  • Hanna Korotka

Configuring and Enforcing Device Compliance Policies for HIPAA in Microsoft 365

HIPAA (Health Insurance Portability and Accountability Act) safeguards play a crucial role in ensuring the security of electronic protected health information (ePHI). Compliance with these safeguards is vital for healthcare organizations to protect patient data. This blog post explores how to configure and enforce compliance policies using Microsoft Intune and Microsoft Entra ID to meet HIPAA requirements.

Understanding HIPAA Compliance

HIPAA requires healthcare organizations to implement procedures for person or entity authentication, ensuring that only authorized individuals access ePHI. Here are some key aspects of compliance:

  1. Validating End User Claims: It is essential to verify that the person or entity seeking access to ePHI is indeed who they claim to be. This is a fundamental aspect of HIPAA's safeguards.

  2. Identifying and Mitigating Risks: Identifying and mitigating risks associated with data storage is critical. Healthcare organizations must remain vigilant in safeguarding ePHI from potential threats.

Conditional Access, combined with device compliance policies, serves as the gatekeeper to your organization's resources. Intune reports each device's compliance status to Microsoft Entra ID (formerly Azure AD), and Conditional Access uses that status to decide whether to grant or block access to email and other organization resources.

Microsoft Intune Compliance Policies

Device compliance policies are platform-specific sets of rules that define requirements for corporate devices, such as a minimum operating system version or required security configurations.

To configure device compliance policies for Windows 10 and later and macOS devices, follow these steps:

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Compliance policies > Policies > Create Policy.

3. Specify the platform for your policy (Windows 10 and later or macOS) and provide a name and description for the policy.

4. Configure compliance settings, including device properties and security requirements specific to the chosen platform.

Important compliance settings for Windows 10 and later devices:

Device properties

Minimum OS version - 10.0.18363 (this build is Windows 10 version 1909, which is out of support; set the value to the oldest build you still patch, for example 10.0.19045 for Windows 10 22H2, and raise it as builds retire)

System Security

Required password type - Device default (Intune then accepts whatever the OS already enforces; choose Alphanumeric or Numeric if the policy itself should enforce a password type)

Require encryption of data storage on device - Required

Firewall - Required

Trusted Platform Module (TPM) - Required

Antivirus - Required

Antispyware - Required

Microsoft Defender Antimalware - Required

Real-time protection - Required

Important compliance settings for macOS devices:

Device Health

Require system integrity protection - Required

System Security

Required password type - Device default

Require encryption of data storage on device - Required

Firewall - Enabled

Stealth Mode - Disabled

Allow apps downloaded from these locations - Mac App Store and identified developers (the Graph enum value is macAppStoreAndIdentifiedDevelopers)

5. Define actions for noncompliance, such as sending notifications or taking corrective measures.

You can add multiple actions and configure schedules and additional details for some actions.

For example, you might change the schedule of the default action Mark device noncompliant so that it occurs after three days instead of immediately, and add an action that emails the user when the device isn't compliant, warning them of that status before access is blocked.

6. Assign the policy to specific user or device groups.

7. Review the settings and select Create when ready to save the compliance policy.
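The same two policies (steps 1 to 7), created through Microsoft Graph instead of the Intune admin center. This is an added example, not code from the original post; it uses the Microsoft.Graph PowerShell SDK against the beta endpoint, and the group ID, notification template ID and policy names are placeholders you must replace. The property names show how each portal label in the tables above maps to the Graph windows10CompliancePolicy and macOSCompliancePolicy resources.

```powershell
# Added example (not from the original post): create the Windows and macOS compliance
# policies described above via Microsoft Graph, set the noncompliance actions, assign them
# to a group and read back the compliance counts.
# Requires: Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$graph = "https://graph.microsoft.com/beta"

# ASSUMPTIONS: replace with the object ID of your target device group and the ID of a
# notification template created under Compliance policies > Notifications.
$targetGroupId          = "00000000-0000-0000-0000-000000000001"
$notificationTemplateId = "00000000-0000-0000-0000-000000000002"

# Actions for noncompliance (step 5). actionType "block" is the portal's "Mark device
# noncompliant"; 72 hours gives the three-day grace period. The email notification fires at 0 h.
$actions = @(
    @{
        ruleName = "PasswordRequired"
        scheduledActionConfigurations = @(
            @{ actionType = "block";        gracePeriodHours = 72; notificationTemplateId = "";                      notificationMessageCCList = @() }
            @{ actionType = "notification"; gracePeriodHours = 0;  notificationTemplateId = $notificationTemplateId; notificationMessageCCList = @() }
        )
    }
)

# Windows 10 and later: the settings table above, mapped to Graph property names.
$windows = @{
    "@odata.type"            = "#microsoft.graph.windows10CompliancePolicy"
    displayName              = "HIPAA - Windows baseline"
    description              = "ePHI workstation baseline"
    osMinimumVersion         = "10.0.18363"      # value from the post; raise to a build you still patch
    passwordRequiredType     = "deviceDefault"   # Required password type
    storageRequireEncryption = $true             # Require encryption of data storage on device
    activeFirewallRequired   = $true             # Firewall
    tpmRequired              = $true             # Trusted Platform Module (TPM)
    antivirusRequired        = $true             # Antivirus
    antiSpywareRequired      = $true             # Antispyware
    defenderEnabled          = $true             # Microsoft Defender Antimalware
    rtpEnabled               = $true             # Real-time protection
    scheduledActionsForRule  = $actions
}

# macOS: same mapping. gatekeeperAllowedAppSource is the enum the post quotes verbatim.
$macos = @{
    "@odata.type"                    = "#microsoft.graph.macOSCompliancePolicy"
    displayName                      = "HIPAA - macOS baseline"
    description                      = "ePHI Mac baseline"
    systemIntegrityProtectionEnabled = $true     # Require system integrity protection
    passwordRequiredType             = "deviceDefault"
    storageRequireEncryption         = $true     # FileVault
    firewallEnabled                  = $true     # Firewall - Enabled
    firewallEnableStealthMode        = $false    # the post leaves stealth mode unenforced
    gatekeeperAllowedAppSource       = "macAppStoreAndIdentifiedDevelopers"
    scheduledActionsForRule          = $actions
}

# Assignment body (step 6): one group target, reused for both policies.
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $targetGroupId } }
    )
} | ConvertTo-Json -Depth 10

foreach ($body in @($windows, $macos)) {
    $policy = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies" `
                  -Body ($body | ConvertTo-Json -Depth 10) -ContentType "application/json"
    Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies/$($policy.id)/assign" `
                  -Body $assignment -ContentType "application/json"
    Write-Host "Created and assigned '$($policy.displayName)' ($($policy.id))"
}

# Verify: per policy, how many devices currently evaluate as compliant (success),
# noncompliant (failed) or have not yet checked in (pending).
$list = Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/deviceCompliancePolicies?`$select=id,displayName"
foreach ($p in $list.value) {
    $o = Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/deviceCompliancePolicies/$($p.id)/deviceStatusOverview"
    "{0,-28} compliant={1} noncompliant={2} pending={3}" -f $p.displayName, $o.successCount, $o.failedCount, $o.pendingCount
}
```

Keeping the policies as code makes the baseline reviewable and repeatable across tenants; the read-back at the end is the check to run before you turn on the Conditional Access policy in the next section, since every device still in the pending bucket will be blocked once the grant control is enforced.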

Set up Conditional Access Policy

In this guide we block access to Microsoft 365 desktop apps from devices that are marked as noncompliant.

1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.

2. Browse to Protection > Conditional Access.

3. Select Create new policy.

4. Give your policy a name. Microsoft recommends that organizations create a meaningful naming standard for their policies.

5. Under Assignments, select Users or workload identities.

  • Under Include, select All users.

  • Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.

6. Under Target resources > Cloud apps > Include, choose Select apps, then find and select Office 365 from the list of apps.

7. Under Conditions:

  • Device platforms > Configure 'Yes' > Include: select Windows and macOS.

  • Client apps > Configure 'Yes' > select Mobile apps and desktop clients > Done.

8. Under Access controls > Grant.

  • Select Require device to be marked as compliant.

  • Microsoft's "compliant or hybrid joined" template also selects Require Microsoft Entra hybrid joined device with Require one of the selected controls. For the goal of this guide, do not combine the two that way: with Require one of, a hybrid-joined device that Intune has marked noncompliant still satisfies the grant, because hybrid join alone is enough. Keep only the compliance control unless you deliberately want to exempt hybrid-joined devices.

  • Select Select.

9. Confirm your settings. Under Enable policy, select Report-only first and review the Report-only results in the sign-in logs for devices that would have been blocked (confirm the break-glass exclusion works and look for unmanaged or still-pending devices); switch to On once the results match what you expect.

10. Select Create.
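The policy from steps 1 to 10 as Graph PowerShell, created in report-only mode and followed by a lockout check. This is an added example, not code from the original post; it uses the Microsoft.Graph SDK cmdlets New-MgIdentityConditionalAccessPolicy and Get-MgIdentityConditionalAccessPolicy, the break-glass group ID is a placeholder, and the policy name is an example of a naming standard rather than anything the post prescribes.

```powershell
# Added example (not from the original post): the Conditional Access policy from the steps
# above, created in report-only mode, plus a check that no enforced policy lacks the
# break-glass exclusion.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# ASSUMPTION: object ID of the group that holds your emergency access (break-glass) accounts.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000003"

$policy = @{
    displayName = "CA010 - Require compliant device for Office 365 desktop clients (Windows, macOS)"
    # Report-only: the policy is evaluated and logged in the sign-in logs but blocks nothing yet.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }   # step 5
        applications   = @{ includeApplications = @("Office365") }                              # step 6: Office 365 app group
        platforms      = @{ includePlatforms = @("windows", "macOS") }                          # step 7
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{
        # Step 8: only the compliance control. Adding "domainJoinedDevice" here with operator
        # "OR" would let a hybrid-joined but noncompliant device through.
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created '{0}' in state {1} (id {2})" -f $created.DisplayName, $created.State, $created.Id

# Lockout check: every enforced policy should exclude the break-glass group.
# Anything listed here can lock administrators out if compliance evaluation breaks.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -eq "enabled" -and $_.Conditions.Users.ExcludeGroups -notcontains $breakGlassGroupId } |
    Select-Object DisplayName, Id

# After reviewing the Report-only results in the sign-in logs, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Creating the policy in report-only and flipping it to enabled in a second, deliberate step gives you a window to catch devices that have enrolled but not yet reported compliance, which would otherwise be blocked the moment the policy goes live.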


Configuring and enforcing compliance policies is a critical aspect of meeting HIPAA safeguards for ePHI. Microsoft Entra ID, in conjunction with Microsoft Intune, offers a robust solution to ensure that your managed devices adhere to the necessary security requirements. By following these steps and implementing compliance policies effectively, healthcare organizations can significantly enhance their data security and maintain HIPAA compliance.

To help you to have peace of mind knowing your business is secure, click here to schedule a Microsoft 365 Secure Score review with our experts today. We'll evaluate your current cybersecurity measures, identify potential vulnerabilities, and help you implement a strategic security plan to keep your company safe.


