Conditional Access with Microsoft Intune and Entra ID: Zero Trust Guide

Microsoft Entra ID Conditional Access and Microsoft Intune work together to enforce Zero Trust security across your organization. Conditional Access evaluates every sign-in request against your policies, and Intune provides the device compliance signal that determines whether access is granted or blocked. This guide explains how to configure Conditional Access with Intune compliance, covering device-based policies, app protection policies, and Copilot governance.


Conditional Access requires Entra ID P1 (included with Microsoft 365 Business Premium, E3, and E5). For the full Conditional Access reference, see the official Microsoft Entra Conditional Access documentation. See also our Entra ID complete guide and our guide on Microsoft Intune.

How Intune and Conditional Access Work Together

The integration is a two-step process. First, Intune evaluates each enrolled device against your compliance policies and stamps it as Compliant or Not compliant in Entra ID. Then, when a user signs in to a cloud app such as Exchange Online, SharePoint, or Microsoft 365 Copilot, your Conditional Access policy checks that compliance stamp. Non-compliant devices either receive a block message or are directed to a remediation page.

Without Intune enrollment, Conditional Access cannot evaluate device compliance; it can only check whether the device is Entra ID joined or registered. Intune enrollment supplies the granular compliance data: encryption status, OS version, antivirus state, and jailbreak detection.

Intune device compliance status used by Entra ID Conditional Access policy

Create a Device Compliance Conditional Access Policy

  1. In the Entra admin center, go to Protection > Conditional Access > Create new policy
  2. Name the policy (e.g., Require Compliant Device – All Cloud Apps)
  3. Under Users, select the target group (or all users)
  4. Under Target resources, select All cloud apps or specific apps
  5. Under Grant, select Require device to be marked as compliant
  6. Set the policy to Report-only first to evaluate impact before enforcing

Entra ID Conditional Access policy requiring Intune device compliance

Scope Conditional Access to Specific Apps

Instead of applying compliance requirements to all cloud apps at once, start with the highest-risk applications. This staged approach reduces disruption while building security coverage progressively:

  • Start (Phase 1): Require compliant device for Exchange Online and SharePoint — the most commonly targeted apps in phishing attacks
  • Next (Phase 2): Extend to Microsoft Teams and Microsoft 365 admin center
  • Finally (Phase 3): Apply to All cloud apps, with exclusions for break-glass accounts and service accounts

Conditional Access for Microsoft 365 Copilot

Because Copilot surfaces sensitive organizational data from across Microsoft 365, enforcing Conditional Access on Copilot is critical. Apply a compliance requirement specifically to Microsoft 365 Copilot in the Target resources section. Use Entra ID P2’s Conditional Access authentication context to enforce step-up authentication (an MFA re-prompt) when users access high-sensitivity Copilot workloads or SharePoint sites labeled as Confidential.

Conditional Access policy targeting Microsoft 365 Copilot app

Use Dynamic Groups to Scope Conditional Access

The most scalable approach to Conditional Access governance combines Entra ID dynamic groups with Conditional Access policy assignments. Create a dynamic user group for your Copilot-licensed users based on their license assignment attribute, then scope your Copilot Conditional Access policy to that group exclusively. As licenses are assigned or removed, Entra ID automatically updates group membership, and the Conditional Access policy adjusts accordingly without any manual changes. For dynamic group configuration details, see our guide on Entra ID dynamic groups for Intune.
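The policy-creation steps, the phased app scope with break-glass exclusions, and the dynamic-group-scoped Copilot policy described above, as one added Microsoft Graph PowerShell example (not code from the original guide). It assumes the Microsoft.Graph module and an account holding the listed scopes; every value in angle brackets is a placeholder for an object, app (client), or service plan ID from your own tenant.

```powershell
# Added example, not part of the original guide. <...> values are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Application.Read.All","Group.ReadWrite.All"

$breakGlassGroupId  = "<BREAK-GLASS-ACCOUNTS-GROUP-ID>"   # excluded from every policy
$serviceAcctGroupId = "<SERVICE-ACCOUNTS-GROUP-ID>"
$pilotGroupId       = "<PILOT-USERS-GROUP-ID>"

# Steps 2-6 of the guide as one function: grant control "Require device to be
# marked as compliant" (builtInControls = compliantDevice), created report-only.
function New-CompliantDevicePolicy {
  param([string]$Name, [string[]]$AppIds, [string[]]$IncludeGroups, [string[]]$ExcludeGroups)
  New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = $Name
    state         = "enabledForReportingButNotEnforced"      # step 6: report-only first
    conditions    = @{
      clientAppTypes = @("all")
      applications   = @{ includeApplications = $AppIds }    # "All" or app (client) IDs
      users          = @{ includeGroups = $IncludeGroups; excludeGroups = $ExcludeGroups }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
  }
}

# Phased scope. App IDs are placeholders: resolve them in your tenant with e.g.
# Get-MgServicePrincipal -Filter "displayName eq 'Office 365 Exchange Online'".
# All phases are created report-only; switch them to "enabled" one phase at a time.
$phases = [ordered]@{
  "Phase 1 - Exchange and SharePoint" = @("<EXCHANGE-ONLINE-APP-ID>", "<SHAREPOINT-ONLINE-APP-ID>")
  "Phase 2 - Teams and admin center"  = @("<MICROSOFT-TEAMS-APP-ID>", "<M365-ADMIN-CENTER-APP-ID>")
  "Phase 3 - All cloud apps"          = @("All")
}
foreach ($p in $phases.GetEnumerator()) {
  $pol = New-CompliantDevicePolicy -Name "Require compliant device - $($p.Key)" -AppIds $p.Value `
           -IncludeGroups @($pilotGroupId) -ExcludeGroups @($breakGlassGroupId, $serviceAcctGroupId)
  Write-Host "Created '$($pol.DisplayName)' [$($pol.State)] id=$($pol.Id)"
}

# Copilot: a dynamic group keyed on the license's service plan, then a policy
# scoped to that group only, so membership tracks license changes automatically.
$rule = 'user.assignedPlans -any (assignedPlan.servicePlanId -eq "{0}" -and assignedPlan.capabilityStatus -eq "Enabled")' -f "<COPILOT-SERVICE-PLAN-ID>"
$copilotGroup = New-MgGroup -BodyParameter @{
  displayName = "Copilot licensed users (dynamic)"; mailNickname = "copilot-licensed"
  mailEnabled = $false; securityEnabled = $true
  groupTypes = @("DynamicMembership"); membershipRule = $rule; membershipRuleProcessingState = "On"
}
New-CompliantDevicePolicy -Name "Require compliant device - Microsoft 365 Copilot" `
  -AppIds @("<MICROSOFT-365-COPILOT-APP-ID>") -IncludeGroups @($copilotGroup.Id) -ExcludeGroups @($breakGlassGroupId)
```

The service plan ID for the Copilot license can be read from Get-MgSubscribedSku in your tenant; dynamic membership takes a few minutes to populate after the group is created.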

For compliance policy prerequisites, see our guide on Intune compliance policies. For Copilot deployment steps, see our guide on deploying Microsoft 365 Copilot with Intune.


Monitor and Audit Conditional Access with Sign-In Logs

After activating Conditional Access policies, monitor their impact in the Entra admin center under Monitoring > Sign-in logs. Filter by Conditional Access status to see which sign-ins your policies blocked, allowed, or evaluated in report-only mode. The Conditional Access insights and reporting workbook in Azure Monitor provides aggregated trends, helping you identify users who are frequently blocked, apps generating the most policy evaluations, and locations triggering risk signals. Transition policies from report-only to enforcement only after reviewing at least one week of sign-in data. For Intune compliance prerequisites, see our guide on Intune compliance policies.
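The one-week review described above, as an added Microsoft Graph PowerShell example (not from the original guide): it pulls the last seven days of sign-ins, breaks them down per policy and per-policy result, and lists who and which apps would have been blocked by policies still in report-only mode. It assumes the Microsoft.Graph module and the AuditLog.Read.All scope.

```powershell
# Added example, not part of the original guide.
Connect-MgGraph -Scopes "AuditLog.Read.All"

# Sign-in logs are retained for 30 days on P1/P2 tenants, so a 7-day window is safe.
$since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# Every sign-in records the outcome of each policy that was evaluated. Report-only
# policies produce distinct reportOnly* results instead of blocking the sign-in.
$rows = foreach ($s in $signIns) {
  foreach ($p in $s.AppliedConditionalAccessPolicies) {
    [pscustomobject]@{
      Policy = $p.DisplayName
      Result = $p.Result   # success, failure, notApplied, reportOnlySuccess, reportOnlyFailure, ...
      User   = $s.UserPrincipalName
      App    = $s.AppDisplayName
    }
  }
}

# Per-policy breakdown: a policy still in report-only shows only reportOnly* rows.
$rows | Group-Object Policy, Result | Sort-Object Count -Descending |
  Select-Object Count, Name | Format-Table -AutoSize

# Who and what would be blocked if the report-only policies were enforced today.
$wouldBlock = $rows | Where-Object Result -eq "reportOnlyFailure"
"Users that would be blocked (top 10):"
$wouldBlock | Group-Object User | Sort-Object Count -Descending | Select-Object -First 10 Count, Name
"Apps that would be blocked (top 10):"
$wouldBlock | Group-Object App  | Sort-Object Count -Descending | Select-Object -First 10 Count, Name
```

Any account in the first list that is a service or break-glass account belongs in the policy's exclusion group before the policy is moved to enforcement; any app in the second list that is not yet in scope of an enrolled, compliant device is a rollout gap to fix first.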
