AD3.5 Integrating Compliance with Conditional Access

Pre-enforcement verification

Before changing CA003 from report-only to enforced, run these four checks:

Check 1 — Compliance rate. Navigate to intune.microsoft.com → Devices → Compliance → Monitor → Device compliance status. Your compliance rate should be 95%+ across all platforms. If it's below 95%, the remaining 5%+ will be locked out on enforcement day — remediate before proceeding.

Check 2 — Report-only impact. Navigate to entra.microsoft.com → Monitoring → Sign-in logs. Add a filter for "Conditional access: Report-only: Failure" and filter for CA003 specifically. This shows every sign-in that WOULD have been blocked if CA003 were enforced. Review the list: are the "would-be-blocked" sign-ins from non-compliant corporate devices (needs remediation) or from personal devices (needs app protection policy)?

Run this in PowerShell for a summary:

Connect-MgGraph -Scopes "AuditLog.Read.All"
$start = (Get-Date).AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -Filter "createdDateTime ge $start" -Top 500 |
    Where-Object {
        $_.ConditionalAccessPolicies | Where-Object {
            $_.DisplayName -like "*CA003*" -and $_.Result -eq "reportOnlyFailure"
        }
    } | Group-Object UserPrincipalName |
    Select-Object Name, Count |
    Sort-Object Count -Descending

Each user in this output will be blocked when you enforce CA003. Contact them before enforcement. If the list is 3-5 users, handle them individually. If it's 20+, there's a systemic gap to fix first.

Check 3 — Break-glass verification. Sign in with a break-glass account from a personal (non-enrolled) device. The sign-in should succeed — break-glass accounts must be excluded from CA003. If the break-glass account is blocked, fix the exclusion BEFORE enforcing for all users.

Check 4 — App protection policies. For BYOD users who will access M365 through app protection policies instead of device compliance, verify the policies are deployed and working. Have a BYOD user open Outlook on their personal phone and confirm the app protection is active (Settings → Organization data shows "Managed by your organization").

Modifying CA003 for enforcement

Navigate to entra.microsoft.com → Protection → Conditional Access → Policies → CA003 (Require Compliant Device — Core Apps).

Before changing the enable state, make one modification to the Grant controls. Change the grant from "Require device to be marked as compliant" to "Require device to be marked as compliant" OR "Require app protection policy." Select "Require one of the selected controls." This allows both paths: compliant corporate devices access through device compliance, BYOD devices access through app protection policies.

Now change "Enable policy" from "Report-only" to "On."

Click "Save."

From this moment, every sign-in to Exchange Online, SharePoint, and Teams is evaluated against CA003. The device must be either Intune-compliant or using an app-protected application. Sign-ins from unmanaged devices without app protection are blocked.

Testing after enforcement

Run three tests immediately:

Test 1 — Compliant corporate device. Sign in from your enrolled, compliant laptop. Access Outlook, SharePoint, and Teams. All should work. Check the sign-in log: CA003 should show "Success" with "Grant control: Require compliant device: Satisfied."

Test 2 — Personal device. Sign in from a personal device that isn't enrolled in Intune. Try to access Outlook on the web. You should see an error page explaining that the device doesn't meet security requirements. If you have the Outlook app with app protection, try that — it should work because the app protection policy satisfies the alternative grant control.

Test 3 — Break-glass account. Sign in with a break-glass account from a personal device. It should succeed without a compliance check because break-glass accounts are excluded from CA003.

If all three tests pass, enforcement is working correctly. Monitor the sign-in log for the next 2 hours for any unexpected blocks.

Monitoring CA003 enforcement in real-time

During the first 48 hours after enforcement, actively monitor the sign-in log for CA003 blocks. Use this PowerShell query to get a live view of blocked sign-ins:

Connect-MgGraph -Scopes "AuditLog.Read.All"

# Get CA003 failures in the last 2 hours
$cutoff = (Get-Date).AddHours(-2).ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $cutoff and status/errorCode ne 0" -Top 100

$caBlocks = $signIns | Where-Object {
    $_.ConditionalAccessPolicies | Where-Object {
        $_.DisplayName -like "*CA003*" -and $_.Result -eq "failure"
    }
}

$caBlocks | Select-Object CreatedDateTime, UserPrincipalName,
    @{N="Device";E={$_.DeviceDetail.DisplayName}},
    @{N="OS";E={$_.DeviceDetail.OperatingSystem}},
    @{N="Compliant";E={$_.DeviceDetail.IsCompliant}},
    @{N="Managed";E={$_.DeviceDetail.IsManaged}} |
    Format-Table -AutoSize

Each row is a user who was blocked by CA003. Check the "Compliant" and "Managed" columns. If IsCompliant = False and IsManaged = True, the device is enrolled but failing a compliance check — help the user remediate (AD3.7). If IsManaged = False, the device isn't enrolled — either it's a personal device (needs app protection) or a corporate device that was never enrolled (needs enrollment).

If you see the same user blocked repeatedly over 2 hours, they're stuck. Call them proactively — don't wait for them to figure it out or call the helpdesk. This proactive response during the first 48 hours prevents frustration and builds confidence in the compliance enforcement.

Fallback: browser-only access for emergency situations

Even with CA003 enforced, you may need a fallback for emergency situations — a user whose device is broken and needs email access immediately from a colleague's computer or a public terminal.

Configure a separate conditional access policy (CA004) that allows browser-only access to Outlook on the web from any device, but with restrictions. Navigate to entra.microsoft.com → Protection → Conditional Access → New policy:

Name: "CA004 — Browser Fallback with Session Controls" Users: All users (except break-glass) Cloud apps: Exchange Online Conditions: Client apps → Browser only Grant: Allow access Session controls: App enforced restrictions → enable (this applies Outlook on the web policies that block downloads, printing, and forwarding)

This gives users a read-only browser experience when they can't access from a compliant device. They can read and reply to email but can't download attachments or forward to personal accounts. It's a pragmatic middle ground that prevents "I'm completely locked out" scenarios while maintaining data protection.

Note: this CA004 policy should only be created if your organization needs the fallback. If your users always have their corporate laptop available, you don't need it. If you have remote workers, traveling executives, or shared workspaces, the browser fallback prevents edge cases from becoming helpdesk emergencies.

What the blocked user sees — and what to tell them

When CA003 blocks a sign-in, the user sees one of two error pages depending on their client:

Outlook desktop or mobile app: "You can't get there from here" or "Your sign-in was successful but your admin has required the device requesting access to be managed." The error page includes a "More details" link that shows the CA policy name (CA003) and the specific grant control that failed (device compliance).

Browser (Outlook Web, SharePoint, Teams web): A similar error page with the option to sign out and try from a different device. If you've configured CA004 (browser fallback with session controls), the user may be able to access OWA in restricted mode from the same browser — depending on the CA policy evaluation order.

Prepare a short FAQ for users before enforcement day:

"Q: I see 'You can't get there from here' when I try to access email. What do I do? A: Your device doesn't meet our security requirements. Open the Company Portal app on your laptop — it shows exactly which requirement isn't met and how to fix it. Most issues (Windows Update needed, antivirus update needed) take 5-15 minutes to resolve. If you need immediate email access, use the Outlook app on your phone. For help, contact the helpdesk at [number]."

Post this FAQ on your intranet before enforcement day. Send it in the enforcement announcement email. The clearer the self-help instructions, the fewer helpdesk calls on day one.