This chapter covers the deep integration between Microsoft Intune and Conditional Access, a critical synergy for securing access to Microsoft 365 resources. On the MS-102 exam, approximately 15-20% of questions touch on this integration, often focusing on how compliance policies and conditional access policies interact to grant or block access. You will learn the exact mechanisms, default values, and configuration steps that the exam expects you to know, including how device compliance status is evaluated and relayed to Conditional Access.
Jump to a section
Imagine a modern international airport. Conditional Access (CA) is the security checkpoint before the gates. It enforces rules: you must have a valid boarding pass (compliant device), you must pass through a metal detector (multi-factor authentication), and you must be on the approved flight list (user/group membership). If you fail, you are diverted to a secondary screening (block or require additional steps). Intune, on the other hand, is the airline's ground crew that ensures the aircraft is airworthy—it pushes software updates (compliance policies), installs required apps (app protection), and verifies seatbelts are fastened (device health attestation). Once Intune confirms the device is compliant, it issues a digital stamp (compliance status) that the security checkpoint (CA) recognizes as a valid boarding pass. If the device is jailbroken (unapproved modification), Intune revokes the stamp, and CA denies access. The two systems work together: CA defines who can fly and under what conditions, while Intune ensures the plane (device) is safe to board. Without Intune, CA would have no way to verify device health; without CA, Intune's compliance checks would not enforce access decisions.
What Is Intune and Conditional Access Integration?
Microsoft Intune is a cloud-based endpoint management service that enforces device compliance and app protection policies. Conditional Access (CA) is a policy engine that evaluates signals such as user identity, device state, location, and risk to grant or block access to cloud apps. The integration means that CA can use Intune's device compliance status as a signal. For example, a CA policy can require that a device be marked as compliant by Intune before granting access to Exchange Online. Without this integration, CA would have no native understanding of whether a device has the latest security patches or is jailbroken. Intune provides that context.
How It Works Internally
The integration relies on Azure AD device registration and the Microsoft Intune service. When a device is enrolled in Intune, it receives a certificate from Intune's Certificate Authority (CA). The device periodically reports its compliance status to Intune based on compliance policies. These policies check conditions like:
Operating system version (e.g., Windows 10 22H2 or later)
Antivirus status (e.g., Windows Defender is on and up-to-date)
Disk encryption (e.g., BitLocker enabled)
Jailbreak/root detection (for iOS/Android)
Password/PIN requirements (e.g., minimum length 6 characters)
Intune evaluates the device against each policy. If all conditions are met, the device is marked as compliant. This compliance status is stored in Azure AD as a property of the device object. The property is compliant (boolean). Conditional Access policies can reference this property via the grant control "Require device to be marked as compliant."
When a user attempts to access a cloud app, the following flow occurs: 1. User authenticates to Azure AD. 2. Azure AD evaluates the CA policy and checks the device compliance status stored in the device object. 3. If the device is compliant, access is granted (subject to other controls like MFA). 4. If the device is not compliant, access is blocked, or the user is redirected to Intune for remediation (if the CA policy allows it).
Key Components, Values, Defaults, and Timers
Compliance evaluation frequency: Devices check in with Intune every 8 hours by default (configurable via check-in frequency in the enrollment profile). On iOS/iPadOS, it's every 6 hours. On Android, it's every 8 hours.
Grace period: When a device becomes non-compliant, Intune does not immediately revoke compliance. Instead, it starts a grace period (default 30 days) during which the device can remediate. After the grace period expires, the device is marked non-compliant.
Compliance status refresh: The compliance status in Azure AD is updated when Intune processes a check-in. There is no real-time update; the status is as of the last check-in.
Certificate renewal: The device certificate issued by Intune is valid for 1 year by default. If it expires, the device becomes unenrolled and must re-enroll.
Conditional Access policy evaluation: CA evaluates policies at every authentication request. The device compliance status is cached for up to 1 hour, but can be forced to refresh by the user signing out and signing back in.
