Windows 10 Conditional Access with Azure AD Join Intune MDM Auto Enrollment?

Windows 10 conditional access is a great feature for BYOD scenarios. We wanted to provide BYOD users with an OOBE (Out Of Box Experience) that includes AAD join and Intune auto-enrollment.
The goal: once a user logs in with their corporate credentials (using AAD login) to a brand new device that is not joined to on-prem AD, and the device is compliant with corporate security policies, the user should be allowed access to corporate mail without any blockage (and without a VPN connection).
We struggled a lot to get this working on the Windows 10 RTM build 10240; conditional access did not work with that build. Conditional access worked well with Windows 10 builds 10175 and TH2 10586.
We tested Windows 10 conditional access with different AAD + MDM (Intune) join scenarios. On the tenant side (Intune console), we enabled Conditional Access for Exchange Online, as shown in the screen capture below.
[Screenshot: Conditional Access for Exchange Online enabled in the Intune console]
More details about Azure AD Join are in the post "Azure AD Join: What happens behind the scenes?".
We wanted to give BYOD users an OOBE (Out Of Box Experience) with AAD join and Intune enrollment. Once users can log in with their corporate credentials and the device is compliant, they should be able to access corporate data and mail without any blockage.
We can confirm whether the device is successfully joined to AAD and enrolled in MDM (Intune) by checking the Work Access option on the Settings page of the Windows 10 device.
To protect corporate data, we need to ensure the compliance policies are applied to the Windows 10 device. Once Intune tries to apply the compliance policies, a popup appears asking to enforce them on the device. Only after the MDM (Intune) policies are applied on the Windows 10 device is mail access granted.
When Office 2013 is used on the Windows 10 machine for conditional access, modern authentication must be enabled for Outlook using the registry keys mentioned in the document linked here. Modern authentication is enabled by default in Office 2016 (Outlook 2016), so Windows 10 conditional access with AAD and Intune works seamlessly with the Office 2016 version.
When the native Windows 10 Mail application is used for corporate mail access, no special settings are needed. The default Mail app in Windows 10 works with conditional access as-is.
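As an added example (not from the original post), the PowerShell script below audits the preconditions described above on a device: AAD join and MDM enrollment (the state the Work Access page shows) and, for Office 2013, whether modern authentication is enabled. It assumes dsregcmd.exe is present on the build; the Office 2013 registry values (EnableADAL and Version under Office\15.0\Common\Identity) are taken from Microsoft's Office 2013 modern authentication guidance, not from this post, and the dsregcmd sample lines are constructed.

```powershell
# Parse "Name : Value" lines from dsregcmd /status into a hashtable.
function Get-DsregState {
    param([string[]]$Lines = (& dsregcmd.exe /status))
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\S+)\s*:\s*(.*?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    return $state
}

# Office 2013 (15.0) modern auth: EnableADAL=1 and Version=1 under Common\Identity
# (values from Microsoft's Office 2013 guidance, assumed here). Returns $null when
# the Office 2013 key is absent, e.g. on a device that only has Office 2016.
function Test-Office2013ModernAuth {
    $key = 'HKCU:\Software\Microsoft\Office\15.0\Common\Identity'
    if (-not (Test-Path $key)) { return $null }
    $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    return (($v.EnableADAL -eq 1) -and ($v.Version -eq 1))
}

# Combine the checks: the device is "ready" for conditional access mail flow when it
# is AAD joined, has an MDM enrollment URL, and Office 2013 (if present) has ADAL on.
function Test-ConditionalAccessReadiness {
    param([string[]]$DsregLines = (& dsregcmd.exe /status))
    $s = Get-DsregState -Lines $DsregLines
    $result = [ordered]@{
        AzureAdJoined  = ($s['AzureAdJoined'] -eq 'YES')
        MdmEnrolled    = -not [string]::IsNullOrEmpty($s['MdmUrl'])
        Office2013Adal = Test-Office2013ModernAuth
    }
    $result['Ready'] = $result.AzureAdJoined -and $result.MdmEnrolled -and ($result.Office2013Adal -ne $false)
    return [pscustomobject]$result
}

# Constructed sample of dsregcmd /status output so the parser can be exercised offline;
# run Test-ConditionalAccessReadiness with no arguments to query the live device.
$sample = @(
    '           AzureAdJoined : YES',
    '            DomainJoined : NO',
    '                  MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc'
)
Test-ConditionalAccessReadiness -DsregLines $sample
```

A device reporting AzureAdJoined YES but an empty MdmUrl is the common "joined but not enrolled" state in which conditional access still blocks mail.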
Anoop is a Microsoft MVP. He is a Solution Architect in enterprise client management with more than 20 years of experience (calculated in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.