Your organization uses Microsoft Intune to manage devices. You need to ensure that devices that are not compliant are blocked from accessing corporate resources. Which configuration should you use?
Conditional Access enforces access based on compliance.
Why this answer
Conditional Access policies in Azure AD are the correct mechanism to enforce access controls based on device compliance status. By creating a policy that requires devices to be marked as compliant, you ensure that only compliant devices can access corporate resources, while non-compliant devices are blocked at the authentication level. This integrates with Intune compliance policies to evaluate device health before granting access.
Exam trap
The trap here is that candidates often confuse the role of a compliance policy (which only evaluates and reports) with the enforcement mechanism (Conditional Access), leading them to select Option A as the answer.
How to eliminate wrong answers
Option A is wrong because a device compliance policy alone only reports compliance status and can trigger actions like sending notifications or marking devices as non-compliant, but it does not block access to corporate resources; it requires a Conditional Access policy to enforce the block.
Option B is wrong because a device configuration profile is used to configure device settings (e.g., password policies, restrictions) and does not enforce access control or block non-compliant devices from resources.
Option D is wrong because enrollment restrictions control which devices can enroll in Intune, not whether already enrolled devices that become non-compliant are blocked from accessing corporate resources.