SMB Must‑Have: Require Compliant Devices with Conditional Access
- Hanna Korotka
- 11 minutes ago
- 3 min read

Small and midsized businesses face the same cyber risks as large enterprises, but without the luxury of big security teams. One of the most effective, low‑effort ways to protect your Microsoft 365 environment is to ensure that only trusted, healthy, and secured devices can connect.
Microsoft gives SMBs this capability natively through Intune device compliance policies and Conditional Access in Microsoft Entra ID. These two tools work hand‑in‑hand: Intune evaluates whether a device meets your security requirements, and Conditional Access blocks anything that doesn’t.
Below is a clear, step‑by‑step walkthrough showing how to prepare Intune and then enforce secure access using Conditional Access.
Prerequisites
To use device compliance policies, the environment must include:
- Microsoft Intune
- Microsoft Entra ID P1 or P2, if Conditional Access will enforce compliance
Compliance policies can be created for:
- Android Device Administrator
- Android AOSP
- Android Enterprise
- iOS/iPadOS
- Linux (Ubuntu Desktop 22.04 LTS or 24.04 LTS)
- macOS
- Windows
Create Device Compliance Policies for Each Platform
Before building a Conditional Access policy, Intune must be configured with the right compliance foundations. Device compliance rules determine whether a device meets the requirements to be considered secure. These rules can include OS updates, encryption, password requirements, threat levels, jailbreak/root detection, and more.
Steps to create a compliance policy:
- Go to Devices → Compliance → Create policy
- Select a supported platform
- Configure compliance rules
- Assign the policy to users or device groups
- Monitor results under Reports → Device compliance → Reports
These policies provide the compliance evaluation that Conditional Access later enforces.
Create the Conditional Access Policy to Require Compliant Devices
With Intune fully prepared, Conditional Access can now enforce access restrictions based on compliance status. The steps below follow the Conditional Access tutorial for device compliance.
Follow these steps to set up a Conditional Access policy that requires compliant devices:
- Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
- Browse to Entra ID → Conditional Access → Policies.
- Select New policy.
- Give your policy a clear, meaningful name that fits your organization’s naming standards.
- Under Assignments, select Users or workload identities.
  - Under Include, select All users.
  - Under Exclude, select Users and groups and choose your organization’s emergency access or break‑glass accounts.
  - If your environment uses hybrid identity with Entra Connect or Cloud Sync, also select Directory roles, then choose Directory Synchronization Accounts.
- Under Target resources → Resources (formerly cloud apps) → Include, select All resources.
- Under Access controls → Grant:
  - Select Require device to be marked as compliant.
  - Choose Select to confirm.
- Review your settings, then set Enable policy to Report‑only.
- Select Create to enable the policy in report‑only mode.
- After confirming the behavior in report‑only mode, switch Enable policy from Report‑only to On.
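As an added example that is not part of the original post, the same policy can be created in report‑only mode with Microsoft Graph PowerShell, with a guard that refuses to run when no break‑glass accounts are excluded; the policy name and the two account object IDs are assumed placeholders.

```powershell
# Added example (not from the original post): create the Conditional Access policy
# described above in report-only mode with Microsoft Graph PowerShell.
# Requires the Microsoft.Graph.Identity.SignIns and
# Microsoft.Graph.Identity.DirectoryManagement modules.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Directory.Read.All"

# Assumed values: replace with the object IDs of your break-glass accounts.
$breakGlassAccountIds = @(
    "00000000-0000-0000-0000-000000000001",
    "00000000-0000-0000-0000-000000000002"
)

# Guardrail: an all-users / all-resources policy with no exclusions can lock
# every admin out if compliance evaluation misbehaves, so refuse to continue.
if ($breakGlassAccountIds.Count -eq 0) {
    throw "No break-glass accounts excluded; refusing to create the policy."
}

# Exclude the Directory Synchronization Accounts role (needed for hybrid identity
# with Entra Connect or Cloud Sync); looked up by name, so no template ID is hard-coded.
$dirSyncRole = Get-MgDirectoryRoleTemplate |
    Where-Object { $_.DisplayName -eq "Directory Synchronization Accounts" }
$excludedRoles = @()
if ($dirSyncRole) { $excludedRoles = @($dirSyncRole.Id) }

$policy = @{
    displayName = "CA-SMB-RequireCompliantDevice"           # assumed name; use your standard
    state       = "enabledForReportingButNotEnforced"       # Report-only
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = $breakGlassAccountIds
            excludeRoles = $excludedRoles
        }
        applications = @{
            includeApplications = @("All")                  # All resources
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")              # Require compliant device
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created $($created.DisplayName) ($($created.Id)) in report-only mode."

# After reviewing the report-only results in the sign-in logs, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }
```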
Implementing this configuration to require compliant devices ensures only secure, trusted endpoints gain access to your Microsoft 365 environment.
Why This Matters for SMBs
Requiring compliant devices provides a high‑impact layer of protection:
- Blocks access from unmanaged or risky endpoints
- Enforces encryption, OS version, antivirus, password standards, and more
- Reduces chances of data leakage
- Aligns with Zero Trust principles
- Improves IT oversight with minimal administrative overhead
This control delivers strong, scalable security without adding complexity.
By preparing device compliance in Intune and enforcing it with Conditional Access, SMBs gain a powerful security barrier that keeps data safe and access tightly controlled. This combination ensures that only healthy, secure, and trusted devices reach your Microsoft 365 environment.
If your organization needs help implementing these controls or reviewing your current setup, our team can handle the entire process for you—from policy design to full deployment. We specialize in securing SMB Microsoft 365 environments and can help you get these protections in place quickly and correctly.