Compliance Policies & Conditional Access
Compliance policies define the rules devices must follow. Conditional access enforces those rules by blocking non-compliant devices from company resources. Together, they're the backbone of Zero Trust device management.
What is a compliance policy?
Think of compliance policies like a building health and safety inspection.
The inspector has a checklist: fire exits clear? Smoke alarms working? Electrical wiring up to code? If you pass, you get your certificate. If you fail, you get a notice to fix the issues β and the building might be shut down until you do.
Compliance policies are the checklist for devices. Is the OS up to date? Is encryption turned on? Is there a passcode? If the device passes, itβs βcompliant.β If it fails, it gets marked βnon-compliantβ β and conditional access can block it from accessing email, SharePoint, Teams, and everything else.
Compliance settings by platform
Chen Wei at Meridian Bank creates compliance policies for every platform in use. Each platform has different available settings:
| Feature | Windows | iOS/iPadOS | Android | macOS |
|---|---|---|---|---|
| Minimum OS version | Yes | Yes | Yes | Yes |
| Password required | Yes | Yes | Yes | Yes |
| Password complexity | Simple/alphanumeric/complex | Simple/alphanumeric | Numeric/low/medium/high | Simple/alphanumeric |
| Encryption required | BitLocker | Built-in (always on) | Device encryption | FileVault |
| Firewall required | Yes | No | No | Yes |
| Antivirus required | Yes (Defender) | No | No | No |
| Jailbreak/root detection | No (not applicable) | Yes | Yes | No |
| TPM required | Yes | No | No | No |
| Secure Boot required | Yes | No | No | No |
| Defender threat level | Yes | Yes | Yes | Yes |
Actions for non-compliance
When a device fails a compliance check, you donβt have to immediately block it. Intune supports a graduated response:
| Action | Timing | What Happens |
|---|---|---|
| Mark device non-compliant | Immediately (or after grace period) | Device status changes to non-compliant |
| Send email notification | After X days | User receives an email explaining whatβs wrong and how to fix it |
| Send push notification | After X days | Notification via Company Portal app |
| Retire device | After X days | Company data removed from device (nuclear option) |
Example: Chen Wei configures: immediately mark non-compliant β Day 1: email user β Day 3: push notification β Day 14: retire device. This gives users time to fix issues before losing access.
Exam tip: compliance policy without conditional access does nothing
A compliance policy on its own only labels a device as compliant or non-compliant. It doesnβt block access to anything.
To enforce compliance, you need a Conditional Access policy in Entra ID that says: βRequire device to be marked as compliant.β
The exam may present a scenario where a compliance policy is configured but devices still access resources despite being non-compliant. The fix: add a conditional access policy that requires compliance.
Compliance policy = the rules. Conditional access = the enforcement.
Conditional access for compliance
How it works together
- Device enrolls in Intune
- Compliance policy evaluates the device β compliant or non-compliant
- User tries to access a cloud resource (e.g., Exchange Online)
- Conditional access checks: βIs this device compliant?β
- Yes β access granted
- No β access blocked (user sees a remediation message)
Creating a CA policy that requires compliance
In the Entra admin center β Protection β Conditional Access:
| Setting | Configuration |
|---|---|
| Name | Require compliant device for M365 access |
| Users | All users (exclude break-glass accounts!) |
| Cloud apps | Office 365 (covers Exchange, SharePoint, Teams, OneDrive) |
| Conditions | Device platforms: Windows, iOS, Android, macOS |
| Grant | Require device to be marked as compliant |
| Session | Default |
Deep dive: compliance + CA for BYOD
For personal devices (Entra Registered/BYOD), the compliance check works differently:
- If the device is enrolled in Intune β compliance policy evaluates normally
- If the device is not enrolled β Intune canβt evaluate compliance, so the device is treated as non-compliant by default
- This means: CA requiring compliance effectively forces enrollment for BYOD users who need access to M365 resources
Alternatively, you can use a CA policy that requires app protection policy instead of device compliance. This allows BYOD access through protected apps (Outlook, Teams, OneDrive) without requiring full device enrollment. This is Rikoβs approach at Pixel and Co β creative designers with personal Macs donβt want full MDM on their devices.
Compliance policy settings in practice
Chen Weiβs Meridian Bank compliance policy (Windows)
| Setting | Value | Why |
|---|---|---|
| Minimum OS version | Windows 11 23H2 | Banking regulator requires recent OS |
| BitLocker required | Yes | Encrypt all corporate data at rest |
| Firewall required | Yes | Network protection |
| Antivirus required | Yes | Defender must be active |
| TPM required | Yes | Hardware root of trust |
| Password minimum length | 12 characters | Banking security standard |
| Defender threat level | Medium or below | Block high-risk devices |
| Grace period | 3 days | Give users time to update |
Arohaβs CloudForge compliance policy (Windows)
| Setting | Value | Why |
|---|---|---|
| Minimum OS version | Windows 11 22H2 | Reasonable baseline for startup |
| BitLocker required | Yes | Protect customer data |
| Password required | Yes (6+ characters) | Basic security |
| Grace period | 7 days | Startup can be more flexible |
Key exam concept: Compliance policies should match the organisationβs risk profile. A bank has stricter settings than a startup, but both need compliance + conditional access to enforce Zero Trust.
π¬ Video walkthrough
Flashcards
Knowledge Check
Chen Wei creates a compliance policy requiring BitLocker encryption on all Windows devices. Two weeks later, he discovers that some devices without BitLocker are still accessing Exchange Online. What's the most likely cause?
Riko at Pixel & Co needs designers with personal Macs to access Outlook and Teams without enrolling their devices in Intune. Which conditional access approach should Riko use?
Chen Wei's compliance policy for iOS devices at Meridian Bank marks a device non-compliant on Day 0, emails the user on Day 1, sends a push notification on Day 3, and retires the device on Day 14. A user's iPhone is running an old iOS version. What happens on Day 5 if the user hasn't updated?
Next up: Windows LAPS & Local Group Management β securing local admin accounts and managing local group membership via Intune.