Configure Conditional Access for Exchange Online

Introduction to Intune Conditional Access

Microsoft Intune is a cloud-based mobile device, application and PC management solution from Microsoft. Intune helps organizations empower employees with access to corporate resources from anywhere on almost any device. Empowering users to access corporate data from anywhere, on any device, means we must also consider data security to protect confidentiality. Microsoft Intune conditional access gives us the capability to restrict access to corporate data to ensure compliance and confidentiality.

Intune Conditional Access allows administrators to enforce compliance policies on devices before they can access email or SharePoint Online information. Intune Conditional Access policies can restrict access to corporate information based on:

  • Device compliance status
  • Device operating system
  • Application type used to access the data

The diagram below depicts how conditional access works in Microsoft Intune.

When a user's device requests access to corporate data in Office 365, Intune performs the following checks on the device.

  • Verify whether the device is targeted by a conditional access policy.
  • Verify whether the device is managed by Intune, which requires the user to enroll the device with Intune and register the device with Azure AD.
  • Verify the device against the configured compliance policies and grant or deny access based on the results.

Intune conditional access requires an Intune subscription, which you can get standalone or as part of the Mobility suite.

Intune conditional access configuration is a two-step process. You first configure a compliance policy; once the compliance policy is in place for devices, the next step is to configure the conditional access policy.

A compliance policy includes common device settings like passcode, encryption, and whether or not a device is jailbroken. The device must meet these rules in order to be considered compliant.
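The three checks and the compliance rules described above, sketched as an added example (a simplified model, not Intune's own code and not from the original post). The `Device` fields, the device names and the "allow when not targeted" outcome are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Device:
    name: str
    targeted: bool        # in scope of a conditional access policy
    enrolled: bool        # managed by Intune
    aad_registered: bool  # registered with Azure AD
    passcode_set: bool
    encrypted: bool
    jailbroken: bool

def compliance_failures(d):
    """Return the compliance rules this device breaks."""
    failures = []
    if not d.passcode_set:
        failures.append("passcode")
    if not d.encrypted:
        failures.append("encryption")
    if d.jailbroken:
        failures.append("jailbroken")
    return failures

def evaluate(d):
    """Apply the three checks in order and return (decision, reason)."""
    if not d.targeted:
        # Assumption: a device outside the policy's scope is not restricted by it.
        return ("allow", "not targeted by a conditional access policy")
    if not (d.enrolled and d.aad_registered):
        return ("block", "must be enrolled in Intune and registered with Azure AD")
    failures = compliance_failures(d)
    if failures:
        return ("block", "non-compliant: " + ", ".join(failures))
    return ("allow", "managed and compliant")

# Constructed sample inventory (hypothetical devices)
DEVICES = [
    Device("ceo-iphone", True, True, True, True, True, False),
    Device("byod-android", True, False, False, True, True, False),
    Device("old-tablet", True, True, True, False, True, True),
    Device("kiosk-pc", False, False, False, False, False, False),
]

def report(devices=DEVICES):
    return {d.name: evaluate(d) for d in devices}

if __name__ == "__main__":
    for name, (decision, reason) in report().items():
        print(f"{name:14} {decision:6} {reason}")
```

An unenrolled device is blocked before any compliance rule is evaluated, so the enrollment prompt is the first thing such a user sees.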

Configure Conditional Access for Exchange Online

Configuring conditional access for Exchange Online requires you to complete the following steps.

  • Configure a Compliance Policy
  • Configure a Conditional Access Policy

Configure a Compliance Policy

To configure a compliance policy, perform the following steps.

  • Log in to the Microsoft Intune portal
  • Navigate to Policy > Compliance Policies and click on “Add” to create a compliance policy


  • Define the compliance policies and deploy the policy to the users.


Now that we have the compliance policy created and deployed, we are ready to configure Intune conditional access.

Configure Conditional Access for Exchange Online

To configure conditional access for Exchange Online, navigate to Policies > Conditional Access > Exchange Online


  • Enable the Exchange Online conditional access policy

Once the Exchange Online policy is enabled, define the conditional access policies based on your security requirements.


Once conditional access is configured, users will get an email about the change and what they have to do to use email on their device. As I have configured the policy to restrict access to devices that are domain-joined, domain-joined devices must be registered with Azure AD for Intune to validate them and grant users access to data; otherwise users will get the following error on their machines.


Being a consultant, I strongly recommend that my customers leverage Intune conditional access policies to secure their data access while empowering users to access corporate data from anywhere at any time.

Setup Intune Company Portal

To support the idea of BYOD (Bring Your Own Device), companies deploy Microsoft Intune Company Portal to give end users access to corporate apps and resources from anywhere. Microsoft Intune Company Portal helps end users access corporate resources, install company apps, view IT contact information, and view, manage and unenroll their devices.

Below are the steps to set up Intune Company Portal to empower your end users to work from anywhere.

Setup Intune Company Portal

  • Add the required information in Company Portal and click on Save.


Now, our company portal for and is set up. Users can access the company portal by downloading the “Company Portal” app from the smartphone store. They can enroll their devices with Intune and can see the information of their IT department for support.

Users enrolling their devices in Intune using a smartphone require credentials from the IT department (domain credentials).

  • To open Microsoft Intune Company Portal page, go to

Add Custom Domain in Intune

Microsoft Intune leverages Azure Active Directory on the back end for user and domain management, like Office 365. Azure Active Directory comes with a built-in domain name in the form of that allows you to get started using Microsoft services.

As companies look towards Intune for their mobile device and app management solution, Microsoft gives you the ability to add your own custom domain to Intune to simplify the sign-in experience to cloud services for end users. It’s recommended to use a custom domain name with Azure Active Directory if you’re using Microsoft cloud services like Intune, Office 365 or Azure.

Follow these steps to add a custom domain to your Intune tenant.

As of this time, the Intune Account Portal is merging with Office 365. Probably 6 months down the road this post may or may not be valid.

  • Log in using the admin credentials you created when you spun up the Intune tenant. If you do not have a trial tenant, you can set one up using the steps mentioned here
  • Click on Domains to add a custom domain


  • Under Domains, click on Add a Domain


  • Enter the name of your custom domain and click on Next


A domain needs to be registered only once for Microsoft Online services. If your organization is already using some other Microsoft Online service, then your organization’s registered domain may be ready for use with Microsoft Intune. If you register a domain for Microsoft Intune, then it will be available for your other Microsoft Online services.

  • On the next page, you’ll be asked to verify ownership of your domain by entering a TXT record at your public DNS registrar


  • Once the record is added in public DNS, click on the Verify button on the Domain Verification page
  • Once the domain is verified, click on Next to finish the process.

Setup Intune Tenant

Microsoft Intune gives IT administrators mobile device, application and PC management capabilities from the cloud. With the help of Microsoft Intune, you can allow your end users to access corporate information securely from anywhere, on any device.

Microsoft Intune provides you with the capabilities to manage your mobile devices, applications and PCs.

Follow these steps to set up an Intune tenant for your organization.

  • Go to the Intune sign-up page to sign up for a trial tenant
  • Enter the required information as shown below


  • Create your ID and make sure you have a unique tenant ID for Intune.


  • Prove that you are human by providing the appropriate information using either the Text me or Call me option.

  • Once you prove your identity, save the information of your Intune tenant.


  • You’re done with your trial tenant setup of Intune. Start managing your Intune tenant using Intune management tenant.