Compliance and Conditional Access
Key Takeaways
- Intune compliance policies define platform-specific rules that determine whether a managed device is compliant.
- Compliance policy settings are tenant-wide, including the important setting that controls whether devices with no assigned compliance policy are treated as compliant or not compliant.
- Microsoft Entra Conditional Access can require a device to be marked as compliant, but that access decision only works correctly when Intune compliance policies exist and devices can report status.
- Enrollment restrictions prevent devices from enrolling; configuration profiles set device behavior; compliance policies report state; Conditional Access enforces access.
- Broad Conditional Access policies that require compliance can break enrollment flows if you forget emergency access exclusions, staged rollout, and platform-specific exceptions such as the Microsoft Intune cloud app for Android enrollment.
Compliance is the signal; Conditional Access is the gate
Microsoft's Intune compliance documentation defines compliance policies as rules and conditions that evaluate managed device configuration. Microsoft Entra Conditional Access can then use the compliance status as an access signal. MD-102 questions usually test whether you know which service evaluates the device and which service grants or blocks access.
The lifecycle is simple:
- A device enrolls into Intune.
- Intune assigns a platform-specific compliance policy.
- The device checks settings such as OS version, encryption, password, jailbreak/root status, or threat level.
- Intune reports the device as compliant or not compliant.
- Conditional Access evaluates the sign-in and can require the device to be marked as compliant before access is granted.
| Control | Primary job | Example exam clue |
|---|---|---|
| Enrollment restriction | Stop unsupported or personal devices before enrollment | Block personal Android enrollment. |
| Configuration profile | Configure device settings | Require a Wi-Fi profile, Edge setting, or Windows security setting. |
| Compliance policy | Evaluate whether a managed device meets standards | Device must have BitLocker, minimum OS, or no jailbreak/root. |
| Conditional Access policy | Grant, block, or require controls during access | Exchange Online only from compliant devices. |
| App protection policy | Protect organizational data inside supported apps | Allow BYOD access without full device enrollment. |
Compliance policy settings versus compliance policies
Intune has two compliance layers. Compliance policy settings are tenant-wide and affect how compliance behaves for every device. Device compliance policies are platform-specific rule sets assigned to users or devices.
The highest-value tenant setting for MD-102 is Mark devices with no compliance policy assigned as. In many tenants the default is permissive. If the organization uses Conditional Access to require compliant devices, treating unassigned devices as compliant creates an access gap: a device can satisfy the compliant-device requirement without ever having been evaluated. A security-focused design sets devices with no compliance policy assigned as not compliant, then makes sure every supported platform has an assigned compliance policy before enforcing Conditional Access.
Device compliance policies are built per platform. Common examples include:
| Platform | Common compliance checks |
|---|---|
| Windows | Minimum OS version, Secure Boot, TPM, BitLocker, Microsoft Defender Antivirus, firewall, password or sign-in requirements. |
| iOS/iPadOS | Minimum OS version, passcode, jailbreak detection, device threat level when integrated with a mobile threat defense provider. |
| Android Enterprise | Minimum OS or security patch level, root detection, device threat level, work profile requirements. |
| macOS | Minimum OS version, password, firewall, encryption, system integrity settings depending on policy capability. |
Compliance policies also include actions for noncompliance. The default action marks the device as noncompliant, and admins can add grace periods or notifications. On the exam, a grace period means access might continue until the deadline expires unless Conditional Access and compliance state already mark the device noncompliant.
Conditional Access requiring compliance
Microsoft's guidance on requiring device compliance with Conditional Access warns that the policy will not function as intended without an Intune compliance policy. That warning is exam-relevant: do not create a compliant-device Conditional Access policy in isolation.
A strong rollout sequence is:
- Create compliance policies for each supported platform.
- Assign policies to pilot groups and verify devices report status.
- Set the tenant behavior for devices with no assigned compliance policy deliberately.
- Create Conditional Access in report-only or a pilot assignment first.
- Exclude emergency access accounts.
- Target the intended cloud apps and device platforms.
- Use the grant control Require device to be marked as compliant.
- Monitor sign-in logs and compliance reports before expanding.
Be careful with broad policies. If a Conditional Access policy targets All cloud apps, Android, and browsers while requiring compliant devices or blocking access, Android Enterprise setup can be interrupted because authentication during enrollment uses browser-based flows. Microsoft documents that the Microsoft Intune cloud app may need to be excluded for those Android enrollment scenarios.
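As an added example that is not part of the original page or of Microsoft's documentation, the following Python lints a Conditional Access policy body in the Microsoft Graph conditionalAccessPolicy schema for the rollout pitfalls covered above: enabling outright instead of report-only, a missing emergency access exclusion, a missing compliant-device grant control, and the All cloud apps + Android + browser combination without the Microsoft Intune app excluded. The group and app identifiers are assumed placeholders, and the weak policy is constructed for illustration.

```python
import copy

# Constructed placeholders; substitute your tenant's emergency access group id and the
# Microsoft Intune app id shown in the Conditional Access target resources picker.
EMERGENCY_ACCESS_GROUP = "<emergency-access-group-object-id>"
INTUNE_CLOUD_APP = "<microsoft-intune-cloud-app-id>"

def lint_policy(policy: dict) -> list[str]:
    """Return findings for a Graph conditionalAccessPolicy body; an empty list passes."""
    cond = policy.get("conditions", {})
    apps = cond.get("applications", {})
    users = cond.get("users", {})
    platforms = (cond.get("platforms") or {}).get("includePlatforms", [])
    client_apps = cond.get("clientAppTypes", [])
    controls = (policy.get("grantControls") or {}).get("builtInControls", [])
    findings = []
    if "compliantDevice" not in controls:
        findings.append("grant control does not require a compliant device")
    if policy.get("state") == "enabled":
        findings.append("enabled outright; pilot in enabledForReportingButNotEnforced first")
    if EMERGENCY_ACCESS_GROUP not in users.get("excludeGroups", []):
        findings.append("emergency access group is not excluded")
    all_apps = "All" in apps.get("includeApplications", [])
    android = any(p in platforms for p in ("android", "all"))
    browser = any(c in client_apps for c in ("browser", "all"))
    if all_apps and android and browser and INTUNE_CLOUD_APP not in apps.get("excludeApplications", []):
        findings.append("All apps + Android + browser: exclude the Microsoft Intune app or enrollment breaks")
    return findings

# Constructed: the broad policy the text warns about.
WEAK_POLICY = {
    "displayName": "Require compliant device - all cloud apps",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeGroups": []},
        "applications": {"includeApplications": ["All"], "excludeApplications": []},
        "platforms": {"includePlatforms": ["android", "windows"]},
        "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
}

def corrected_policy() -> dict:
    """Same intent as WEAK_POLICY with the rollout sequence from the text applied."""
    fixed = copy.deepcopy(WEAK_POLICY)
    fixed["state"] = "enabledForReportingButNotEnforced"  # report-only pilot first
    fixed["conditions"]["users"]["excludeGroups"] = [EMERGENCY_ACCESS_GROUP]
    fixed["conditions"]["applications"]["excludeApplications"] = [INTUNE_CLOUD_APP]
    return fixed
```

Run `lint_policy` over policies exported with GET /identity/conditionalAccess/policies to check an existing tenant the same way.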
Exam checklist
- If the question asks how to allow access only from devices that meet standards, combine Intune compliance policy with Conditional Access requiring a compliant device.
- If the question asks how to prevent enrollment, use enrollment restrictions, not compliance.
- If a device has no compliance policy assignment and still gets access, review the tenant compliance setting for unassigned devices.
- If users are locked out right after enforcing compliant-device access, check policy scope, emergency access exclusions, device compliance status, and whether enrollment/authentication apps were unintentionally blocked.
- Treat compliance as a reported state, not a configuration mechanism.
A company wants Exchange Online to be accessible only from enrolled devices that meet security requirements. The endpoint team has not created any Intune compliance policies yet. What should be done before enforcing Conditional Access?
You discover that newly enrolled devices with no assigned compliance policy are still considered compliant and can satisfy a compliant-device Conditional Access policy. Which Intune setting should you review?
A broad Conditional Access policy requires compliant devices for All cloud apps on Android browsers. New Android Enterprise devices fail during enrollment authentication before they can become compliant. What is the most likely policy fix?
An administrator deploys a configuration profile that enables BitLocker on Windows devices. Security also wants SharePoint access blocked when a device is not encrypted. What additional configuration is required?