Configuration and Verification Commands
To configure Intune compliance policies via Microsoft Graph (useful for automation):
# Connect to Microsoft Graph
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"
# Create a compliance policy for Windows 10/11
$params = @{
"@odata.type" = "#microsoft.graph.windows10CompliancePolicy"
"displayName" = "Windows Compliance Policy"
"passwordRequired" = $true
"passwordMinimumLength" = 6
"passwordRequiredType" = "deviceDefault"
"osMinimumVersion" = "10.0.19042.0"
"requireBitLocker" = $true
"requireAntivirus" = $true
}
New-MgDeviceManagementCompliancePolicy -BodyParameter $paramsTo create a Conditional Access policy requiring compliant device:
$params = @{
"displayName" = "Require Compliant Device"
"state" = "enabled"
"conditions" = @{
"applications" = @{
"includeApplications" = @("All")
}
"users" = @{
"includeUsers" = @("All")
}
}
"grantControls" = @{
"operator" = "AND"
"builtInControls" = @("compliantDevice")
}
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $paramsHow It Interacts with Related Technologies
Azure AD Identity Protection: Provides risk signals (user risk, sign-in risk) that can be used in CA policies alongside device compliance. For example, require compliant device AND low sign-in risk.
Microsoft Defender for Endpoint: Can feed device risk scores into Intune compliance policies. If Defender detects a high-severity alert, the device can be marked non-compliant.
App Protection Policies (MAM): For unmanaged devices (BYOD without enrollment), CA can require app protection policies instead of device compliance. This is an alternative integration path.
Windows Autopilot: Automatically enrolls devices into Intune, ensuring they are compliant from the start.
Trap Patterns
Common wrong answers on the exam: - "Compliance status is evaluated in real-time." Reality: It is evaluated at check-in intervals (every 8 hours by default). - "Conditional Access can enforce compliance policies." Reality: CA only checks compliance status; it does not enforce the policies themselves. Intune enforces compliance policies. - "A non-compliant device is immediately blocked." Reality: There is a grace period (default 30 days) before the device is marked non-compliant. - "Device compliance is the only signal for CA." Reality: CA uses many signals (user risk, location, app sensitivity, etc.).
Enroll device in Intune
The user enrolls their device by signing in with their work account in the Company Portal app or during Windows Autopilot. The device receives a unique certificate from Intune's certificate authority (CA) that identifies it. This certificate is stored in the device's certificate store. For iOS, the enrollment profile triggers the installation of a management profile. For Android, a device administrator or Android Enterprise profile is created. The device object is created in Azure AD and linked to the Intune enrollment. The device now appears in the Microsoft Intune admin center under Devices > All devices.
Apply compliance policies
Intune assigns compliance policies to the device based on its group membership. Each policy contains rules like required OS version, password length, encryption status, and antivirus health. The device downloads these policies during its next check-in (typically every 8 hours). The Intune client on the device evaluates the rules against the device's current state. For example, if the policy requires BitLocker, the client checks if BitLocker is enabled and reports the result. The evaluation result is sent back to Intune as a JSON payload containing each rule's status (compliant/non-compliant).
Intune updates compliance status
Intune receives the compliance report and updates the device's compliance status in its database. If all rules are compliant, the device is marked as compliant. If any rule fails, the device is marked as non-compliant. Intune then writes the compliance status to the Azure AD device object via a background synchronization process. This sync occurs within minutes of the compliance evaluation. The Azure AD device object's 'compliant' attribute is set to true or false. Conditional Access policies that reference this attribute will now see the updated value.
User attempts access to cloud app
The user navigates to a cloud app like Exchange Online or SharePoint Online. The app redirects the user to Azure AD for authentication. Azure AD evaluates the Conditional Access policies. The CA policy includes a grant control that requires the device to be marked as compliant. Azure AD reads the device object's 'compliant' attribute. If the device is compliant, the authentication proceeds to the next control (e.g., MFA if required). If the device is non-compliant, Azure AD evaluates the CA policy's session controls. Typically, access is blocked, but the policy may be configured to allow access with a session control like 'Require device to be compliant' with a redirect to Intune for remediation.
Remediation or block
If access is blocked, the user sees a message that their device does not meet compliance requirements. They are often provided a link to the Company Portal app to see the specific non-compliant settings. The user must remediate the issue (e.g., update OS, enable BitLocker). Once fixed, the device must check in with Intune (manual sync in Company Portal or wait for next automatic check-in). Intune re-evaluates compliance and updates the status. The user then retries access. If the grace period has expired, the device is marked non-compliant and access is blocked until remediation. In a 'remediation' session control, the user is allowed access but with limited capabilities until compliance is achieved.
