Conditional Access is Microsoft's [Zero Trust policy engine](https://learn.microsoft.com/en-us/security/zero-trust/deploy/identity) that takes signals from various sources into account when enforcing policy decisions.

# Deploying Conditional Access

## Using [[Microsoft Graph]]

[conditionalAccessRoot resource type - Microsoft Graph v1.0 | Microsoft Learn](https://learn.microsoft.com/en-us/graph/api/resources/conditionalaccessroot?view=graph-rest-1.0)

# Scratch Notes

- Access to internal resources can be limited to a "compliant device" nee

### Considerations

- Protecting "compliant devices"
	- Can non-Windows devices be "compliant devices", and how does this affect users who want to use their phone?
	- If we decide to start using [[Enterprise Mobility Management (EMM)]] to protect email/data on mobile devices, we would also want a policy to prevent access from any other mail client ([[Exchange ActiveSync]]).
		- We would also want a blog post explaining why we chose to do this.
		- [Securing Outlook for iOS and Android in Exchange Online](https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/secure-outlook-for-ios-and-android#leveraging-enterprise-mobility--security-suite-to-protect-corporate-data-with-outlook-for-ios-and-android)

### Account Driven User Enrollment

[Set up account driven Apple User Enrollment](https://learn.microsoft.com/en-us/intune/intune-service/enrollment/apple-account-driven-user-enrollment)

Account driven user enrollment takes place in the Settings app on iOS. It requires [[Apple Business Manager]] to be configured as well as [[Managed Apple IDs]]^[https://learn.microsoft.com/en-us/intune/intune-service/enrollment/apple-account-driven-user-enrollment].

I do not think this is the best solution for an MSP, especially when user device counts are so low.

### User enrollment with Company Portal

[Set up user enrollment with Company Portal | Microsoft Learn](https://learn.microsoft.com/en-us/intune/intune-service/enrollment/apple-user-enrollment-with-company-portal)
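
The two policies considered in the scratch notes above (require a compliant device, and block Exchange ActiveSync clients), written as request bodies for the Graph `conditionalAccess/policies` endpoint. This is an added example, not part of the original notes: the emergency-access group ID is a placeholder, and the display names and the `lint` checks are assumptions. Both policies are created in report-only state.

```python
import json

GRAPH_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"  # Office 365 Exchange Online app ID
BREAK_GLASS_GROUP = "<emergency-access-group-object-id>"  # placeholder (assumption)


def policy(name, apps, client_app_types, controls):
    """Build a conditionalAccessPolicy body; report-only until reviewed."""
    return {
        "displayName": name,  # display names here are hypothetical
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP]},
            "applications": {"includeApplications": apps},
            "clientAppTypes": client_app_types,
        },
        "grantControls": {"operator": "OR", "builtInControls": controls},
    }


def require_compliant_device():
    return policy("Require compliant device", ["All"], ["all"], ["compliantDevice"])


def block_exchange_activesync():
    return policy("Block Exchange ActiveSync", [EXCHANGE_ONLINE],
                  ["exchangeActiveSync"], ["block"])


def lint(p):
    """Hypothetical pre-deployment checks; returns a list of problems."""
    problems = []
    cond = p["conditions"]
    if p["state"] == "enabled":
        problems.append("enforced without a report-only phase")
    if not (cond["users"].get("excludeGroups") or cond["users"].get("excludeUsers")):
        problems.append("no emergency-access exclusion")
    if ("exchangeActiveSync" in cond["clientAppTypes"]
            and cond["applications"]["includeApplications"] != [EXCHANGE_ONLINE]):
        problems.append("ActiveSync condition should target Exchange Online only")
    return problems


if __name__ == "__main__":
    # Print each body as it would be POSTed; no network call is made here.
    for body in (require_compliant_device(), block_exchange_activesync()):
        print("POST", GRAPH_URL)
        print(json.dumps(body, indent=2), lint(body))
```

Each body is sent as its own POST by a caller holding the `Policy.ReadWrite.ConditionalAccess` permission; switching `state` to `enabled` is a separate change made after reviewing the report-only sign-in results.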