Setup Intune Policies
Overview
This is a small guide on how to set up and use/debug Conditional Access Policies within Intune.
By using policies, you define what will actually happen with non-compliant devices.
For more information, read the official docs.
Misconfiguring conditional access can keep your users from signing in unintentionally. Relution is not liable for any damages resulting from improper configuration.
Targeting all cloud apps in the target resources with strict policies will also block users from registering their devices.
Note
Relution suggests the following:
- To start with, either use policies in “report-only” mode instead of applying them directly, or apply them to selected users only, so you can make sure they work as expected.
- Never select All cloud apps in the target resources. Selecting All cloud apps with strict policies will block users from being able to register their device. As of today, the Microsoft Broker app can’t be selected in the exclude filter, which always needs to be enabled.
- Selecting Office 365 is a good way to start.
Example setup
Policies can be configured in Intune > Endpoint security > Conditional Access > Policies.
See the following screenshot as an example:
- select the users which should be affected
- select the resources which should be affected
- in this example, we used the Teams services
- as a grant, we decided that devices have to be compliant
- for testing purposes, we set the policy to Report-only
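The same example policy expressed as the request body the Microsoft Graph endpoint POST /identity/conditionalAccess/policies expects, together with a pre-flight check for the two rollout mistakes the note above warns about. This is an added example and not Relution's or Microsoft's code; the user object IDs and the display name are constructed placeholders, and it targets the Office 365 app group ("Office365" in Graph) rather than the Teams services from the screenshot, because the note recommends Office 365 as a starting point.

```python
"""Build and sanity-check a conditional access policy body for Microsoft Graph."""
import json

# Graph "state" values: "Report-only" in the portal maps to the first one.
REPORT_ONLY = "enabledForReportingButNotEnforced"
ENABLED = "enabled"


def build_policy(display_name, user_ids, apps=("Office365",), state=REPORT_ONLY):
    """Return the JSON body for a 'require compliant device' policy.

    user_ids: object IDs of the pilot users (assumed placeholders below).
    apps:     Graph application identifiers; "All" would mean "All cloud apps".
    """
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": list(user_ids)},
            "applications": {"includeApplications": list(apps)},
        },
        # Grant: access only from a device Intune marks as compliant.
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    }


def check_policy(policy):
    """Return warnings for the rollout mistakes described in the note above."""
    warnings = []
    apps = policy["conditions"]["applications"]["includeApplications"]
    users = policy["conditions"]["users"]["includeUsers"]
    if "All" in apps:
        # Covers the Microsoft Broker app too, so device registration breaks.
        warnings.append("targets All cloud apps: device registration will be blocked")
    if policy["state"] == ENABLED and users == ["All"]:
        warnings.append("enforced for all users without a report-only or pilot phase")
    return warnings


if __name__ == "__main__":
    # Constructed placeholder object ID for a pilot user.
    pilot_users = ["00000000-0000-0000-0000-000000000001"]
    policy = build_policy("Pilot: require compliant device for Office 365", pilot_users)
    print(json.dumps(policy, indent=2))
    # An empty list means the body is safe to send with
    # POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
    print(check_policy(policy))
```

Run the check before every POST; switching the state to "enabled" later only needs the one field changed, so the same body serves both the report-only test phase and the final rollout.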
Security Defaults
Chances are you might receive an error stating that security defaults must be disabled before you can enable conditional access policies. The official Microsoft docs will tell you more about whether you should switch to conditional access or not.
If you’re sure you want to disable them, click on Disable security defaults, select Disabled and My organization is planning to use conditional access.
Debugging
In the Sign-in logs view in Entra/Intune it is possible to see whether Conditional Access policies were applied or not.
Additionally, Microsoft offers a What If tool.
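When the sign-in logs are exported (or read through the Graph signIn resource), the same check can be done in bulk: each entry carries a conditionalAccessStatus and an appliedConditionalAccessPolicies list whose per-policy result tells you whether a report-only policy would have blocked the sign-in. This is an added example and not Relution's or Microsoft's code; the field names are those of the Graph signIn resource, and the log entries are constructed samples.

```python
"""Summarise how a conditional access policy evaluated across sign-in log entries."""

# Constructed sample entries in the shape of the Graph signIn resource.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Teams",
     "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Pilot: require compliant device", "result": "reportOnlySuccess"}]},
    {"userPrincipalName": "dave@example.com", "appDisplayName": "Microsoft Teams",
     "conditionalAccessStatus": "success",  # report-only never blocks ...
     "appliedConditionalAccessPolicies": [
         # ... but this result shows the policy WOULD have blocked once enforced.
         {"displayName": "Pilot: require compliant device", "result": "reportOnlyFailure"}]},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Teams",
     "conditionalAccessStatus": "failure",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require compliant device", "result": "failure"}]},
    {"userPrincipalName": "carol@example.com", "appDisplayName": "Azure Portal",
     "conditionalAccessStatus": "notApplied",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require compliant device", "result": "notApplied"}]},
]


def policy_outcomes(signins, policy_name):
    """Count per result value how the named policy evaluated across sign-ins."""
    counts = {}
    for entry in signins:
        for applied in entry.get("appliedConditionalAccessPolicies", []):
            if applied.get("displayName") == policy_name:
                result = applied.get("result", "unknown")
                counts[result] = counts.get(result, 0) + 1
    return counts


def report_only_blocks(signins, policy_name):
    """Users whom a report-only policy would have blocked had it been enforced."""
    users = set()
    for entry in signins:
        for applied in entry.get("appliedConditionalAccessPolicies", []):
            if (applied.get("displayName") == policy_name
                    and applied.get("result") == "reportOnlyFailure"):
                users.add(entry["userPrincipalName"])
    return sorted(users)


def enforced_blocks(signins):
    """(user, app) pairs where an enforced policy actually denied the sign-in."""
    return [(e["userPrincipalName"], e["appDisplayName"])
            for e in signins if e.get("conditionalAccessStatus") == "failure"]


if __name__ == "__main__":
    name = "Pilot: require compliant device"
    print(policy_outcomes(SAMPLE_SIGNINS, name))
    print("would be blocked:", report_only_blocks(SAMPLE_SIGNINS, name))
    print("blocked now:", enforced_blocks(SAMPLE_SIGNINS))
```

A non-empty result from report_only_blocks during the report-only phase is the list to work through (typically users whose devices are not yet compliant) before the policy state is switched to enabled.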