Enterprise Scenario 1: Financial Institution Requiring Device Compliance for Email Access
A bank with 10,000 employees uses Exchange Online. They have a zero-trust policy: email access only from managed, compliant devices. They deploy Intune to manage Windows 10 laptops and iOS phones. Compliance policies require Windows 10 22H2 or later, BitLocker enabled, Windows Defender active, and a password of at least 8 characters. For iOS, they require iOS 16+, passcode of 6 digits, and no jailbreak. A CA policy is created that blocks access for non-compliant devices. In production, they found that users would sometimes delay OS updates, causing non-compliance. They set a grace period of 14 days to allow time for updates. The helpdesk receives calls from users who see the block message. They guide users to the Company Portal to see the specific issue. The bank also uses Defender for Endpoint risk scores: if a device has a high-severity alert, Intune marks it non-compliant, and CA blocks email access until the threat is remediated.
Enterprise Scenario 2: Healthcare Organization Using App Protection Policies for BYOD
A hospital allows nurses to use personal iPhones to access patient records via a mobile app. They cannot enroll personal devices in Intune due to privacy concerns. Instead, they use Intune App Protection Policies (MAM) to control app behavior. They create a CA policy that requires approved client apps and app protection policies. The CA grant control 'Require app protection policy' checks if the app (e.g., Microsoft Outlook) has the MAM policy applied. If the app is not protected, access is blocked. The hospital also uses CA to require MFA for all access. This scenario shows the alternative integration: CA uses app protection status instead of device compliance.
Common Misconfiguration
A common mistake is setting the grace period too long (e.g., 90 days) or forgetting to configure it at all (default 30 days). In a high-security environment, this can leave non-compliant devices with access for too long. Another mistake is not enabling the 'Require device to be marked as compliant' grant control in the CA policy, thinking that enrolling in Intune alone is enough. Enrollment alone does not enforce access control; the CA policy must explicitly require compliance. Also, admins often forget that compliance status is not real-time; a device that was recently compromised may still show as compliant until the next check-in.
MS-102 Objective 2.4: Implement and manage device compliance and conditional access
The exam tests your ability to configure Intune compliance policies and Conditional Access policies that work together. Key objective codes: 2.4.1 (Configure device compliance policies), 2.4.2 (Configure Conditional Access policies), 2.4.3 (Monitor compliance and access).
Most Common Wrong Answers
"Conditional Access policies enforce device compliance." This is false. Conditional Access only checks the compliance status; Intune enforces compliance policies. Candidates confuse the roles.
"Device compliance is evaluated in real-time." False. Evaluation occurs at check-in intervals (every 8 hours default). The exam loves to test this with a scenario where a device becomes non-compliant and the question asks when access is blocked.
"You must configure both Intune compliance and CA policy to block access." Actually, you can block access using only CA with other signals, but to use device compliance as a signal, you need both. However, if you only configure Intune compliance without a CA policy, access is not blocked. The exam tests that both are required for compliance-based blocking.
"Grace period applies to Conditional Access." False. Grace period is an Intune concept. CA has no grace period; it immediately blocks if the device is non-compliant at the time of authentication.
Specific Numbers and Terms
Default compliance check-in interval: 8 hours (Windows, Android), 6 hours (iOS).
Default grace period: 30 days.
Grant control name: "Require device to be marked as compliant."
The compliance status attribute in Azure AD: compliant (boolean).
The device must be Azure AD registered or hybrid Azure AD joined for CA to read compliance status.
Edge Cases
Unenrolled device: If a device is not enrolled in Intune, the compliance status is not set. CA will treat it as non-compliant if the policy requires compliance. The user must enroll.
Device deleted from Intune: The device object in Azure AD remains but compliance status may be stale. CA will use the last known status until the device object is deleted.
Cross-tenant scenarios: Compliance status is not shared across tenants. A device from tenant A cannot be used to access tenant B's resources.
How to Eliminate Wrong Answers
Focus on the mechanism: Intune evaluates compliance and writes to Azure AD. CA reads from Azure AD. If an answer says Intune does something in real-time, it's wrong. If an answer says CA enforces compliance, it's wrong. If an answer suggests that compliance policies alone block access, it's wrong because CA is the gatekeeper.
Intune compliance policies define device health rules; Conditional Access uses the compliance status as a signal.
