A company uses Microsoft Entra ID and Intune for mobile device management. They want to enforce different access requirements for their finance application: when users access from an unmanaged personal device, they must perform multi-factor authentication (MFA). When they access from a corporate-managed device that is marked as compliant (e.g., joined to Azure AD, antivirus up-to-date, encryption enabled), MFA should not be required. Device compliance is reported by Intune. Which Microsoft Entra ID feature should they use to define these rules?
Conditional Access. It evaluates signals at sign-in, including the device's compliance state (written to the device object in Microsoft Entra ID by Intune), and can grant access with or without MFA depending on those signals. This is the correct feature.
Why this answer
Conditional Access policies in Microsoft Entra ID allow administrators to define granular access rules based on signals such as user, device, location, and application. In this scenario, a single policy scoped to the finance application can combine the grant controls "Require multifactor authentication" and "Require device to be marked as compliant" with the operator "Require one of the selected controls". A corporate device that Intune has marked compliant satisfies the compliant-device control and is not prompted for MFA; an unmanaged personal device cannot satisfy that control, so the only way it can meet the policy is by completing MFA. This is the correct feature because it directly evaluates the device compliance status that Intune reports to Entra ID and enforces the specified access requirements.
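The policy described above, expressed as an added example using the Microsoft Graph PowerShell SDK (this code is not from the original page or from Microsoft's documentation). It assumes the Microsoft.Graph.Identity.SignIns module is installed, the signed-in administrator holds the Policy.ReadWrite.ConditionalAccess permission, and the three GUIDs are placeholders for the finance app, the finance users group, and an emergency-access account.

```powershell
# Added example (not from the original page): create the Conditional Access policy
# "MFA unless the device is marked compliant by Intune" for a finance application.
# Assumptions: Microsoft.Graph.Identity.SignIns is installed, the admin has the
# Policy.ReadWrite.ConditionalAccess scope, and the GUIDs below are placeholders.

$financeAppId        = "00000000-0000-0000-0000-000000000001"   # placeholder: finance app (application/client ID)
$financeUsersGroupId = "00000000-0000-0000-0000-000000000002"   # placeholder: group containing finance users
$breakGlassUserId    = "00000000-0000-0000-0000-000000000003"   # placeholder: emergency-access account to exclude

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "CA-Finance-MFA-unless-compliant-device"
    # Start in report-only mode and review the "Report-only" tab of the sign-in logs
    # before enforcing, so a mis-scoped policy cannot lock finance users out.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($financeUsersGroupId)
            # Always exclude at least one emergency-access account from CA policies.
            excludeUsers  = @($breakGlassUserId)
        }
        applications = @{
            includeApplications = @($financeAppId)
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # operator "OR" is the portal's "Require one of the selected controls".
        # A device that Intune has marked compliant satisfies compliantDevice and is
        # not prompted for MFA; an unmanaged personal device cannot satisfy it, so
        # the only remaining way to be granted access is to complete MFA.
        operator        = "OR"
        builtInControls = @("mfa", "compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Once the report-only results look right, switch the same policy to enforcement:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

The same body, serialized as JSON, is what a POST to the Graph endpoint identity/conditionalAccess/policies accepts. Note that the policy itself never says what "compliant" means: that is defined by the Intune device compliance policy (encryption, antivirus, and so on), which sets the compliance state on the device object that the compliantDevice control reads. Two policies (one requiring MFA for non-compliant devices via a device filter, one allowing compliant devices) would also work, but the single OR-policy is simpler to audit and cannot leave a gap between the two conditions.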
Exam trap
The trap here is that candidates often confuse Intune device compliance policies (which define the rules for compliance and mark a device as compliant or not) with Conditional Access policies (which enforce access decisions based on that compliance status), leading them to select Option D, the Intune compliance policy, instead of Conditional Access, the feature that actually enforces the MFA requirement.
How to eliminate wrong answers
Option A is wrong because Identity Protection risk policies act on user and sign-in risk (e.g., leaked credentials, anonymous IP addresses) and do not evaluate device compliance status from Intune. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and access reviews, not device-based access rules for applications. Option D is wrong because Intune device compliance policies define the compliance criteria (e.g., encryption, antivirus) but do not enforce access decisions; they only set the compliance state on the device object in Entra ID, which Conditional Access then evaluates.