Configure Conditional Access for Exchange Online

Introduction to Intune Conditional Access

Microsoft Intune is a cloud-based mobile device, application and PC management solution from Microsoft. Intune helps organizations empower employees with access to corporate resources from anywhere on almost any device. Empowering users to access corporate data from anywhere on any device means we also have to consider data security to protect confidentiality. Microsoft Intune conditional access gives us the capability to restrict access to corporate data to ensure compliance and confidentiality.

Intune Conditional Access allows administrators to enforce compliance policies on devices before they can access email or SharePoint Online information. Intune Conditional Access policies can restrict access to corporate information based on:

  • Device compliance status
  • Device operating system
  • Application type used to access the data

The diagram below depicts how conditional access works in Microsoft Intune. When a user's device requests access to corporate data in Office 365, Intune performs the following checks on the device.

  • Verify whether the device is targeted by a conditional access policy.
  • Verify whether the device is managed by Intune, which requires the user to enroll the device with Intune and register the device with Azure AD.
  • Evaluate the device against the configured compliance policies and grant or deny access based on the results.

Intune conditional access requires an Intune subscription, which you can get standalone or as part of the Mobility suite.

Intune conditional access is configured in two steps. First you configure a compliance policy; once the compliance policy is in place for devices, the next step is to configure the conditional access policy.

Compliance policy includes common device settings like passcode, encryption, and whether or not a device is jailbroken. The device must meet these rules in order to be considered compliant.
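
The three checks and the compliance rules described above, as a simplified Python model (an added example, not Intune's own logic or code from the original post). The `Device` fields and function names are hypothetical, the sample devices are constructed, and it assumes a device not targeted by a policy is left unrestricted.

```python
from dataclasses import dataclass

@dataclass
class Device:
    name: str
    targeted: bool         # in scope of a conditional access policy
    enrolled: bool         # managed by Intune
    aad_registered: bool   # registered with Azure AD
    has_passcode: bool = False
    encrypted: bool = False
    jailbroken: bool = False

def compliance_failures(d):
    """Return the compliance rules (passcode, encryption, jailbreak) the device fails."""
    failures = []
    if not d.has_passcode:
        failures.append("passcode")
    if not d.encrypted:
        failures.append("encryption")
    if d.jailbroken:
        failures.append("jailbroken")
    return failures

def evaluate_access(d):
    """Run the checks in the order listed above; return (decision, reason)."""
    if not d.targeted:
        # Assumption: an untargeted device is not restricted by the policy.
        return ("allow", "not targeted by a conditional access policy")
    if not d.enrolled:
        return ("deny", "not enrolled in Intune")
    if not d.aad_registered:
        return ("deny", "not registered with Azure AD")
    failures = compliance_failures(d)
    if failures:
        return ("deny", "non-compliant: " + ", ".join(failures))
    return ("allow", "enrolled, registered and compliant")

# Constructed sample devices (not real inventory data).
SAMPLES = [
    Device("byod-phone", True, False, False),
    Device("laptop-01", True, True, False, True, True),
    Device("tablet-07", True, True, True, True, False, True),
    Device("laptop-02", True, True, True, True, True),
]

if __name__ == "__main__":
    for dev in SAMPLES:
        decision, reason = evaluate_access(dev)
        print(f"{dev.name:12} {decision:5} {reason}")
```

Returning the reason alongside the decision shows which gate a blocked device failed, which is the first thing to establish when a user reports losing mail access after the policy is enabled.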

Configure Conditional Access for Exchange Online

Configuring conditional access for Exchange Online requires you to complete the following steps.

  • Configure a Compliance Policy
  • Configure a Conditional Access Policy

Configure a Compliance Policy

To configure a compliance policy, perform the following steps.

  • Log in to the Microsoft Intune portal
  • Navigate to Policy > Compliance Policies and click on “Add” to create a compliance policy


  • Define the compliance policies and deploy the policy to the users.


Now that we have the compliance policy created and deployed, we are ready to configure Intune conditional access.

Configure Conditional Access for Exchange Online

To configure conditional access for Exchange Online, navigate to Policies > Conditional Access > Exchange Online.


  • Enable the Exchange Online conditional access policy

Once the Exchange Online policy is enabled, define the conditional access policies based on your security requirements.


Once conditional access is configured, users will get an email about the change and what they have to do to use email on their device. I have configured the policy to restrict access to devices that are domain-joined. Domain-joined devices must be registered with Azure AD for Intune to validate them and grant users access to data; otherwise users will get the following error on their machines.


Being a consultant, I strongly recommend that my customers leverage Intune conditional access policies to secure their data access while empowering users to access corporate data from anywhere at any time.