Default compliance check-in interval is 8 hours (Windows/Android) and 6 hours (iOS).
Default grace period for non-compliance is 30 days; after expiry, device is marked non-compliant.
To block access for non-compliant devices, you must create a CA policy with 'Require device to be marked as compliant' grant control.
Compliance status is written to Azure AD device object attribute 'compliant' (boolean).
CA evaluates policies at each authentication; compliance status is not real-time.
App Protection Policies (MAM) can be used as an alternative for unmanaged devices.
These come up on the exam all the time. Here's how to tell them apart.
Intune Compliance Policies
Define the rules for device health (OS version, encryption, antivirus, etc.)
Evaluate device state at check-in intervals (every 8 hours)
Mark device as compliant or non-compliant in Intune database
Write compliance status to Azure AD device object
Grace period (default 30 days) before marking non-compliant
Conditional Access Policies
Define access rules based on signals (user, device, location, risk)
Evaluate policies at every authentication request
Grant or block access based on conditions
Read compliance status from Azure AD device object
No grace period; immediately applies decision based on current status
Mistake
Conditional Access can enforce device compliance policies directly.
Correct
Conditional Access only checks the compliance status stored in Azure AD. Intune is the service that evaluates and enforces compliance policies. CA uses the status as a signal, not as an enforcement mechanism.
Mistake
Device compliance is evaluated in real-time for every access attempt.
Correct
Compliance is evaluated during periodic check-ins (every 8 hours by default). The status is cached in Azure AD and may be up to 8 hours old. The CA policy sees the last known status, not the current state.
Mistake
A non-compliant device is immediately blocked from accessing resources.
Correct
Intune provides a grace period (default 30 days) during which the device remains compliant even if policies are violated. After the grace period expires, the device is marked non-compliant. CA then blocks access based on that status.
Mistake
Device compliance is the only signal used by Conditional Access for device-based controls.
Correct
CA also uses device risk (from Defender for Endpoint) and app protection status (from Intune MAM). Compliance is one of several device-related signals.
Mistake
Enrolling a device in Intune automatically enforces Conditional Access policies.
Correct
Enrollment alone does nothing to access control. You must create a CA policy that requires compliant device. Without that policy, access is not blocked even if the device is non-compliant.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
By default, Intune evaluates compliance every 8 hours for Windows and Android devices, and every 6 hours for iOS devices. This interval can be changed by configuring the check-in frequency in the enrollment profile. The device must check in with Intune to receive and evaluate compliance policies. If a device is offline, the last known compliance status is used.
Intune does not immediately mark the device as non-compliant. Instead, a grace period begins (default 30 days). During this period, the device remains compliant in Azure AD. If the device remediates the issue before the grace period expires, compliance is maintained. If not, the device is marked non-compliant, and Conditional Access policies that require compliance will block access.
Yes, Conditional Access can use other signals like MFA, location, and risk. However, to use device compliance as a signal, you need Intune to enforce compliance policies and report the status. Without Intune, you cannot require device compliance. You can still require domain-joined devices (hybrid Azure AD join) but that's different from Intune compliance.
Device compliance checks the overall device health (OS, encryption, etc.) and requires device enrollment. App protection policies (MAM) manage how data is handled within specific apps (e.g., preventing copy-paste) and do not require enrollment. CA can require either or both. For BYOD scenarios, app protection policies are often used instead of device compliance.
Conditional Access reads the 'compliant' attribute of the device object in Azure AD. This attribute is set by Intune after evaluating compliance policies. The attribute is a boolean: true if compliant, false if not. If the device is not enrolled, the attribute may be absent, and CA treats it as non-compliant.
Yes, users can manually sync their device from the Company Portal app. For Windows, they can go to Settings > Accounts > Access work or school > click on the account > Info > Sync. This triggers an immediate check-in with Intune, which re-evaluates compliance and updates the status. However, the status update to Azure AD may still take a few minutes.
Setting the grace period to 0 means that as soon as a device violates a compliance policy, it is immediately marked non-compliant. This is very restrictive and can cause user frustration if they are in the middle of an OS update. It is recommended for high-security environments where any delay is unacceptable.
You've just covered Intune and Conditional Access Integration — now see how well it sticks with free MS-102 practice questions. Full explanations included, no account needed.
Done with this chapter?