Security & Compliance
September 22, 2018

Azure / Intune Conditional Access Policies

This project used Microsoft Azure to build a data leakage prevention (DLP) process with the latest technologies, limiting what non-work devices can do with company data.

Background

Working for a financial institution, accessing "company data" outside of the company walls or the VPN was unheard of. Attending a few larger Microsoft conferences in 2016, I was amazed by the "new" technologies in Azure that would allow a user to access company data from anywhere, with certain controls set by IT and Security in place.

This is one of the slides that really helped me see the power of this technology...

Requirements

The requirements for this project were the following:

  • All company-issued devices (Surface Books) should have full access from anywhere
  • All non-company devices, such as home PCs, should have limited access: able to read and edit documents in the browser, but not sync, download or print.
  • All mobile devices should have the ability to view company data in a "controlled manner".

Solution

The first thing we had to tackle was deciding whether to go with an MDM (mobile device management) or a MAM (mobile application management) setup. Both options had pros and cons, but in the end we went with MAM, mainly because most of our users have personal devices.

Application management would allow the organization to control "company data" on a personal device without touching any personal data.

How it works

The next big hurdle was how: how would we control company data on both desktop and mobile devices? The answer was Azure AD Conditional Access, along with Microsoft Intune for the additional mobile policies. Azure AD let us create a policy that, for example, required a device to be "domain-joined" in order to use the Microsoft Outlook client. Using AD Connect we synced our devices to our Azure AD environment, where they are labeled "Hybrid Azure AD Joined", meaning Conditional Access treats that device as "domain-joined".

Message received when trying to access company email from the Outlook client at home.
(Client Office apps cache files locally, which is against DLP policies.)

Intune Setup

Intune application management allowed us to block personal mobile apps from touching managed mobile apps. For example, we set the following rule on all mobile devices...

These settings allow Microsoft apps to talk only with other Microsoft apps and let users save files to just two locations:

  • SharePoint Online (company environment only)
  • OneDrive for Business (company environment only)

An example of what this policy won't allow is copying text from an email in Outlook (a Microsoft app) and pasting it into the iPhone Notes app (a non-Microsoft app). Attempting to paste into a non-managed app displays "Your organization's data cannot be pasted here." Likewise, company data can only be saved to a SharePoint site or OneDrive for Business location, not to the personal device.

Intune compliance policy in action

Desktop Configuration

From Azure AD we created a series of policies, including the following, with their purpose:

  • SharePoint/OD4B Browser Only - Unmanaged Devices = Only from a domain-joined PC can you download, sync, and print docs; an unmanaged device gets browser-only access. (see image below)
  • iOS/Android - Block Browser Access = Office 365 applications can only be accessed through apps on a mobile device, per MAM
  • iOS/Android - Enforce Microsoft Apps = Only the "approved client apps" that Microsoft has defined can be used from a mobile device
  • Block Unmanaged Device Apps = This one blocks you from accessing any of the client apps with your corporate account on a home PC

List of all the Conditional Access policies in AAD
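To show how the four policies above combine for a single sign-in, here is a constructed Python model added for this write-up (not code from the project or from Microsoft). It assumes simplified policy fields named after the Microsoft Graph Conditional Access schema and returns the outcome each device scenario in this post would see; Azure AD's real evaluation engine is more involved.

```python
from dataclasses import dataclass

# Constructed, simplified model of how the four Conditional Access policies combine.
# Field names mirror the Graph conditionalAccessPolicy schema (clientAppTypes, grant
# controls), but this is an illustration, not Azure AD's evaluation logic.

@dataclass
class SignIn:
    platform: str                  # "windows", "iOS" or "android"
    client_app: str                # "browser" or "mobileAppsAndDesktopClients"
    hybrid_joined: bool = False    # device synced by AD Connect (Hybrid Azure AD Joined)
    approved_app: bool = False     # Intune-managed "approved client app"

@dataclass
class Policy:
    name: str
    platforms: frozenset           # empty set = any platform
    client_apps: frozenset
    grant: str                     # "block", "domainJoinedDevice", "approvedApplication" or "allow"
    app_enforced_restrictions: bool = False   # session control: browser-only on unmanaged devices

    def applies(self, s: SignIn) -> bool:
        return (not self.platforms or s.platform in self.platforms) and s.client_app in self.client_apps

POLICIES = [
    Policy("SharePoint/OD4B Browser Only - Unmanaged Devices", frozenset(), frozenset({"browser"}), "allow", True),
    Policy("iOS/Android - Block Browser Access", frozenset({"iOS", "android"}), frozenset({"browser"}), "block"),
    Policy("iOS/Android - Enforce Microsoft Apps", frozenset({"iOS", "android"}), frozenset({"mobileAppsAndDesktopClients"}), "approvedApplication"),
    Policy("Block Unmanaged Device Apps", frozenset({"windows"}), frozenset({"mobileAppsAndDesktopClients"}), "domainJoinedDevice"),
]

def evaluate(s: SignIn) -> str:
    """Every matching policy must be satisfied; one failed grant control blocks the sign-in.
    Returns "full", "limited" (browser only: no download/sync/print) or "blocked: <policy>"."""
    result = "full"
    for p in POLICIES:
        if not p.applies(s):
            continue
        if p.grant == "block":
            return f"blocked: {p.name}"
        if p.grant == "domainJoinedDevice" and not s.hybrid_joined:
            return f"blocked: {p.name}"
        if p.grant == "approvedApplication" and not s.approved_app:
            return f"blocked: {p.name}"
        if p.app_enforced_restrictions and not s.hybrid_joined:
            result = "limited"   # SharePoint/OneDrive apply their unmanaged-device restrictions
    return result
```

A mobile sign-in that passes the "approved app" check still lands in an Intune-managed app, where the MAM rules above (no paste to Notes, save only to SharePoint/OneDrive) govern the data.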

Policy on a domain-joined PC

Policy on a non-domain-joined PC