
Conditions
The Conditions section allows you to choose when your policy will apply. You can do this by specifying client sign-in risk, device platforms, locations, client apps, and device state requirements.

For example, you may wish to configure Conditions | Client apps (preview) when your company wants to enforce mobile application management (MAM), thereby disallowing copying and pasting from Outlook to other apps. By disabling Outlook access via the Browser, you can force users to use a client or mobile app in which you're able to enforce that MAM policy.

Under Device state (preview), you can configure your policy so that it excludes devices that have been marked as compliant via one of the device compliance policies you configured in Intune.
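The two conditions described above (the Browser client app and the exclusion of compliant devices) can also be expressed as a single policy through the Microsoft Graph PowerShell module. This is an added example, not taken from the original text: the display name and the excluded account ID are placeholders, the Exchange Online application ID is supplied here rather than by the page, and the compliant-device exclusion is written as a device filter rule on the assumption that this is how the portal's Device state (preview) setting is expressed in Graph.

```powershell
# Added example. Requires the Microsoft.Graph PowerShell module and an account
# that is allowed to manage conditional access policies.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

$policy = @{
    displayName = 'EXAMPLE - Block Outlook in browser on non-compliant devices'  # hypothetical name
    # Report-only: sign-ins are evaluated and logged, but nothing is blocked yet.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers = @('All')
            # Placeholder: object ID of an emergency-access account kept outside the policy.
            excludeUsers = @('<emergency-access-account-object-id>')
        }
        applications = @{
            # Office 365 Exchange Online (the service behind Outlook).
            includeApplications = @('00000002-0000-0ff1-ce00-000000000000')
        }
        # Conditions | Client apps: match browser sign-ins only, so the
        # desktop and mobile clients (where MAM applies) are not affected.
        clientAppTypes = @('browser')
        # Exclude devices that Intune has marked as compliant.
        devices = @{
            deviceFilter = @{
                mode = 'exclude'
                rule = 'device.isCompliant -eq True'
            }
        }
    }
    # Access control applied when every condition above matches.
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back to confirm which conditions were stored.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object Id, DisplayName, State
```

Leaving the policy in report-only state lets you check the sign-in logs for unexpected matches before switching `state` to `enabled`.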

You may be asked to create conditional access policies that meet a variety of needs. For example, you could create a conditional access policy based on the following requirements:
- Network access control
- Device or sign-in risk
- Device compliance (platforms, OS version, personal versus corporate, and so on)
- Trusted locations versus untrusted locations
- Multi-factor authentication (MFA) setup
Based on these device and context characteristics (and many more), you can restrict access to on-premises emails, cloud apps and services, and even VPN access.
Now, we're ready to look at the Access controls section of the policy.