AD > Sign-in logs

  2. Useful filters:

    • Conditional Access: Success, Failure, Report-only
    • Status: Success, Failure, Interrupted
    • Application: Specific app analysis
  3. Export logs for detailed analysis

Create Alerts

  1. Navigate to Azure AD > Diagnostic settings

  2. Configure log export to:

    • Log Analytics workspace
    • Storage account
    • Event hub
  3. Create alerts for:

    • High volume of CA failures
    • Emergency account usage
    • Policy configuration changes
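The three alert conditions above written as KQL and run against the Log Analytics workspace that receives SigninLogs and AuditLogs from the diagnostic setting. This is an added example and not code from the original article; it assumes the Az.Accounts and Az.OperationalInsights modules, and the workspace ID, break-glass UPNs and failure threshold are placeholders.

```powershell
# Added example (not from the original article): the Create Alerts queries as
# KQL, executed ad hoc. The same query text goes into an Azure Monitor
# scheduled query rule to become an actual alert.
# Assumptions: Az.Accounts and Az.OperationalInsights modules; SigninLogs and
# AuditLogs flow into the workspace; $workspaceId, the UPNs and the 50/15min
# threshold are placeholders.
Connect-AzAccount | Out-Null
$workspaceId    = "00000000-0000-0000-0000-000000000000"
$breakGlassUpns = @("emergency1@contoso.onmicrosoft.com", "emergency2@contoso.onmicrosoft.com")
$upnList        = ($breakGlassUpns | ForEach-Object { "'$_'" }) -join ", "

$queries = [ordered]@{
    # Any use of a break-glass account is an incident until proven otherwise.
    "Emergency account sign-in" = @"
SigninLogs
| where TimeGenerated > ago(1h)
| where UserPrincipalName in~ ($upnList)
| project TimeGenerated, UserPrincipalName, IPAddress, Location, ResultType, ConditionalAccessStatus, AppDisplayName
"@
    # Add/update/delete of a Conditional Access policy, with who did it.
    "Conditional Access policy change" = @"
AuditLogs
| where TimeGenerated > ago(1h)
| where OperationName has "conditional access policy"
| extend Actor  = tostring(InitiatedBy.user.userPrincipalName),
         Target = tostring(TargetResources[0].displayName)
| project TimeGenerated, OperationName, Actor, Target, Result
"@
    # Volume spike of sign-ins that Conditional Access itself failed.
    "CA failure spike" = @"
SigninLogs
| where TimeGenerated > ago(1h)
| where ConditionalAccessStatus == "failure"
| summarize Failures = count(), Users = dcount(UserPrincipalName) by bin(TimeGenerated, 15m)
| where Failures > 50
"@
}

foreach ($name in $queries.Keys) {
    $result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $queries[$name]
    $hits   = @($result.Results)
    if ($hits.Count -gt 0) {
        Write-Warning "[$name] $($hits.Count) hit(s) in the last hour"
        $hits | Format-Table -AutoSize
    } else {
        Write-Host "[$name] nothing to report"
    }
}
```

The policy-change query is the one to wire to a high-severity action group: a legitimate change arrives with a change ticket, and an unexpected one is either an attacker weakening controls or an admin about to cause the outage the break-glass accounts exist for.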

Next Steps

After configuring Conditional Access:

  1. Enable Identity Protection: Add risk-based policies
  2. Configure Microsoft Defender for Cloud Apps: Add session controls
  3. Implement Continuous Access Evaluation: Real-time policy enforcement
  4. Deploy authentication methods: Passwordless, FIDO2 keys
  5. Regular audits: Review and optimize policies


Frequently Asked Questions

How do Intune compliance policies and Conditional Access work together?

Intune compliance policies define security requirements for devices (encryption, password, OS version, etc.) and evaluate whether devices meet those requirements. Conditional Access uses this compliance status as a condition for granting access to cloud apps. When configured together, only devices that Intune marks as compliant can access protected resources like Microsoft 365, creating a powerful Zero Trust security model.
