Conditional Access

1. Overview

Azure Conditional Access provides a means of securing access to Azure services, apps or data based on pre-qualified ‘conditions’ that are prescribed through policies. These Conditional Access Policies are configured by Central Tenant Administrators and applied to all users.

Currently, there are two Conditional Access offerings, one for devices managed within the NHSmail Intune solution and one for unmanaged devices (Bring Your Own devices).

For more information about Conditional Access for devices managed within the NHSmail Intune solution, please continue to read through the information on this page.

For more information about Conditional Access for unmanaged devices (Bring Your Own devices – personal and corporate devices not managed by the NHSmail Intune solution but that access NHSmail O365 services), please see the Bring Your Own Device Security Controls guidance here.

The baseline Intune NHSmail Conditional Access policies apply to Cloud apps and resources, requiring that service access is being performed on a secure & managed device (via Device Compliance).


Conditional Access policies are managed centrally, so there are no CA policy items to configure for LAs. All Conditional Access policies are created and managed by Central Intune Admins.

2. Applying Conditional Access

Conditional Access for Intune is Managed centrally by the Intune Live Service team, however it can be applied by adding users to the following group to enforce conditions such as device compliance:


(This group is nested within a centrally-managed parent group that applies the conditional access policy itself)

Note: Conditional Access will ultimately block users whose devices do not meet the requirements for a device compliance policy. Before adding users en-masse to Conditional Access (for device compliance), consider introducing and testing user experience with test or pilot users.

2.1. Device Compliance & Conditional Access

Device Compliance policies will mark a device as ‘non-compliant’ according to the (time) setting configured in the 3 postures (Baseline, Enhanced, Restrictive).  When the user of a device scoped for device compliance signs in – and the device is NOT compliant – user sign in will be blocked and the user will be required to remediate the ‘non-compliance’ items (i.e. ‘device password does not meet requirements’).

It is recommended that Organisations initially test the combined assignment of device compliance policies and conditional access prior to mass-population release.


Conditional Access policies relate to users (assignment). Device Compliance will be assessed for Intune-managed devices, however users’ ‘un-managed’ devices or personal devices will not be affected.

The NHSmail Device Compliance policies include periods of ‘grace’ before marking the device ‘non-compliant’.

The following policy is currently provided to support scenarios where organisations are seeking to enforce device compliance, applied across users and their devices in the organisation:

The diagram emphasises that the conditional access policy applies only to devices that are managed via Intune.  On-premises (AD) Devices and Personal Devices may not be enrolled and will be ignored by a policy filter.

The Policy items applied are:

CA Policy Sub-category Settings
Assignments Users and Groups Include: EMS-MDM-Conditional-Access-Scope
Cloud app or actions Cloud apps Include: All cloud apps

Exclude: Intune Enrolment

Conditions Client apps 3 included:

·       Modern authentication clients

·       Mobile apps and desktop clients

·       Legacy authentication clients

·       Exchange ActiveSync clients

·       Other clients

Device Platforms Include


Any Device

Devices not managed by Intune (e.g. BYO)

Grant Grant Access Require device to be marked as compliant

Conditional Access policies (including the above) are assigned to user groups only and not devices, ensuring that access is secured across all devices the user signs in with.


LAs who encounter an issue with a Conditional Access policy and/or would like to request an amendment to a policy, should raise a service request via Helpdesk Self-Service (option: Conditional Access).

Last Reviewed Date 29/02/2024


Updated on 29/02/2024

Related Articles

Need Support?
Can’t find the answer you’re looking for? Don’t worry we’re here to help!
Contact Support
back to top