Satish Halgi

IT Support / Service Desk Analyst

2 minute read

Intune Conditional Access & Endpoint Security Implementation

Project Overview

This project demonstrates the implementation of Microsoft Intune to secure Windows endpoints, enforce device compliance, and restrict access to corporate cloud resources using Conditional Access. The solution follows Zero Trust principles by ensuring only compliant and authorized devices can access organizational applications.

PHASE 1: Intune Security & Conditional Access Implementation

Microsoft Intune was implemented to manage and secure Windows devices by applying compliance policies, deploying endpoint security baselines, and enforcing Conditional Access controls. This implementation ensures devices meet security requirements before accessing corporate resources.

PHASE 2: Lab Environment & Prerequisites

  • Windows 11 VM (Pro, 22H2 or later)
  • Microsoft Entra ID (Azure AD) tenant with administrator privileges
  • Microsoft Intune subscription (Microsoft 365 E3/E5 or trial)
  • Test user account in Entra ID
  • Security group: Corporate Users

PHASE 3: Entra ID Group Configuration

  • Signed in to the Microsoft Entra Admin Center
  • Created a security group with the following configuration:
    • Name: Corporate Users
    • Type: Security
    • Membership: Assigned
  • Added test user accounts to the group for policy assignment

PHASE 4: Device Compliance Policy Deployment

  • Navigated to Microsoft Endpoint Manager Admin Center
  • Created a Windows compliance policy (Windows 10 and later)
  • Configured compliance requirements:
    • BitLocker encryption enabled
    • Microsoft Defender antivirus enabled
    • Windows Firewall enabled
    • Minimum OS version: Windows 11 22H2
  • Assigned the policy to the Corporate Users group

PHASE 5: Endpoint Security Baseline Configuration

  • Navigated to Endpoint Security → Security Baselines
  • Deployed the Microsoft Defender for Endpoint Security Baseline
  • Configured baseline settings:
    • Real-time protection enabled
    • Network protection enabled
    • Automatic security updates enforced
  • Assigned the baseline to the Corporate Users group

PHASE 6: Conditional Access Policy Enforcement

  • Navigated to Entra Admin Center → Security → Conditional Access
  • Created a Conditional Access policy:
    • Name: Require Compliant Device for Cloud Apps
  • Policy configuration:
    • Users: Corporate Users
    • Cloud apps: All cloud apps (or selected Microsoft 365 apps)
    • Device platform: Windows
  • Access control:
    • Require device to be marked as compliant
  • Enabled the policy

PHASE 7: Validation & Testing

  • Logged into the Windows 11 VM using the test user account
  • Attempted access to Microsoft 365 applications (Teams, SharePoint, Outlook Web)
  • Confirmed access was blocked when the device was non-compliant
  • Verified access was granted after compliance requirements were met

PHASE 8: Monitoring & Compliance Reporting

  • Reviewed device compliance status in Endpoint Manager → Devices → Monitor
  • Verified policy deployment and compliance reporting
  • Reviewed remediation actions for non-compliant devices

PHASE 9: Optional Automation & Remediation

  • Enabled automatic remediation actions for non-compliant devices
  • Configured user notifications and access blocking until compliance is achieved

Results

  • Devices are securely enrolled and managed using Microsoft Intune
  • Compliance policies enforce encryption, firewall, and antivirus protection
  • Endpoint security baselines standardize Microsoft Defender configurations
  • Conditional Access ensures only compliant devices can access corporate resources

Technologies Used

  • Microsoft Intune
  • Microsoft Entra ID (Azure AD)
  • Conditional Access
  • Microsoft Defender for Endpoint
  • Windows 11

You May Also Enjoy

SaaS Application Access Hardening

1 minute read

Overview Implemented secure access controls for SaaS applications to ensure only authorized users on compliant devices could access company resources.