Windows 10 Conditional Access with Azure AD Join and Intune MDM Auto Enrollment

Windows 10 conditional access is a great feature for BYOD scenarios. We wanted to provide BYOD users an OOBE (Out Of Box Experience) with AAD join and Intune auto enrollment. Once the user is able to log in with their corporate credentials (using AAD login) to a brand new device that is not joined to on-prem AD, and the device is compliant with the corporate security policies, the user should be allowed to access corporate mail without any blockage (and without a VPN connection). We struggled a lot to get this working for Windows 10 RTM version 10240: conditional access didn’t work with the RTM version of Windows 10. Conditional Access worked well with Windows 10 versions 10175 and TH2 10586. We tested Windows 10 conditional access with different kinds of AAD + MDM (Intune) join scenarios. From the tenant side (Intune console), we enabled Conditional Access for Exchange Online, as shown in the screen capture below.

More details about Azure AD Join are in the post “Azure AD Join: What happens behind the scenes?”.

Windows 10-Conditional Access-AAD-MDM-7

We wanted to give BYOD users an OOBE (Out Of Box Experience) with AAD join and Intune enrollment. Once the users are able to log in with their corporate credentials and the device is compliant, they should be able to access corporate data/mail without any blockage.

Windows 10-Conditional Access-AAD-MDM-1

We can confirm whether the device is successfully joined to AAD and enrolled in MDM (Intune) by checking the Work access option in the Settings page of the Windows 10 device.

Windows 10-Conditional Access-AAD-MDM-2

To secure corporate data, we need to ensure the compliance policies are applied to the Windows 10 device. We will get a popup asking us to enforce these policies once Intune tries to apply compliance policies on the device. Only once the MDM (Intune) policies are applied on the Windows 10 device do we get mail access.

Windows 10-Conditional Access-AAD-MDM-4

When using Office 2013 on a Windows 10 machine for conditional access, you need to enable modern authentication for Outlook. Using the registry keys mentioned in the following document here, we need to enable Modern Authentication. Modern authentication is enabled by default for Office 2016 (Outlook 2016), so conditional access for Windows 10 with AAD and Intune will work seamlessly with Office 2016.
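As an added example (not part of the original post), the following PowerShell audits, and with -Fix sets, the per-user registry values that turn on Modern Authentication (ADAL) for Office 2013; the key path and value names are taken from Microsoft's Office 2013 modern authentication guidance, and the script assumes it is run as the user whose Outlook profile is affected.

```powershell
# Added example: check/enable Modern Authentication (ADAL) for Office 2013.
# Values assumed from Microsoft's Office 2013 modern auth guidance:
#   HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity
#     EnableADAL (REG_DWORD) = 1
#     Version    (REG_DWORD) = 1
# Office 2016 has modern auth on by default, so it needs no such values.
param(
    [switch]$Fix   # write the required values if missing or wrong
)

$IdentityKey = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity'
$Required    = @{ EnableADAL = 1; Version = 1 }

function Get-Office2013ModernAuthState {
    # Returns a hashtable of value name -> current data (or $null if absent).
    $state = @{}
    foreach ($name in $Required.Keys) {
        $item = Get-ItemProperty -Path $IdentityKey -Name $name -ErrorAction SilentlyContinue
        $state[$name] = if ($item) { $item.$name } else { $null }
    }
    return $state
}

function Test-Office2013ModernAuth {
    # True only when every required value exists with the expected data.
    $state = Get-Office2013ModernAuthState
    foreach ($name in $Required.Keys) {
        if ($state[$name] -ne $Required[$name]) { return $false }
    }
    return $true
}

function Enable-Office2013ModernAuth {
    # Creates the key if needed and writes both DWORD values.
    if (-not (Test-Path $IdentityKey)) { New-Item -Path $IdentityKey -Force | Out-Null }
    foreach ($name in $Required.Keys) {
        New-ItemProperty -Path $IdentityKey -Name $name -Value $Required[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

$before = Get-Office2013ModernAuthState
"Current state: EnableADAL=$($before.EnableADAL) Version=$($before.Version)"
if (Test-Office2013ModernAuth) {
    'Modern Authentication is enabled for Office 2013 (current user).'
} elseif ($Fix) {
    Enable-Office2013ModernAuth
    'Values written; restart Outlook so it picks up the ADAL setting.'
} else {
    'Modern Authentication is NOT enabled; rerun with -Fix to set the values.'
}
```

Outlook must be restarted after the values are written, and the Office 2013 build must be recent enough to include ADAL support, which this script does not check.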

Windows 10-Conditional Access-AAD-MDM-6

When you are using the native Mail app of Windows 10 for corporate mail access, you don’t need any special settings. The default Mail app in Windows 10 works with conditional access as-is.

Windows 10-Conditional Access-AAD-MDM-5
