Utilizing Conditional Access Policies

This course explores the suite of tools available in Microsoft Endpoint Manager for establishing and maintaining security posture in an organization. These include tools like Microsoft Intune, used for enrolling devices as well as creating and enforcing device compliance, and Microsoft Defender, used for implementing device antivirus and malware defense tools. This course will also review the activities involved in reducing attack surfaces in an organization that bad actors could use to penetrate and expose sensitive data. This sensitive data is protected through the implementation of attack surface reduction rules which are deployed through careful auditing and testing to prevent any loss of productivity. This course will also touch on the security baselines made available to organizations wishing to enact a more granular security posture and have access to tools like secure score for evaluating the effectiveness of these efforts against known best practices.  

Learning Objectives

  • Create a compliance policy 
  • Monitor enrolled devices
  • Set up attack surface reduction rules
  • Deploy attack surface reduction rules
  • Review security baselines
  • Examine Microsoft secure score

Intended Audience

This course is designed for individuals who are responsible for setting up and monitoring device compliance and security in Microsoft 365 as well as those pursuing Microsoft certifications.


To get the most from this course, you should have some familiarity and experience with the Microsoft 365 security suite of tools including Microsoft Endpoint Manager.  


Let's review how conditional access policies work with device compliance. Conditional access policies enable us to implement automated access control decisions. Based on the conditions in these policies, the decisions they generate determine who can access our organization's cloud apps. The related device compliance policies must be configured to feed conditional access, which is typically used to allow or block access to Exchange, control access to the network, and integrate with a mobile threat defense solution.

Currently, there are two types of Conditional Access with Intune: device-based conditional access and app-based conditional access. Conditional access policies follow a workflow similar to "When this happens, then do this." Let's examine these two parts. "When this happens" defines the reason for triggering the conditional access policy. It's broken out into two parts, one concerning the user (who is making the access attempt) and another concerning the app (what is being acted upon). Once this condition is met, the second part of the flow kicks in: "Then do this." This defines the response of the policy. A good example of a response would be to require multifactor authentication when a user attempts to access email or organization resources. Alternatively, if the conditions are not met, the policy can block access to the resources entirely.

Conditional access policies are created with assignments, which define the users and groups to which the policy applies, the cloud apps whose access is controlled by the policy, and the conditions under which the policy applies, such as sign-in risk, device platforms, locations, client apps, and device state. The other part of a conditional access policy is its access controls, of which there are two types: Grant and Session. A Grant control either blocks access or specifies other requirements that must be satisfied to allow access, such as multifactor authentication. Session controls can turn on a limited experience within a cloud app.
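To make the "when this happens, then do this" flow and the assignments/conditions/grant-controls structure above concrete, here is an added example that is not part of the course material: a small Python evaluator that takes policies written in a shape modelled on the Microsoft Graph conditionalAccessPolicy resource and decides, for a constructed sign-in, whether access is blocked or which controls (such as MFA) must still be satisfied. The evaluation logic is a simplified teaching model rather than Azure AD's engine (only the "AND" grant operator is modelled and session controls are ignored), and the group and app names are constructed placeholders, not real directory object IDs.

```python
"""Simplified conditional access evaluator (added example, constructed data).

Policy dictionaries follow the shape of the Microsoft Graph
conditionalAccessPolicy resource (users/applications assignments, optional
conditions, grantControls). The evaluation is a teaching model of the
"when this happens, then do this" flow, not Azure AD's real engine: only the
grantControls operator "AND" is modelled and session controls are ignored.
Group and app names below are constructed placeholders, not real IDs.
"""
from dataclasses import dataclass


@dataclass
class SignIn:
    """One access attempt: the 'who' and 'what' of 'when this happens'."""
    user: str
    groups: frozenset
    app: str
    platform: str           # "windows", "iOS", "android", ...
    client_app_type: str    # "browser" or "mobileAppsAndDesktopClients"
    device_compliant: bool  # device compliance state as reported by Intune
    sign_in_risk: str       # "none", "low", "medium", "high"


def _in_scope(pattern, value):
    """Assignment lists use the literal 'All' or an explicit list of names."""
    return pattern == ["All"] or value in pattern


def policy_applies(policy, s):
    """Assignments (users, cloud apps) and conditions decide whether the policy triggers."""
    if policy["state"] != "enabled":
        return False
    c = policy["conditions"]
    users = c["users"]
    # Exclusions win over inclusions, so a break-glass group is never locked out.
    if s.user in users.get("excludeUsers", []) or s.groups & set(users.get("excludeGroups", [])):
        return False
    if not (_in_scope(users.get("includeUsers", []), s.user)
            or s.groups & set(users.get("includeGroups", []))):
        return False
    if not _in_scope(c["applications"]["includeApplications"], s.app):
        return False
    # Optional conditions: a policy that does not mention one applies regardless of it.
    if "platforms" in c and not _in_scope(c["platforms"]["includePlatforms"], s.platform):
        return False
    if "clientAppTypes" in c and not _in_scope(c["clientAppTypes"], s.client_app_type):
        return False
    if "signInRiskLevels" in c and s.sign_in_risk not in c["signInRiskLevels"]:
        return False
    return True


def evaluate(policies, s):
    """'Then do this': combine the grant controls of every policy that applies.

    Returns ("block", reason) when an applicable policy blocks, or when one
    requires a compliant device and Intune reports the device as not compliant;
    otherwise ("grant", set of controls the client must still satisfy, e.g. {"mfa"}).
    """
    required = set()
    for p in policies:
        if not policy_applies(p, s):
            continue
        controls = set(p["grantControls"]["builtInControls"])
        if "block" in controls:
            return "block", p["displayName"]
        if "compliantDevice" in controls and not s.device_compliant:
            return "block", f'{p["displayName"]}: device not compliant'
        required |= controls - {"compliantDevice"}
    return "grant", required


# Constructed sample policies (display names, group and app names are placeholders).
POLICIES = [
    {"displayName": "Require MFA for Exchange Online", "state": "enabled",
     "conditions": {"users": {"includeGroups": ["all-staff"], "excludeGroups": ["break-glass"]},
                    "applications": {"includeApplications": ["exchange-online"]}},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa"]}},
    {"displayName": "Require compliant device for Exchange on mobile", "state": "enabled",
     "conditions": {"users": {"includeGroups": ["all-staff"]},
                    "applications": {"includeApplications": ["exchange-online"]},
                    "platforms": {"includePlatforms": ["iOS", "android"]},
                    "clientAppTypes": ["mobileAppsAndDesktopClients"]},
     "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice"]}},
    {"displayName": "Block high-risk sign-ins", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "signInRiskLevels": ["high"]},
     "grantControls": {"operator": "AND", "builtInControls": ["block"]}},
]


def demo():
    """Three constructed sign-ins: browser on a laptop, Outlook on an unmanaged phone, high risk."""
    staff = frozenset({"all-staff"})
    laptop = SignIn("alice", staff, "exchange-online", "windows", "browser", False, "none")
    phone = SignIn("bob", staff, "exchange-online", "iOS", "mobileAppsAndDesktopClients", False, "none")
    risky = SignIn("carol", staff, "sharepoint", "windows", "browser", True, "high")
    return {name: evaluate(POLICIES, s) for name, s in (("laptop", laptop), ("phone", phone), ("risky", risky))}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running the script shows the three outcomes the text describes: the laptop browser sign-in is granted once MFA is satisfied, the Outlook sign-in from a phone that Intune reports as non-compliant is blocked by the device compliance requirement, and the high-risk sign-in is blocked outright regardless of app. The exclusion check in `policy_applies` is the part worth copying into real policy reviews: an emergency-access group excluded from every enforcing policy is what keeps a misconfigured policy from locking administrators out.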

Let's step through an example scenario of how these conditional access policies would play out. First, a user tries to authenticate with Azure Active Directory from within the Outlook app. Since this is the first time the user has tried to access the app, the user is redirected to the app store and asked to download a broker app. Once installed, the broker app starts the Azure Active Directory registration process and verifies the identity of the app. Then the broker app sends the App Client ID to Azure Active Directory as part of the authentication process. Azure Active Directory allows the user to authenticate and use the app, and then allows Outlook to retrieve the relevant email communications for the user.


About the Author

Steve is an experienced Solutions Architect with over 10 years of experience serving customers in the data and data engineering space. He has a proven track record of delivering solutions across a broad range of business areas that increase overall satisfaction and retention. He has worked across many industries, both public and private, and found many ways to drive the use of data and business intelligence tools to achieve business objectives. He is a persuasive communicator, presenter, and quite effective at building productive working relationships across all levels in the organization based on collegiality, transparency, and trust.