
Module 06 - EMDM Intune - Compliance and Conditional Access

Uploaded by

danschmidt72

Compliance and Conditional Access

Introduction

During this lab, you will learn how to control access to company resources using compliance
rules and conditional access.

Estimated Time

90 minutes

Objectives

At the end of this lab, you will be able to configure your management environment to control
access to company resources.

Logon Information

Use the following credentials to sign into the Lab on Demand Virtual environment on
MMWS_Host.

• Username: Admin
• Password: Intune123!!
Table of Contents
Lab1: Configure Compliance Policies
Exercise 1: Verify general compliance settings in the tenant
Exercise 2: Create Compliance notification templates
Exercise 3: Create and deploy a compliance policy for iOS
Exercise 4: Create and deploy a compliance policy for Android Enterprise
Exercise 5: Verify the result of the compliance policy on iOS
Exercise 6: Verify the result of the compliance policy on Android Enterprise
Lab2: Configure Conditional Access Policy
Exercise 1: Create and assign the conditional access policy
Exercise 2: Verify access to Exchange Online with a browser session
Exercise 3: Set the device in a compliant state and verify access
Lab1: Configure Compliance Policies
During this lab, you will learn how to configure the prerequisites and settings for
conditional access.

Exercise 1: Verify general compliance settings in the tenant
This exercise shows how to verify the general compliance settings of your tenant.

Tasks
1. Define how a device without compliance policy is handled.
Navigate to https://devicemanagement.microsoft.com
Select Devices → Compliance policies.

2. Select Compliance policy settings and set Mark devices with
no compliance policy assigned as to Not compliant.
3. Save the settings.

4. Create Azure Active Directory group.


Navigate to the Device Management Portal, select Groups, choose +New
group.
Create a Security group named IN-ConditionalAccess, membership type
Assigned with the purpose of deploying the compliance and conditional
access policy. Assign IN-User1 to this group.

5. Click Select and then Create.


Exercise 1 has been completed.
Exercise 2: Create Compliance notification templates
This exercise shows how to create a compliance notification template in your tenant.

Tasks
1. Define a user notification template.
Navigate to Devices → Compliance policies → Compliance policy
settings → Notifications and select + Create notification to create a new
notification.

Create a message template.

Select Next and create.


Exercise 2 has been completed.
Exercise 3: Create and deploy a compliance policy for iOS
This exercise shows how to create and deploy a compliance policy.

Tasks
1. Create and assign the device compliance policy.
Navigate to Devices → Compliance policies and select +Create policy to
create a policy object.

Configure the policy with the following name and setting:


Name: iOS Compliance Policy
Platform: iOS/iPadOS.
Select Settings Configure and then select Device Health.
Click on Device Health and enable Block Jailbroken devices.

Click OK.
Then select Device Properties, enter 16 as Minimum OS version and click
OK twice.

Note: The idea is to set the device to a non-compliant state. Adjust the
version number according to the actual release numbers.

As Action for Noncompliance, select +Add to add a new messaging
template.
In the Notification message template, under Action select Send email to
end user from the drop-down list and then select message template to
add the standard template you created earlier and click Select.

Select Add and OK and then Create.


Assign the compliance policy to the group IN-ConditionalAccess and save
the assignment.

Exercise 3 has been completed.


Exercise 4: Create and deploy a compliance policy for
Android Enterprise
This exercise shows how to create and deploy a compliance policy.

Tasks
1. Create and assign the device compliance policy.
Navigate to Devices → Compliance policies and select + Create policy to
create a policy object.

Configure the policy with the following name and settings:


Name: Android Enterprise Compliance Policy
Platform: Android Enterprise
Profile type: Work Profile
Select Settings Configure and then select Device Health.
Click on Device Health and enable Block Rooted devices.

Click OK.
Then select Device Properties, enter 16 for Minimum OS version.

Note: The idea is to set the device to a non-compliant state. Adjust the
version number according to the actual release numbers.

As Action for Noncompliance, select + Add to add a new messaging
template.
In the Notification message template, under Action select Send email to
end user from the drop-down list and then select message template to
add the standard template you created earlier and click Select.

Click Select.
Click Add and then OK and then Create.
Assign the compliance policy to the group IN-ConditionalAccess and Save
the assignment.
Exercise 4 has been completed.
Exercise 5: Verify the result of the compliance policy on
iOS
This exercise shows how to verify the result of the compliance policy locally and with the
Azure portal.

Tasks
1. Open the Company Portal on your iOS device.
Select Device and you should notice that your device has changed into a
non-compliant state.

Tap on notifications.
Then tap on the Update settings information to get more detailed
information about the non-compliance.
You can drill in further if you open the Update your operating system.
2. Verify compliance state in the Intune portal


The device reports its state back to Intune. Verify the state in the
DeviceManagement portal at Devices → Monitor → Noncompliant
devices.
Exercise 5 has been completed.

Exercise 6: Verify the result of the compliance policy on
Android Enterprise
This exercise shows how to verify the result of the compliance policy locally and with the
Azure portal.

Tasks
1. Open the Company Portal on your Android Enterprise device
Select Device and you should notice that your device has changed into a
non-compliant state. (red exclamation mark!)

Note: You also see other devices for your user showing as non-compliant.

Tap on the Android Enterprise device.

Then tap on the Update settings information to get more detailed
information about the non-compliance.
You will find more details on the device.
You can drill in further if you open the Update your operating system.
It will show that you need to update your Operating System.

2. Verify compliance state in the Intune portal.

The device reports its state back to Intune. Verify the state in the
DeviceManagement portal at Devices → Monitor → Device compliance.

Go to Device compliance and then Settings compliance. It will show you a
drilldown of all settings.

Exercise 6 has been completed.
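
The portal check in Exercises 5 and 6 can also be scripted. The following is an added example, not part of the original lab guide: it uses the Microsoft Graph PowerShell SDK to list the managed devices owned by members of IN-ConditionalAccess together with their compliance state. It assumes the Microsoft.Graph module is installed and that the signed-in admin can consent to the read scopes shown.

```powershell
# Added example (not from the lab guide). Assumes the Microsoft.Graph module is installed.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All', 'Group.Read.All'

# Resolve the group created in Lab1, Exercise 1; stop if the name is missing or ambiguous.
$group = Get-MgGroup -Filter "displayName eq 'IN-ConditionalAccess'"
if (@($group).Count -ne 1) {
    throw 'Expected exactly one group named IN-ConditionalAccess.'
}

# Object IDs of the group's direct members (IN-User1 in the lab).
$memberIds = @((Get-MgGroupMember -GroupId $group.Id -All).Id)

# Read all managed devices once, then keep those whose primary user is in the group.
$devices = @(Get-MgDeviceManagementManagedDevice -All |
    Where-Object { $memberIds -contains $_.UserId })

# One row per device: the same information the Company Portal and the
# Noncompliant devices report show, but scoped to the lab group.
$devices |
    Sort-Object ComplianceState, DeviceName |
    Format-Table DeviceName, OperatingSystem, OSVersion,
                 UserPrincipalName, ComplianceState, LastSyncDateTime

# Summary: devices in scope that do not currently report as compliant.
$notCompliant = @($devices | Where-Object { $_.ComplianceState -ne 'compliant' })
'{0} of {1} devices in scope do not report as compliant' -f $notCompliant.Count, $devices.Count
```

LastSyncDateTime shows whether a device has checked in since the policy was assigned; a stale value means the reported state may predate the policy.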


Lab2: Configure Conditional Access Policy
During this lab, you will learn how to configure the prerequisites and settings for
conditional access. The goal is to let the user only access company resources when their
device is compliant.

Exercise 1: Create and assign the conditional access
policy
This exercise shows how to create and assign the conditional access policy based on the
device compliance state. In this scenario, we will block access to Email when the device is
not compliant.

Note: A device counts as not compliant if it is not enrolled in
Intune, if it fails one of the compliance policies, or both.

Tasks
1. Create a basic conditional access policy for Exchange Online access.
Navigate to Devices and select Conditional access.
Select Policies and click + New policy to create new conditional access
policy.

Name the policy CA Policy1 and at the Users and Group Tab include the
group IN-ConditionalAccess.

Click Done.
Select Cloud apps or actions and select the app Office 365 Exchange
Online.

Click Done.
Select Conditions - Device platforms. Set Configure to Yes and select Any device
as the platform.

Note: You may also only select specific platforms.


Click Done.
Select Conditions – Client apps (preview).
Configure: Yes and accept the default settings.

Click Done twice.


Under Access controls select Grant. Configure Require device to be
marked as compliant.
Click Select.
Finally, enable the policy and choose Create.

Exercise 1 has been completed.
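
The policy built in the portal in this exercise corresponds to a single Microsoft Graph conditionalAccessPolicy object. The following added example (not part of the original lab guide) creates it with the Microsoft Graph PowerShell SDK. Mapping the portal's default Client apps selection to `all` is an assumption, as is an admin account that can consent to the scopes shown.

```powershell
# Added example (not from the lab guide). Assumes the Microsoft.Graph module is installed.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'Application.Read.All', 'Group.Read.All'

# Resolve the group created in Lab1, Exercise 1; stop if the name is missing or ambiguous.
$group = Get-MgGroup -Filter "displayName eq 'IN-ConditionalAccess'"
if (@($group).Count -ne 1) {
    throw 'Expected exactly one group named IN-ConditionalAccess.'
}

$policy = @{
    displayName = 'CA Policy1'
    # 'enabled' matches the lab; 'enabledForReportingButNotEnforced' is the
    # report-only state, which logs the decision without blocking anyone.
    state       = 'enabled'
    conditions  = @{
        # Users and groups: only the lab group is in scope.
        users          = @{ includeGroups = @($group.Id) }
        # Cloud apps: well-known application ID of Office 365 Exchange Online.
        applications   = @{ includeApplications = @('00000002-0000-0ff1-ce00-000000000000') }
        # Device platforms: Any device.
        platforms      = @{ includePlatforms = @('all') }
        # Client apps: assumed equivalent of accepting the portal defaults.
        clientAppTypes = @('all')
    }
    # Grant: Require device to be marked as compliant.
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Because the only user scope is `includeGroups`, accounts outside IN-ConditionalAccess, including the admin running the script, are not affected by the policy.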


Exercise 2: Verify access to Exchange Online with a
browser session
This exercise shows how to verify the effect of the conditional access policy.

Tasks
1. Try to access the Office portal.
Log on to any device.
Open a browser and open http://portal.office.com.
Sign in with in-user1.
Click on Outlook. You should see a screen like this.

You can try the same with the Outlook app.


Exercise 2 has been completed.
Exercise 3: Set the device in a compliant state and verify
access
This exercise shows how to set the device back in a compliant state.

Tasks
1. Open the DeviceManagement Portal.
Navigate to Devices → Compliance policies → Policies and select the
Android Enterprise Compliance Policy. Click Properties – Settings –
Device Properties and revert the configuration to a lower OS Version
number. Type your actual version or a lower number.

Click OK twice and Save.


2. Select the iOS Compliance Policy. Click Properties – Settings – Device
Properties and revert the configuration to a lower OS Version number. Type
your actual version or a lower number.

Click OK twice and Save.


3. Update the compliance settings on the iOS and Android Device and verify
access to Exchange Online with the browser session and Outlook.

On Android

Make sure it shows:

For iOS.
Tap on Check Settings.
Until you see:

Then open a browser to http://portal.office.com and open Outlook. Access
is possible again.
Also, open Outlook App and check access to your emails.
Or Web Browser on Android Enterprise

You might get to see the notification email message.

Exercise 3 has been completed.