Azure Conditional Access provides a means of securing access to Azure services, apps or data based on pre-qualified ‘conditions’ that are prescribed through policies. These Conditional Access Policies are configured by Central Tenant Administrators and applied to all users.
The baseline NHSmail Conditional Access policies apply to cloud apps and resources and require that the service is accessed from a secure, managed device (enforced via Device Compliance).
2. Applying Conditional Access
Conditional Access is managed centrally by the Intune Live Service team; however, it can be applied to an organisation's users by adding them to the following group, which enforces conditions such as device compliance:
(This group is nested within a centrally managed parent group to which the Conditional Access policy itself is assigned.)
2.1. Device Compliance & Conditional Access
Device Compliance policies mark a device as ‘non-compliant’ according to the time setting configured in each of the three postures (Baseline, Enhanced, Restrictive). When a user whose device is scoped for device compliance signs in and the device is NOT compliant, the sign-in is blocked and the user must remediate the ‘non-compliance’ items (e.g. ‘device password does not meet requirements’).
It is recommended that organisations first test the combined assignment of device compliance policies and Conditional Access on a pilot group before releasing it to the full user population.
The NHSmail Device Compliance policies include periods of ‘grace’ before marking the device ‘non-compliant’.
The following policy is currently provided to support organisations seeking to enforce device compliance across their users and devices:
The diagram emphasises that the Conditional Access policy applies only to devices that are managed via Intune. On-premises (AD) devices and personal devices may not be enrolled and will be ignored by the policy's device filter.
The policy items applied are:

| Setting | Option | Value |
|---|---|---|
| Assignments | Users and groups | Include: EMS-MDM-Conditional-Access-Scope |
| Cloud apps or actions | Cloud apps | Include: All cloud apps; Exclude: Intune Enrolment |
| Conditions | Client apps | 3 included; devices not managed by Intune (e.g. BYO) |
| Grant | Grant access | Require device to be marked as compliant |
Conditional Access policies (including the one above) are assigned to user groups only, not to devices, so access is secured on every device the user signs in from.
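To make the evaluation order concrete, the following Python simulation is an added example (not NHSmail's or Microsoft's code) that expresses the policy from the table in the shape of a Microsoft Graph conditionalAccessPolicy body and evaluates constructed sign-ins against it. It assumes: a placeholder for the Intune Enrolment app id (the real id is not on this page), three named client app types (the table says three are included but does not list them), a constructed app id `outlook` for "any cloud app", and the page's own statement that devices not managed by Intune fall outside the policy's device filter. The grace-period handling follows the page's note that compliance policies allow a grace period before a device is marked non-compliant.

```python
"""Offline simulation of the 'require compliant device' Conditional Access policy."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Group and app identifiers. The scope group name is from the policy table;
# the Intune Enrolment app id is a labelled placeholder, not a real value.
SCOPE_GROUP = "EMS-MDM-Conditional-Access-Scope"
INTUNE_ENROLMENT_APP = "PLACEHOLDER-intune-enrolment-app-id"

# Policy in the shape of a Microsoft Graph conditionalAccessPolicy body.
# clientAppTypes: the table says three client app types are included but does
# not name them, so these three are an assumption for the simulation.
POLICY = {
    "displayName": "Require compliant device (example)",
    "state": "enabled",
    "conditions": {
        "users": {"includeGroups": [SCOPE_GROUP]},
        "applications": {
            "includeApplications": ["All"],
            "excludeApplications": [INTUNE_ENROLMENT_APP],
        },
        "clientAppTypes": ["browser", "mobileAppsAndDesktopClients", "other"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
}


@dataclass
class Device:
    intune_managed: bool
    compliant: bool
    grace_expires: Optional[datetime] = None  # set while a non-compliant device is inside its grace period


@dataclass
class SignIn:
    user_groups: set
    app_id: str
    client_app_type: str
    device: Device


def effective_compliance(device: Device, now: datetime) -> bool:
    """A device still inside its compliance grace period is treated as compliant."""
    if device.compliant:
        return True
    return device.grace_expires is not None and now < device.grace_expires


def enrolment_exclusion_present(policy: dict) -> bool:
    """Check the Intune Enrolment exclusion exists; without it an unenrolled device could never become compliant."""
    return INTUNE_ENROLMENT_APP in policy["conditions"]["applications"]["excludeApplications"]


def evaluate(policy: dict, signin: SignIn, now: datetime) -> str:
    """Return 'not-applicable', 'grant' or 'block'.

    Assignment scope is checked first (user, app, client app type, device filter);
    only an in-scope sign-in reaches the grant controls.
    """
    cond = policy["conditions"]
    if not (signin.user_groups & set(cond["users"]["includeGroups"])):
        return "not-applicable"
    apps = cond["applications"]
    if signin.app_id in apps["excludeApplications"]:
        return "not-applicable"
    if "All" not in apps["includeApplications"] and signin.app_id not in apps["includeApplications"]:
        return "not-applicable"
    if signin.client_app_type not in cond["clientAppTypes"]:
        return "not-applicable"
    # Device filter as described on this page: only Intune-managed devices are in scope.
    if not signin.device.intune_managed:
        return "not-applicable"
    if "compliantDevice" in policy["grantControls"]["builtInControls"]:
        return "grant" if effective_compliance(signin.device, now) else "block"
    return "grant"


def run_scenarios(now: datetime = datetime(2022, 8, 11, tzinfo=timezone.utc)) -> dict:
    """Constructed sign-in scenarios; returns a name -> outcome mapping. 'outlook' is a constructed app id."""
    scoped = {SCOPE_GROUP}
    managed_ok = Device(intune_managed=True, compliant=True)
    managed_bad = Device(intune_managed=True, compliant=False)
    in_grace = Device(intune_managed=True, compliant=False, grace_expires=now + timedelta(days=2))
    byo = Device(intune_managed=False, compliant=False)
    scenarios = {
        "scoped_user_compliant": SignIn(scoped, "outlook", "browser", managed_ok),
        "scoped_user_noncompliant": SignIn(scoped, "outlook", "browser", managed_bad),
        "scoped_user_in_grace": SignIn(scoped, "outlook", "browser", in_grace),
        "noncompliant_but_enrolment_app": SignIn(scoped, INTUNE_ENROLMENT_APP, "mobileAppsAndDesktopClients", managed_bad),
        "user_outside_scope_group": SignIn({"Other-Group"}, "outlook", "browser", managed_bad),
        "scoped_user_byo_device": SignIn(scoped, "outlook", "browser", byo),
    }
    return {name: evaluate(POLICY, s, now) for name, s in scenarios.items()}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:32} {outcome}")
```

The `noncompliant_but_enrolment_app` scenario is the one worth checking in a pilot: with the Intune Enrolment exclusion in place a non-compliant device can still reach the enrolment flow to remediate, whereas a policy that required a compliant device for every app would lock the user out of the very step that makes the device compliant.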
Last reviewed date: 11/08/2022