
How to Create a Compliance Policy in Microsoft Intune

In this article, I’m going to show you how to create a compliance policy in Intune, Microsoft’s Mobile Device Management (MDM) solution, that restricts access to resources to cloud managed and compliant devices only.

Even if your devices are registered or joined to Azure Active Directory (AD), there are still risks that could lead to compromised devices gaining access to your Microsoft 365 tenant’s resources. Hence, it’s necessary to control which types of devices are allowed to access your resources and under what conditions they are permitted to connect. Here’s a high-level overview of the entire process:

The first step is to create a policy for each device platform in the Endpoint Manager portal, for example for Android devices and/or Windows devices. You choose which controls the policy enforces; for instance, you could opt to block rooted Android devices. Next, define the actions for non-compliance and assign the policy to users. Then create a template for the email notifications that inform users their device has been blocked. Finally, specify the remediation actions for non-compliant devices.

Create a compliance policy with Microsoft Intune (all platforms)

Let’s take a brief look at some examples of compliance policies that an admin may want to configure in the Endpoint Manager portal. Here you will create a new compliance policy to handle personally owned Android devices.


  1. Go to Devices > Compliance Policies in the Endpoint Manager portal and click Create Policy.

Create a new compliance policy in Microsoft Intune


2. The next step is to configure the settings that will determine whether a device is allowed to connect.

Choose the settings that determine whether a device is allowed to connect.

Choose which controls to apply in your compliance policy

You can define various controls here and we will look at a few of them:

  • Machine level risks – Defender for Endpoint assigns each onboarded device a risk score. You can require that a device's score be at or under a chosen level before it is considered compliant.
  • Rooted Devices – These can be blocked, as they pose a security threat.
  • Minimum OS version – Some OS versions have become obsolete, so devices running them no longer receive security patches or upgrades. Set a minimum version to keep devices with outdated operating systems out.
  • Device Password – Enforce the use of a password to unlock the device.
  • Encryption – Require that data stored on the device is encrypted.

Under Device security there are more settings like ‘Block apps from unknown sources’ and ‘Company portal app integrity check’, which can also be configured.

Define actions for non-compliance

Now you must decide what to do with non-compliant devices. You can view the basic actions configured in the screenshot here.

Choose the actions for non-compliant devices.

Next, assign this policy to users or groups.

Assign the compliance policy to users.


On the final page you can review your selections and then create the policy. Likewise, you can create policies for iOS devices and for Windows or macOS.

Send email to non-compliant device owners automatically

It’s important to educate end users whenever their devices fail to meet the compliance standards. This can be done by sending emails to users. Here, we will see how you can create a template for such events.

  1. Click Notifications.

Create a new email notification template.

2. On the next tab, create a template.

Design your email notification template.


3. And on the final page, review the settings and click Create to have email notifications enabled.

In the next section, you will learn how to use this template to send emails.

Create remediation actions for non-compliant devices in Intune

You have already seen how to create a remediation action while creating new compliance policies in Intune. You may even add more actions to those as seen here. As per the policy we created in this tenant, a non-compliant device owner gets a maximum of 10 days before the device is retired. They will receive an email alerting them as soon as their device becomes non-compliant. The device will also be marked as noncompliant right away. A push notification is sent to the user a week after this event.

Here, we also decide to send emails to owners of non-compliant devices using the template created in the previous section.

Choose the actions for non-compliant devices.


And that is it! Now you have a policy to control which devices can access your Microsoft 365 tenant.
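The same policy, notification template, non-compliance actions and group assignment can be created through Microsoft Graph instead of clicking through the portal. The script below is an added example, not code from the article or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed, that the `beta` endpoint is used (the Defender for Endpoint risk-score property `advancedThreatProtectionRequiredSecurityLevel` is assumed to exist only there), that `PasswordRequired` is the rule name Intune uses for the built-in action set, and that `<group-object-id>` and the minimum OS version are placeholders you replace.

```powershell
# Run with an account holding the Intune Administrator role. Placeholders are marked <...>.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"
$graph = "https://graph.microsoft.com/beta/deviceManagement"   # beta endpoint assumed, see lead-in

# 1. Email template that owners of non-compliant devices receive (one English message, set as default).
$template = Invoke-MgGraphRequest -Method POST -Uri "$graph/notificationMessageTemplates" -Body @{
    displayName     = "Android non-compliance notice"
    brandingOptions = "includeCompanyLogo,includeCompanyName,includeContactInformation"
}
$null = Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/notificationMessageTemplates/$($template.id)/localizedNotificationMessages" -Body @{
    locale          = "en-us"
    subject         = "Your device no longer meets company requirements"
    messageTemplate = "Open the Company Portal app to see why your device is non-compliant and how to fix it."
    isDefault       = $true
}

# 2. The Android policy: the controls discussed above plus the actions for non-compliance.
#    Grace periods are in hours: 0 = immediately, 168 = one week, 240 = ten days (retire).
$policy = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceCompliancePolicies" -Body @{
    "@odata.type"                                 = "#microsoft.graph.androidCompliancePolicy"
    displayName                                   = "Android (personally owned) - baseline"
    securityBlockJailbrokenDevices                = $true          # block rooted devices
    osMinimumVersion                              = "11"           # assumed value; use the oldest OS you still accept
    passwordRequired                              = $true
    passwordRequiredType                          = "numericComplex"
    passwordMinimumLength                         = 6
    storageRequireEncryption                      = $true
    securityPreventInstallAppsFromUnknownSources  = $true          # 'Block apps from unknown sources'
    securityRequireCompanyPortalAppIntegrity      = $true          # 'Company portal app integrity check'
    advancedThreatProtectionRequiredSecurityLevel = "low"          # Defender machine risk score must be at or under Low
    scheduledActionsForRule = @(@{
        ruleName = "PasswordRequired"   # assumed: Intune's rule name for the built-in action set
        scheduledActionConfigurations = @(
            @{ actionType = "block";            gracePeriodHours = 0;   notificationTemplateId = "";           notificationMessageCCList = @() }
            @{ actionType = "notification";     gracePeriodHours = 0;   notificationTemplateId = $template.id; notificationMessageCCList = @() }
            @{ actionType = "pushNotification"; gracePeriodHours = 168; notificationTemplateId = "";           notificationMessageCCList = @() }
            @{ actionType = "retire";           gracePeriodHours = 240; notificationTemplateId = "";           notificationMessageCCList = @() }
        )
    })
}

# 3. Assign the policy to a user group (replace the placeholder with the group's object id).
$null = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceCompliancePolicies/$($policy.id)/assign" -Body @{
    assignments = @(@{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = "<group-object-id>" } })
}
Write-Host "Created policy $($policy.id) using notification template $($template.id)"
```

Run it against a test group first and check the result under Devices > Compliance Policies, because a policy created through Graph with no scheduled actions would never mark a device non-compliant.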



Vignesh hails from the city of Pune in India. He has been working in the IT industry for the past 10 years. His main areas of focus are Microsoft 365, Exchange Online, PowerShell, Teams, SharePoint, Microsoft 365 Security. Follow him on Twitter for the latest on Microsoft 365 @vignesh_mudliar and www.linkedin.com/in/vignesh-mudliar-86570915b