Configure a Conditional Access policy to require users to install Company Portal before signing in to Outlook, Teams (M365 apps)
Suppose your client requires employees to enroll their personal devices (that is, install Company Portal) before they can access company resources in Microsoft 365 (a.k.a. Office 365), such as Outlook, Teams and the other Office apps. This is where you need a Conditional Access (CA) policy. In this post, we will learn how to create a CA policy that requires users to enroll their Android or iOS devices. To learn more about CA policies, please refer to this Microsoft link.
End user UPNs must have the following licenses for the Conditional Access policy to apply.
- Azure AD Premium P1 or P2
- Microsoft Intune
For Azure - Navigate to Azure Active Directory > Security > Conditional Access.
For Intune - Navigate to Devices > Conditional Access under Policy.
Step 3. Select New policy.
Step 4. Provide a meaningful policy name.
Step 5. Under Assignments, select Users and groups. Under Include, select All users or the specific set of Users and groups.
Note: You can add users to the Exclude section if you don't want to enforce device enrollment for them. However, this is not recommended by Microsoft.
Step 6. Under Cloud apps or actions > Include, select Office 365.
Step 7. Under Conditions, select Device platforms.
- Set Configure to Yes.
- Include Android and iOS.
Step 8. Under Access controls > Grant, select Require device to be marked as compliant.
Step 9. Confirm your settings and set Enable policy to On.
Step 10. Select Create.
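To confirm that the policy you created matches Steps 5 to 9, you can export your policies from Microsoft Graph and check them offline. The script below is an added example, not part of the original post: it assumes the JSON shape of Graph `conditionalAccessPolicy` objects, and the sample policies, names and IDs in it are constructed.

```python
import json

# Constructed sample shaped like Microsoft Graph conditionalAccessPolicy objects
# (as returned by GET /identity/conditionalAccess/policies). Names/IDs are made up.
SAMPLE = json.loads("""
[
 {"displayName": "Require enrollment - mobile", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                 "applications": {"includeApplications": ["Office365"]},
                 "platforms": {"includePlatforms": ["android", "iOS"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
 {"displayName": "Mobile pilot", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"],
                           "excludeUsers": ["00000000-0000-0000-0000-000000000001"]},
                 "applications": {"includeApplications": ["Office365"]},
                 "platforms": {"includePlatforms": ["android"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}}
]
""")

REQUIRED_PLATFORMS = {"android", "ios"}

def audit(policy):
    """Return the gaps between one exported policy and Steps 5-9 of this post."""
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = (cond.get("applications") or {}).get("includeApplications") or []
    platforms = cond.get("platforms")  # None means the policy covers every platform
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    gaps = []
    if policy.get("state") != "enabled":
        gaps.append(f"state is {policy.get('state')!r}, so nothing is enforced")
    if not {"Office365", "All"} & set(apps):
        gaps.append("Office 365 is not in the included cloud apps")
    if platforms is not None:
        included = {p.lower() for p in platforms.get("includePlatforms") or []}
        missing = set() if "all" in included else REQUIRED_PLATFORMS - included
        missing |= REQUIRED_PLATFORMS & {p.lower() for p in platforms.get("excludePlatforms") or []}
        if missing:
            gaps.append("platforms not covered: " + ", ".join(sorted(missing)))
    if "compliantDevice" not in controls:
        gaps.append("grant does not require a compliant device")
    elif grant.get("operator") == "OR" and len(controls) > 1:
        gaps.append("compliant device is only one of several OR alternatives")
    excluded = (users.get("excludeUsers") or []) + (users.get("excludeGroups") or [])
    if excluded:
        gaps.append(f"{len(excluded)} excluded user(s)/group(s) bypass the requirement")
    return gaps

if __name__ == "__main__":
    for p in SAMPLE:
        print(p["displayName"], "->", audit(p) or "matches the steps")
```

The first sample policy matches the steps; the second is report-only, omits iOS, accepts MFA in place of a compliant device, and excludes one user.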
- Conditional Access - Microsoft article for understanding Conditional Access.
- Require device enrollment for mobile devices - Microsoft article for this CA policy.
- Common Conditional Access Scenarios - Microsoft article for common CA scenarios.
Keep learning & keep sharing the helpful posts with your friends !!