Hey everyone, I'm having some trouble figuring out how Intune and Conditional Access work together. I set up a policy for iOS devices that blocks access to Office 365 if a device is marked as non-compliant, which works during the initial setup. However, I've noticed that if a device that was previously compliant falls out of compliance, it still retains access to 365 apps like email. It seems like I have to manually revoke sessions for those devices to cut off their access. Is this how it's supposed to work?
3 Answers
In our setup, when devices go non-compliant, they do get kicked out of access pretty quickly. I can't say how fast it works exactly, but we’re focused on making sure only employees have access to company emails. We do have the ability to wipe or revoke access for terminations.
It sounds like you might need to configure additional policies to effectively block non-compliant devices. There isn't a straight 'deny all' option at the end of Conditional Access policies that will do this automatically in all cases.
You might want to think about whether it’s really necessary to block access just because of non-compliance. Devices can fall out of compliance for many reasons, which could lead to a lot of headaches for device management.
I’m actually testing this in a lab to see what happens, which is why I’m trying to get to the bottom of it.
Yeah, I’ve noticed that too. It appears that without requiring re-authentication for ActiveSync on iOS, the devices keep their access even when they become non-compliant.
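As an added example (not code from anyone in this thread), here is one way to automate the manual session revocation the question describes: using the Microsoft.Graph PowerShell SDK (assumed installed and consented), list every Intune-managed device currently marked non-compliant and revoke its owner's refresh tokens, so cached clients such as iOS mail have to re-authenticate and pass the Conditional Access compliance check again. The scopes and cmdlet names are from the Microsoft Graph SDK; the script itself is an assumption about how you would wire them together.

```powershell
# Added example, not from the original thread.
# For each Intune device whose complianceState is 'noncompliant', revoke the
# owning user's sign-in sessions so the device must re-authenticate and is
# re-evaluated by Conditional Access. Supports -WhatIf for a dry run.
[CmdletBinding(SupportsShouldProcess)]
param()

# Least-privilege scopes: read managed devices, revoke sessions (no broader write rights).
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All', 'User.RevokeSessions.All'

# Devices currently flagged non-compliant that are associated with a user.
$devices = Get-MgDeviceManagementManagedDevice -All -Filter "complianceState eq 'noncompliant'" |
    Where-Object { $_.UserId }

if (-not $devices) {
    Write-Output 'No non-compliant devices with an assigned user found.'
    return
}

# A user may own several non-compliant devices; revoke once per user.
$userIds = $devices | Select-Object -ExpandProperty UserId -Unique

foreach ($uid in $userIds) {
    $names = ($devices | Where-Object { $_.UserId -eq $uid } |
              Select-Object -ExpandProperty DeviceName) -join ', '

    if ($PSCmdlet.ShouldProcess("user $uid (devices: $names)", 'Revoke sign-in sessions')) {
        # Invalidates the user's refresh tokens; already-issued access tokens
        # keep working until their own lifetime expires.
        Revoke-MgUserSignInSession -UserId $uid | Out-Null
        Write-Output "Revoked sessions for $uid ($names)"
    }
}
```

Run it with `-WhatIf` first; note that revocation affects every device the user has signed in on, not only the non-compliant one, so schedule it with that blast radius in mind.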