LayerX Onboarding - Entra ID and Edge

3 min. read | last update: 09.02.2024

Microsoft Conditional Access and MAM Configuration Guide: A Step-by-Step Deployment and Enforcement Guide

Introduction

In the ever-evolving landscape of cybersecurity, safeguarding corporate data while enabling seamless access for users is paramount. Microsoft Intune's Conditional Access (CA) and Mobile Application Management (MAM) offer robust tools to enforce security policies and protect organizational data. This article provides a comprehensive guide on deploying and enforcing these policies, ensuring that your organization remains secure and compliant.

Create the Application Protection Policy

Sign in to Microsoft Intune Admin Center  - Navigate to the Microsoft Intune Admin Center and sign in with your Intune administrator account.

Navigate to App Protection Policies  - Go to the 'Apps' section and select 'App protection policies.'

Create a New Policy  - Click on ‘Create policy’ and choose the 'Windows' platform.

Configure Basic Details  - Enter the necessary details, such as the policy's name and description, then proceed.

Select Apps to Target  - Click on ‘Select apps’ and choose Microsoft Edge as the app to be protected under this policy.

Data Protection and Health Checks  - Follow your company's policy to configure data protection and health checks.

Assign Users or Groups  - In the Assignments step, designate the users or groups to be included or excluded from the policy.

Review and Create  - Once everything is configured, click on 'Review and create' to finalize the policy.

Create the Conditional Access Policy

Sign in to Microsoft Entra Admin Center  - Access the Microsoft Entra Admin Center using your administrator account.

Navigate to Conditional Access  - Under the 'Protection' section, go to 'Conditional Access' and click on ‘Create new policy.’

Assign Users and Groups  - Assign the same users and groups as targeted in the previous MAM policy to maintain consistency.

Select Target Resources  - Click on 'Select apps' and include Office 365 and any other relevant applications.

Device Platform Configuration  - Under Conditions, select 'Device platforms' and choose Windows as the target platform.

Client Apps Selection  - In the 'Client apps' section, choose 'Browser' as the application to enforce the policy.

Device Filtering  - Enable the device filter in exclude mode with the rule IsCompliant Equals True, so devices that are already marked as compliant are excluded from this policy.

Grant Access Controls  - Under the 'Grant' section, select the following controls:
   - Require app protection policy
   - Require device to be marked as compliant
   - Require Microsoft Entra hybrid joined device
   Make sure to select 'Require one of the selected controls,' so that access is granted when any one of the three controls is satisfied rather than only when all of them are.

Enable and Create the Policy  - Finally, enable the policy and click 'Create' to enforce the settings.
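As an added example, not part of the LayerX article: the Microsoft Graph conditionalAccessPolicy request body that corresponds to the steps above, plus an audit function that flags drift from the intended settings (for instance the grant operator being 'Require all' instead of 'Require one of'). The group ID is a constructed placeholder; the property and enum names (compliantApplication, domainJoinedDevice, deviceFilter) follow the Graph conditionalAccessPolicy resource.

```python
# Constructed placeholder: substitute the object ID of the group assigned to both policies.
TARGET_GROUP_ID = "00000000-0000-0000-0000-000000000000"


def build_edge_mam_ca_policy(group_id: str = TARGET_GROUP_ID) -> dict:
    """Graph conditionalAccessPolicy body mirroring the portal steps in this guide."""
    return {
        "displayName": "Require Edge app protection or managed device (Windows browser)",
        "state": "enabled",
        "conditions": {
            "users": {"includeGroups": [group_id]},
            # "Office365" is the Graph identifier for the Office 365 application group.
            "applications": {"includeApplications": ["Office365"]},
            "platforms": {"includePlatforms": ["windows"]},
            "clientAppTypes": ["browser"],
            # Exclude already-compliant devices so only unmanaged devices must satisfy MAM.
            "devices": {"deviceFilter": {"mode": "exclude", "rule": "device.isCompliant -eq True"}},
        },
        "grantControls": {
            # "OR" is the Graph equivalent of 'Require one of the selected controls'.
            "operator": "OR",
            "builtInControls": ["compliantApplication", "compliantDevice", "domainJoinedDevice"],
        },
    }


def audit_policy(policy: dict) -> list[str]:
    """Return findings where an exported policy drifts from the intended configuration."""
    findings = []
    cond = policy.get("conditions", {})
    grant = policy.get("grantControls", {})
    if policy.get("state") != "enabled":
        findings.append("policy is not enabled (report-only or disabled)")
    if "browser" not in cond.get("clientAppTypes", []):
        findings.append("clientAppTypes does not include 'browser'")
    if "windows" not in cond.get("platforms", {}).get("includePlatforms", []):
        findings.append("Windows platform is not targeted")
    filt = cond.get("devices", {}).get("deviceFilter", {})
    if filt.get("mode") != "exclude" or "isCompliant" not in filt.get("rule", ""):
        findings.append("compliant devices are not excluded via the device filter")
    if "compliantApplication" not in grant.get("builtInControls", []):
        findings.append("'Require app protection policy' control is missing")
    if grant.get("operator") != "OR":
        findings.append("grant operator is not OR: users must satisfy every control, not one")
    return findings
```

Run audit_policy against a policy exported from Graph to confirm the deployed settings still match the steps in this guide.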

Enforcement

Scenario 1: Non-Edge Browser Access Attempt

When a user attempts to access resources using a non-Edge browser, they will receive a prompt requiring them to open Edge to continue. This ensures that only compliant browsers are used for accessing sensitive data.

Scenario 2: Non-Corporate Profile Access Attempt

If a user tries to access corporate resources from a non-corporate profile, they will be prompted to switch to the corporate profile. This measure ensures that corporate data is only accessed through managed profiles, further securing the organization’s assets.
