Conditional Access

1. Overview

Azure Conditional Access provides a means of securing access to Azure services, apps or data based on pre-qualified ‘conditions’ that are prescribed through policies. These Conditional Access Policies are configured by Central Tenant Administrators and applied to all users.

The baseline NHSmail Conditional Access policies apply to cloud apps and resources, requiring that the service is accessed from a secure, managed device (verified via Device Compliance).

Please note:

Conditional Access policies are managed centrally, so there are no CA policy items to configure for LAs. All Conditional Access policies are created and managed by Central Intune Admins.

2. Applying Conditional Access

Conditional Access is managed centrally by the Intune Live Service team. However, it can be applied to an organisation's users by adding them to the following group, which enforces conditions such as device compliance:

<ODS>-Intune-Users-Conditional-Access

(This group is nested within a centrally-managed parent group to which the Conditional Access policy itself is assigned.)

Please note:

Conditional Access will ultimately block users whose devices do not meet the requirements of a device compliance policy. Before adding users en masse to Conditional Access (for device compliance), introduce it to test or pilot users first and assess the user experience.

2.1. Device Compliance & Conditional Access

Device Compliance policies mark a device as ‘non-compliant’ according to the time (grace period) setting configured in the three postures (Baseline, Enhanced, Restrictive). When a user whose device is in scope for device compliance signs in and the device is NOT compliant, sign-in is blocked and the user is required to remediate the ‘non-compliance’ items (e.g. ‘device password does not meet requirements’).

It is recommended that organisations first test the combined assignment of device compliance policies and Conditional Access with a pilot group before releasing it to the wider user population.

Please note:

Conditional Access policies are assigned to users. Device Compliance is assessed only for Intune-managed devices; users’ un-managed or personal devices are not affected.

The NHSmail Device Compliance policies include periods of ‘grace’ before marking the device ‘non-compliant’.

The following policy is currently provided to support organisations seeking to enforce device compliance across their users and devices:

The diagram emphasises that the Conditional Access policy applies only to devices that are managed via Intune. On-premises (AD) devices and personal devices may not be enrolled and are ignored by the policy’s device filter.

The Policy items applied are:

CA Policy     Sub-category           Settings
Assignments   Users and Groups       Include: EMS-MDM-Conditional-Access-Scope
              Cloud app or actions   Cloud apps - Include: All cloud apps
                                     Exclude: Intune Enrolment
Conditions    Client apps            3 included:
                                       • Modern authentication clients
                                           • Mobile apps and desktop clients
                                       • Legacy authentication clients
                                           • Exchange ActiveSync clients
                                           • Other clients
              Device Platforms       Include: Any Device
                                     Exclude: Devices not managed by Intune (e.g. BYO)
Grant         Grant Access           Require device to be marked as compliant

Conditional Access policies (including the above) are assigned to user groups only and not devices, ensuring that access is secured across all devices the user signs in with.
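The policy table above, expressed as the Microsoft Graph conditionalAccessPolicy object that the Microsoft.Graph PowerShell SDK accepts. This is an added illustration, not an export of NHSmail's own configuration: the group object id is a placeholder, and the device-filter rule and the two Microsoft first-party app ids are assumptions about how the ‘Intune Enrolment’ exclusion and the ‘not managed by Intune’ filter are implemented.

```powershell
# Added example (not the NHSmail team's configuration): the policy table above as a
# Graph conditionalAccessPolicy, created with the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$scopeGroupId     = "00000000-0000-0000-0000-000000000000"  # PLACEHOLDER: object id of EMS-MDM-Conditional-Access-Scope
$intuneEnrolAppId = "d4ebce55-015a-49b5-a083-c84d1797ae8c"  # assumption: Microsoft Intune Enrollment first-party app
$intuneMdmAppId   = "0000000a-0000-0000-c000-000000000000"  # assumption: Microsoft Intune MDM app id used in device filters

$policy = @{
    displayName = "Require compliant device - all cloud apps"
    # Report-only first: the pilot recommended above can then be checked in the
    # sign-in logs before anyone is actually blocked. Switch to "enabled" afterwards.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        # Assignments: users and groups (user-scoped, never device-scoped)
        users = @{ includeGroups = @($scopeGroupId) }
        # Cloud apps: all apps, except the enrolment app so devices can still be enrolled
        applications = @{
            includeApplications = @("All")
            excludeApplications = @($intuneEnrolAppId)
        }
        # Client apps: modern (mobile/desktop) plus legacy (EAS and other)
        clientAppTypes = @("mobileAppsAndDesktopClients", "exchangeActiveSync", "other")
        # Device platforms: any device
        platforms = @{ includePlatforms = @("all") }
        # Device filter (assumed rule): ignore devices not managed by Intune, e.g. BYO or on-prem AD only
        devices = @{
            deviceFilter = @{
                mode = "exclude"
                rule = "device.mdmAppId -ne `"$intuneMdmAppId`""
            }
        }
    }
    # Grant: require the device to be marked compliant
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

While the policy is in report-only state, the ‘Report-only’ tab of each sign-in log entry shows whether the user would have been blocked, which is the check to run against pilot users before changing the state to enabled.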

Please note:

LAs who encounter an issue with a Conditional Access policy, or who would like to request an amendment to a policy, should raise a service request via Helpdesk Self-Service (option: Conditional Access).

Last Reviewed Date 11/08/2022
Updated on 12/08/2022
