Conditional Access Configuration Example — Tailspin Toys Corporation
Scenario Overview
Tailspin Toys Corporation is a mid-sized toy manufacturer with offices in Denver, Dallas, and Phoenix. The company uses Microsoft 365 Business Premium, with users accessing email and documents through Exchange Online and SharePoint Online.
To improve security and ensure compliance, the IT department wants to enforce access controls so that only managed and compliant devices can access Exchange Online. The goal is to implement a Conditional Access policy that checks both device compliance and platform type before granting access.
Objective
Create a Conditional Access policy named “Tailspin Secure Exchange Access” that:
- Targets users in the SalesDepartment security group.
- Applies to the Exchange Online cloud app.
- Grants access only to Intune-compliant or Hybrid Azure AD-joined devices.
Step 1: Create the Conditional Access Policy
- Sign in to the Microsoft Entra admin center at https://entra.microsoft.com.
- Go to Protection → Conditional Access → Policies → New Policy.
- Enter the name Tailspin Secure Exchange Access.
- Leave State as Report-only initially (for testing).
Step 2: Assign Users and Groups
- Under Assignments → Users and groups:
  - Include: Select SalesDepartment.
  - Exclude: Choose global admin and emergency accounts (e.g., admin@tailspintoys.com).
🧠 Tip: Always exclude at least one global administrator to prevent lockout during misconfiguration or policy testing.
Step 3: Assign Cloud App
- Under Assignments → Cloud apps or actions:
  - Select Include → Select apps → Exchange Online.
This restricts the policy specifically to email and calendar access, avoiding unnecessary blocks on unrelated services.
Step 4: Configure Key Conditions
Two key settings need to be configured under Conditions to enforce device compliance and coverage across all platforms.
1. Device Platforms
- Navigate to Conditions → Device platforms.
- Toggle Configure to Yes.
- Select Include → Windows, macOS, iOS, Android.
⚙️ Purpose: Ensures the policy applies across all device types Tailspin’s workforce uses — from office laptops to field tablets and smartphones.
2. Device State (Preview)
- Navigate to Conditions → Device state (preview).
- Toggle Configure to Yes.
- Under Include, select:
  - ✅ Device Hybrid Azure AD joined
  - ✅ Device marked as compliant
🔒 Purpose: This condition ensures that only Intune-enrolled and compliant devices (or those joined to on-prem AD and synced to Azure AD) can access Exchange Online.
Devices not meeting these conditions will be blocked by default.
Step 5: Configure Access Controls
Under Access controls → Grant:
- Select Grant access.
- Check both options:
  - ✅ Require device to be marked as compliant
  - ✅ Require Hybrid Azure AD joined device
- Choose OR under “Require one of the selected controls”.
💡 Why use OR?
It allows flexibility: Intune-managed devices or hybrid-joined laptops can both gain access, accommodating Tailspin’s mixed environment.
Step 6: Session Control (Optional)
For organizations that allow limited access from personal devices, you can use Session Controls:
- Enable Use Conditional Access App Control (Defender for Cloud Apps) for real-time session monitoring.
- Restrict download actions for unmanaged devices if users must view email via browser.
Example: Allow viewing email in Outlook on the web but block attachments from being downloaded to unmanaged devices.
Step 7: Enable and Test the Policy
- Toggle the policy to Report-only mode first to evaluate impact.
- After verifying expected results in the Sign-in logs, switch Enable policy → On.
- Monitor results via Conditional Access → Insights and Reporting.
Step 8: Validation
- Test 1: Use a compliant Intune-enrolled Windows laptop. Access to Exchange Online should succeed.
- Test 2: Use a personal Android phone not enrolled in Intune. Access should be blocked.
- Test 3: Use a Hybrid Azure AD-joined desktop. Access should be granted.
Check audit logs under:
- Entra ID → Monitoring → Sign-in logs
- Filter by Conditional Access results for policy verification.
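The policy built in Steps 1 to 8, written out as an added example in the Microsoft Graph conditionalAccessPolicy shape (not code from the original page or from Microsoft), together with a small local evaluator that reproduces the three Step 8 tests and the OR grant semantics from Step 5. The group object ID, the sales user and the admin account are constructed placeholders (Graph expects object IDs for excluded users, not UPNs); the Device State condition from Step 4 is not modelled separately, and the device checks are applied through the grant controls only.

```python
# Added example, not from the original page: the "Tailspin Secure Exchange
# Access" policy in Microsoft Graph conditionalAccessPolicy shape, plus a local
# evaluator reproducing the Step 8 tests. IDs/accounts are constructed placeholders.
SALES_GROUP_ID = "11111111-2222-3333-4444-555555555555"  # placeholder group object ID
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"  # Office 365 Exchange Online appId

POLICY = {
    "displayName": "Tailspin Secure Exchange Access",
    "state": "enabledForReportingButNotEnforced",  # Steps 1 and 7: report-only first
    "conditions": {
        "users": {"includeGroups": [SALES_GROUP_ID],
                  "excludeUsers": ["admin@tailspintoys.com"]},  # Step 2: break-glass account
        "applications": {"includeApplications": [EXCHANGE_ONLINE]},  # Step 3
        "platforms": {"includePlatforms": ["windows", "macOS", "iOS", "android"]},  # Step 4
    },
    "grantControls": {"operator": "OR",  # Step 5: "Require one of the selected controls"
                      "builtInControls": ["compliantDevice", "domainJoinedDevice"]},
}

def in_scope(policy, s):
    """True when the user, app and platform conditions all match the sign-in."""
    c = policy["conditions"]
    user_ok = (s["user"] not in c["users"]["excludeUsers"]
               and any(g in c["users"]["includeGroups"] for g in s["groups"]))
    return (user_ok and s["app"] in c["applications"]["includeApplications"]
            and s["platform"] in c["platforms"]["includePlatforms"])

def grant_satisfied(policy, s):
    """Combine the selected grant controls with the policy operator (OR here)."""
    have = {"compliantDevice": s["compliant"], "domainJoinedDevice": s["hybrid_joined"]}
    results = [have[name] for name in policy["grantControls"]["builtInControls"]]
    return any(results) if policy["grantControls"]["operator"] == "OR" else all(results)

def evaluate(policy, s):
    """Mirror the sign-in log result: notApplied, success, reportOnlyFailure or failure."""
    if not in_scope(policy, s):
        return "notApplied"
    if grant_satisfied(policy, s):
        return "success"
    return "failure" if policy["state"] == "enabled" else "reportOnlyFailure"

def signin(platform, compliant, hybrid_joined, user="sales@tailspintoys.com"):
    """Constructed sample sign-in to Exchange Online by a SalesDepartment member."""
    return {"user": user, "groups": [SALES_GROUP_ID], "app": EXCHANGE_ONLINE,
            "platform": platform, "compliant": compliant, "hybrid_joined": hybrid_joined}

# Step 8 validation cases (constructed): Test 1, Test 2 and Test 3
TESTS = {"test1_compliant_laptop": signin("windows", True, False),
         "test2_personal_android": signin("android", False, False),
         "test3_hybrid_desktop": signin("windows", False, True)}
```

Evaluating TESTS against POLICY shows Test 2 as reportOnlyFailure while the policy is in report-only mode; once state is switched to enabled the same sign-in returns failure, which is the block the page expects.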
Expected Outcome
Once Device State and Device Platform conditions are configured:
- Only users in SalesDepartment can access Exchange Online.
- Access is restricted to Intune-compliant or Hybrid Azure AD-joined devices.
- Noncompliant or unmanaged devices are denied access automatically.
- The policy enforces Zero Trust principles, verifying both identity and device health before granting access.
Summary Table
| Configuration Area | Setting | Purpose |
|---|---|---|
| Users and Groups | SalesDepartment | Restrict policy to specific user group |
| Cloud App | Exchange Online | Target email and calendar access |
| Device Platforms | Windows, macOS, iOS, Android | Apply to all device types |
| Device State | Hybrid Azure AD joined / Compliant | Allow managed, secure devices |
| Access Control | Require compliance or hybrid join | Enforce endpoint health |
| Enable Policy | On (after testing) | Apply organization-wide |
Conclusion
By configuring these two additional settings — Device Platforms and Device State — Tailspin Toys successfully restricts Exchange Online access to compliant and managed devices.
This policy improves security, supports regulatory compliance, and aligns with Microsoft’s Zero Trust architecture by verifying both the user’s identity and the security posture of their device before granting access to corporate resources.

