Windows 10 Conditional Access with Azure AD Join Intune MDM Auto Enrollment? Windows 10 conditional access is a great feature for BYOD scenarios. We wanted to provide BYOD users an OOBE (Out Of Box Experience) with AAD join and Intune auto-enrollment.
Once the user is able to login with their cooperate credentials (using AAD login) to the brand new device which is not joined to on-prem AD and the device is a complaint as per corp security policies then the user should allow accessing corps mail without any blockage (or without any VPN connect).
We struggled a lot to get this working for Windows 10 RTM version 10240. The conditional access didn’t work with the RTM version of Windows 10. Conditional Access worked well with Windows 10 versions 10175 and TH2 10586.
We tested Windows 10 conditional access with different kinds of AAD + MDM (Intune) join scenarios. From the tenant side (Intune console), we have enabled Conditional Access for Exchange online as noted in the below screen capture.
Windows 10 Conditional Access with Azure AD Join Intune MDM Auto Enrollment
More details about Azure AD Join here (Azure AD Join: What happens behind the scenes?).
Windows 10 Conditional Access with Azure AD Join Intune MDM Auto Enrollment?
We wanted to give BYOD users an OOBE (Out Of Box Experience) with AAD join and Intune enrollment. Once the users are able to login with their cooperate credentials and the device is complaint then should be able to access corps data/mail with out any blockage.
We can get the confirmation whether the device is successfully joined to AAD and enrolled to MDM (Intune) by checking the work access option in the setting page of the Windows 10 device.
To secure the corp environment data, we need to ensure the compliance policies are applied to the Windows 10 device. We will get a popup stating to enforce these policies once Intune tries to apply compliance policies on the device. Once MDM (Intune) policies are applied on the Windows 10 device we may get mail access.
When we are using Office 2013 on Windows 10 machine for conditional access then you need to enable modern authentication for Outlook. Using registry keys mentioned in the following document here, we need to enable Modern Authentication. Modern authentication is by default enabled for Office 2016 (outlook 2016), so the conditional access for Windows 10 with AAD and Intune will work seamlessly for office 2016 version.
When you are using native mail application (of Windows 10) for corporate mail access then you don’t need to do any special setting. The default mail app in Windows 10 will work along with conditional access.