7.8 Device Compliance and Conditional Access

75 minutes · Module 7

Device Compliance and Conditional Access Integration

By the end of this subsection, you will understand how Defender for Endpoint feeds device risk into Intune compliance, and how the "require compliant device" conditional access policy blocks AiTM token replay.

This is where Modules 1, 4, 5, and 7 converge. The conditional access gap that allowed the AiTM attack in Module 13 is closed here.

The integration chain

Step 1: Defender for Endpoint assesses device risk (low, medium, high) based on active threats and vulnerabilities.

Step 2: Intune compliance policy includes “Require device threat level: clear or low.” A device with medium or high risk becomes non-compliant.

Step 3: Entra ID conditional access policy requires a compliant device for Exchange Online and SharePoint.

Step 4: Non-compliant device (or unenrolled device) is blocked from accessing M365.

Why this blocks AiTM token replay

In the Module 13 scenario, the attacker replayed a stolen token from an unmanaged device. The token contained a valid MFA claim — conditional access requiring MFA was satisfied. But the attacker’s device was not enrolled in Intune. With a “require compliant device” policy:

The attacker presents the stolen token to Exchange Online
Conditional access evaluates: is the device compliant?
The device is not enrolled in Intune — automatic non-compliance — blocked
The MFA claim in the token is irrelevant — device compliance is the enforcement point

This single control eliminates the entire AiTM attack chain for covered applications

Phishing-resistant MFA (FIDO2) prevents AiTM by design but requires hardware procurement and user training. Device compliance is a configuration change deployable immediately. It blocks token replay from any device not in your Intune inventory. Deploy this first, then plan FIDO2 for defense in depth.

Intune compliance policy configuration

Navigate to Intune admin center -> Devices -> Compliance policies -> Create policy
Platform: Windows 10 and later
Compliance settings:
- Device Health: Require device threat level = “Clear” or “Low”
- System Security: Require BitLocker encryption = Yes
- System Security: Require firewall = Yes
- System Security: Require antivirus = Yes
- System Security: Require antispyware = Yes
Actions for noncompliance: Mark noncompliant immediately (or 1-day grace period for rollout)
Assign to All Users or a pilot group

Conditional access policy configuration

Navigate to Entra ID -> Conditional Access -> Create new policy
Name: “Require compliant device for M365 apps”
Users: All users (exclude emergency access accounts)
Cloud apps: Exchange Online, SharePoint Online, Microsoft Teams
Conditions: All device platforms
Grant: Require device to be marked as compliant
Session: Sign-in frequency = 12 hours (forces periodic re-evaluation)
Enable policy (start with Report-only for 1 week, then enforce)

Prepare for the help desk impact

When this policy goes live, every user on a personal phone or unenrolled laptop is blocked from email. Communicate the change 2 weeks before enforcement. Provide Intune enrollment instructions. Consider a phased rollout: pilot group first, then department by department. The 1-week report-only period shows you exactly who would be blocked.

Verification query

1
2
3
4
5
6
7
8
SigninLogs
| where TimeGenerated > ago(7d)
| where ConditionalAccessStatus == "failure"
| mv-expand CAPolicy = parse_json(ConditionalAccessPolicies)
| where tostring(CAPolicy.displayName) has "compliant device"
| where tostring(CAPolicy.result) == "failure"
| summarize BlockedCount = count() by bin(TimeGenerated, 1d)
| sort by TimeGenerated asc

Expected Output

TimeGenerated (day)	BlockedCount
2026-03-15	34
2026-03-16	28
2026-03-17	41

What to look for: Daily blocked sign-ins confirm the policy is active. Investigate who is being blocked: legitimate users on personal devices (need enrollment), service accounts (may need exclusion), or attacker token replays (investigate the source IP). Zero blocks means the policy may not be scoped correctly.

Try it yourself

Write a KQL query that shows which specific users are being blocked by the compliant device policy, grouped by user and showing their device platform and location. This helps you identify who needs enrollment assistance vs who might be an attacker.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
SigninLogs
| where TimeGenerated > ago(7d)
| where ConditionalAccessStatus == "failure"
| mv-expand CAPolicy = parse_json(ConditionalAccessPolicies)
| where tostring(CAPolicy.displayName) has "compliant device"
| where tostring(CAPolicy.result) == "failure"
| extend OS = tostring(DeviceDetail.operatingSystem)
| extend Country = tostring(LocationDetails.countryOrRegion)
| summarize
    BlockCount = count(),
    Platforms = make_set(OS),
    Countries = make_set(Country),
    LastBlocked = max(TimeGenerated)
    by UserPrincipalName
| sort by BlockCount desc

Users blocked from known countries on iOS/Android are likely employees on personal phones needing enrollment. Users blocked from unexpected countries on unknown platforms are investigation targets.

Check your understanding

1. An attacker replays a stolen token. The token has a valid MFA claim. "Require compliant device" is active. Result?

Blocked. The attacker's device is not in Intune, therefore non-compliant. Device compliance evaluates the physical device, not the token claims. MFA satisfaction is irrelevant when device compliance is the enforcement point.

Allowed — valid MFA claim

Prompted for additional MFA

This is the fundamental AiTM countermeasure. The token contains claims about authentication. The device is a physical object that must be enrolled and compliant. An attacker can steal claims but cannot make their device compliant.

2. After enabling the policy, 50 users on personal phones are blocked. Is this a misconfiguration?

No — the policy is working correctly. Personal phones are not enrolled in Intune, therefore non-compliant. This is the expected behavior. Solutions: enroll personal devices via Intune MAM, create app protection policies for mobile, or require corporate devices for email access. Communicate before enforcement.

Yes — exclude mobile devices

Yes — the policy should only block external IPs

The help desk impact is real but expected. The 1-week report-only period and pre-enforcement communication exist to manage this transition. The security benefit (AiTM blocked) outweighs the operational cost (enrollment support tickets).

← 7.7 Device Groups and RBAC 7.9 Threat and Vulnerability Management →