Time for another entry in the Keep it Simple with Intune series. In this post, I will show you how to implement your first conditional access rule, allowing you to block or enable access to solutions based on the compliancy of a device.

So in the blog post, I am going to allow or deny access to the Office 365 suite, or should I say Micrsoft 365 Apps suite, based on a device being encrypted or not. If it’s not encrypted then I deny access to Office.

In the MEM Admin Center

In the MEM admin center, note the new URL https://endpoint.microsoft.com/,  select Devices\Conditional Access.

Click the New Policy link.

Give the policy an appropriate Name then click the Users and groups link.

In the Users and groups section, we are going to choose the users or groups which will be tested for conditional access. If adding a group, this will be a group of users. It’s best to be selective here, so instead of this effecting all users, I’m going to choose group of users. I’ve selected Select users and groups and then users and groups. Now click Select to choose the users or groups.

I have a group of users selected, now click Done.

Back at the Assignments section, click Cloud apps or actions. I’m going to deny access to Office 365 apps if not compliant, therefore I need to select Cloud apps in the Select what this policy applies to, and to include Select Apps. In the Select section, I have the ability to choose Office 365 (preview). Select and confirm these choices.

At the Assignments section select Conditions. In here, I’m going to select Device Platforms and apply the policy to any Windows based devices. Click Done to confirm your configuration.

Now in the Access Controls section, I need to define whether I am going to block or grant access. If I am to grant access, under what conditions will I allow this access. As you can see from the screenshot, I will grant access to devices, if they are marked as compliant.

It’s worth setting the Enable Policy setting to Report-only to get data back on the impact of the conditional access policy. You don’t want this to have a negative impact, locking admins out of administering systems for example. When the policy is configured click Create.

You’ll see your new conditional access policy appear next to the default policies.

Next up, we need to create a policy which will check our devices for compliance. If you remember, we’ve set to grant access to Office apps if our devices are marked as compliant. So we need to create a compliance policy to check against. Under Devices, click Compliance policies.

Click Create Policy and in the Platform drop down choose Winows 10 and later. Click Create.

We can now run through the compliance policy wizard. Give the policy a Name and enter an optional Description. Click Next.

In the Compliance Settings section, I have clicked the System Security link and I’m going to set my devices to be Required for Encryption. Click Next. As you can see, there are plenty of options to choose from in this section.

In the Actions for noncompliance section, I have set the action Mark device noncompliant Immediately. Click Next.

In the Assignments section, I have targeted this at a group of devices. You may want to target the check against all Devices. Click Next.

At the Review + create section, we can check the settings that have been applied before clicking the Create button.

On the endpoints

Once the targeted devices have synced in, and the polices are applied, we can test the scenarios to ensure this is working as expected. I’ve also turned off the Report-only setting and enabled the conditional access so you see the result.

I have two users testuser 1 & testuser 3.

  • Testuser 1 has been added to the Conditional Access user group, so the intended effect is that this user will be blocked to use Office if the device it is logged into is not encrypted
  • Testuser 3 is not in the Conditional Access group and therefore will not be impacted by the check and should be allowed into Office regardless as to whether the device is encrypted or not.

On my desktop I’ve run a quick test to check for encryption with the manage-bde -status command. Proof that this device is not encrypted.

When authenticating with Office.com, as testuser1, you can see that the request is denied. Our policies have kicked in and done as intended.

Testuser3 is not in the conditional access group and therefore is still allowed to use Office.

To check what’s happening, take a look under Azure Active Directory>Sign-ins.

Here you can see a failure for the testuser1 and a not applicable for testuser3. When you enable Report-only, this is the place to come and look at the effect of conditional access policy, ensure it’s working how you intended, before enabling.


Now, if I enable encryption on the endpoint, I should be allowed to use the Office suite. Let’s take a look.

With the device encrypted, and synced back into Intune to update its compliance, testuser1 is now able to use Office.

Be sure to take a look at the other blog posts in the series: