Azure | Intune: Require device enrollment for iOS and android devices

Published on: September 1, 2021 | Reading Time: 2 min | Last Modified : September 1, 2021

Configure Conditional Access policy to enforce users to install Company Portal before login to Outlook, Teams (M365 apps)


Suppose, your client requirement is to force their employees to enroll their personal device (or say install company portal) before they can access company resources like Microsoft 365 a.k.a Office 365 for eg Outlook, Teams and all other Office apps. This is where you will need to create Conditional Access(CA) policy. In this post, We will learn about how to create CA policy to enforce users to enroll their Android or iOS device. To learn more about CA Policy, please refer to this Microsoft link.

License Requirement

End user UPNs should have following license in order to apply Condtional Access policy.

  1. Azure AD Premium P1 or P2
  2. Microsoft Intune

Required Steps:

Step 1. Sign in to the Azure or MEM. (with any one of these rights- global administrator, security administrator or Conditional Access administrator).

Step 2.

For Azure - Navigate to Azure Active Directory > Security > Conditional Access.

For Intune - Navigate to Devices > Conditional Access under Policy.

Step 3. Select New policy.


Step 4. Provide meaningful policy name.

Step 5. Under Assignments, select Users and groups. Under Include, select All users or the specific set of Users and groups.

Note: You can add users in Exclude section for whom you don’t want to enforce device enrollment. However, this is not recommended by Microsoft.

Step 6. Under Cloud apps or actions > Include, select Office 365.


Step 7. Under Conditions, select Device platforms. * Set Configure to Yes. * Include Android and iOS


Step 8. Under Access controls > Grant, select Require device to be marked as compliant.


Step 9. Confirm your settings and set Enable policy to On. Step 10. Select Create.


Keep learning & keep sharing the helpful posts with your friends !!