1. Overview

Azure Conditional Access provides a means of securing access to Azure services, apps or data based on pre-qualified ‘conditions’ that are prescribed through policies. These Conditional Access Policies are configured by Central Tenant Administrators and applied to all users.

Currently, there are two Conditional Access offerings, one for devices managed within the NHSmail Intune solution and one for unmanaged devices (Bring Your Own devices).

For more information about Conditional Access for devices managed within the NHSmail Intune solution, please continue to read through the information on this page.

For more information about Conditional Access for unmanaged devices (Bring Your Own devices – personal and corporate devices not managed by the NHSmail Intune solution but that access NHSmail O365 services), please see the Bring Your Own Device Security Controls guidance here.

The baseline Intune NHSmail Conditional Access policies apply to Cloud apps and resources, requiring that service access is being performed on a secure & managed device (via Device Compliance).

2. Applying Conditional Access

Conditional Access for Intune is Managed centrally by the Intune Live Service team, however it can be applied by adding users to the following group to enforce conditions such as device compliance:

<ODS>-Intune-Users-Conditional-Access

(This group is nested within a centrally-managed parent group that applies the conditional access policy itself)

2.1. Device Compliance & Conditional Access

Device Compliance policies will mark a device as ‘non-compliant’ according to the (time) setting configured in the 3 postures (Baseline, Enhanced, Restrictive).  When the user of a device scoped for device compliance signs in – and the device is NOT compliant – user sign in will be blocked and the user will be required to remediate the ‘non-compliance’ items (i.e. ‘device password does not meet requirements’).

It is recommended that Organisations initially test the combined assignment of device compliance policies and conditional access prior to mass-population release.

The NHSmail Device Compliance policies include periods of ‘grace’ before marking the device ‘non-compliant’.

The following policy is currently provided to support scenarios where organisations are seeking to enforce device compliance, applied across users and their devices in the organisation:

The diagram emphasises that the conditional access policy applies only to devices that are managed via Intune.  On-premises (AD) Devices and Personal Devices may not be enrolled and will be ignored by a policy filter.

The Policy items applied are:

CA Policy	Sub-category	Settings
Assignments	Users and Groups	Include: EMS-MDM-Conditional-Access-Scope
Cloud app or actions	Cloud apps	Include: All cloud apps Exclude: Intune Enrolment
Conditions	Client apps	3 included: ·       Modern authentication clients ·       Mobile apps and desktop clients ·       Legacy authentication clients ·       Exchange ActiveSync clients ·       Other clients
Device Platforms	Include Exclude	Any Device Devices not managed by Intune (e.g. BYO)
Grant	Grant Access	Require device to be marked as compliant

Conditional Access policies (including the above) are assigned to user groups only and not devices, ensuring that access is secured across all devices the user signs in with.