+2. Go to the **Settings** > **Domains** page.

+[Domains FAQ](../setup/domains-faq.yml) (article)

+> If you want to assign licenses for a large number of users, use [Assign licenses to users by group membership in Azure Active Directory](/azure/active-directory/enterprise-users/licensing-groups-assign).

+If you're not going to [reassign the unused licenses to other users](assign-licenses-to-users.md), consider [removing the licenses from your subscription](../../commerce/licenses/buy-licenses.md) so that you're not paying for more licenses than you need.

+2. Assign permissions in Exchange Online to people in your organization who will use the audit log search tool in the compliance portal or use the **Search-UnifiedAuditLog** cmdlet. Specifically, users must be assigned the *View-Only Audit Logs* or *Audit Logs* role in Exchange Online.

+Microsoft Purview Audit (Standard) in Microsoft 365 lets you search for audit records for activities performed in the different Microsoft 365 services by users and admins. Because Audit (Standard) is enabled by default for most Microsoft 365 and Office 365 organizations, there's only a few things you need to do before you, and others in your organization can search the audit log.

+Admins and members of investigation teams must be assigned the *View-Only Audit Logs* or *Audit Logs* role in Exchange Online to search or export the audit log. By default, these roles are assigned to the *Compliance Management* and *Organization Management* role groups on the **Permissions** page in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a>. Global administrators in Office 365 and Microsoft 365 are automatically added as members of the *Organization Management* role group in Exchange Online. To give a user the ability to search the audit log with the minimum level of privileges, you can create a custom role group in Exchange Online, add the *View-Only Audit Logs* or *Audit Logs* role, and then add the user as a member of the new role group. For more information, see [Manage role groups in Exchange Online](/Exchange/permissions-exo/role-groups).

+The following screenshot shows the two audit-related roles assigned to the *Organization Management* role group in the Exchange admin center.

+- **Purged messages from mailbox:** This activity corresponds to the **HardDelete** mailbox auditing action. This is logged when a user purges an item from the Recoverable Items folder. Admins can use the Content Search tool in the compliance portal to search for and recover purged items until the deleted item retention period expires or longer if the user's mailbox is on hold.

+You have to be assigned the *View-Only Audit Logs* or *Audit Logs* role in Exchange Online to search or export the audit log. By default, these roles are assigned to the *Compliance Management* and *Organization Management* role groups on the **Permissions** page in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a>. To give a user the ability to search the eDiscovery (Premium) audit log with the minimum level of privileges, you can create a custom role group in Exchange Online, add the *View-Only Audit Logs* or *Audit Logs* role, and then add the user as a member of the new role group. For more information, see Manage role groups in Exchange Online.

+> If you assign a user the *View-Only Audit Logs* or *Audit Logs* role on the Permissions page in the compliance portal, they won't be able to search or export the audit log. You have to assign the permissions in Exchange Online. This is because the underlying cmdlet used to search the audit log is an Exchange Online cmdlet.

+The results of an audit log search are displayed under Results on the Custodian Audit log page. A maximum of 5,000 (newest) events are displayed in increments of 150 events. To display more events you can use the scroll bar in the Results pane, or you can press Shift + End to display the next 150 events.

+- **Obfuscation**: Detects the masking of potentially risky activities by in-scope policy users. An example risk management activity includes renaming files on a device.

+- As with labeled and encrypted email, if somebody forwards a meeting invite from an email client other than Outlook, any applied encryption persists but information about the sensitivity label is removed from the email headers.

+ - Automatically delete items that are 5 years old from the Deleted Items folder. This also frees up space in the user's primary mailbox. Users will have the opportunity to recover these items if necessary. For more information, see the final bullet in the [More information](#more-information) section.

+|[Windows 10 lab environment](https://download.microsoft.com/download/a/5/0/a505dbce-6cc8-4f92-a777-cda556da9266/Win10_21H2_Lab_v2.zip)|[Windows 11 lab environment](https://download.microsoft.com/download/b/3/9/b3959d76-6ea6-4b4a-84e2-d863b9f38887/Win11_22H2_2211_Lab.zip)|

+|[Windows 10 lab guides](https://download.microsoft.com/download/a/5/0/a505dbce-6cc8-4f92-a777-cda556da9266/Win10_21H2_Lab_Guides_v2.zip)|[Windows 11 lab guides](https://download.microsoft.com/download/b/3/9/b3959d76-6ea6-4b4a-84e2-d863b9f38887/Win11_22H2_2211_Lab_Guides.zip)|

+> [!NOTE]

+> We'll be providing unlimited SMS notifications through March 1, 2023 (previously January 31, 2023) for customers with Bookings licenses. As we get closer to the end of the promotion period, we'll provide additional details on licensing requirements. Contact your account team or support to receive pricing details after the promotion period.

+| **Use the Microsoft 365 Defender portal** (*recommended*) | The Microsoft 365 Defender portal ([https://security.microsoft.com/](https://security.microsoft.com/)) is a one-stop shop for managing your company's devices, security policies, and security settings. You can access your security policies and settings, use the [Microsoft Defender Vulnerability Management dashboard](mdb-view-tvm-dashboard.md), and [view and manage incidents](mdb-view-manage-incidents.md) all in one place. <p>If you're using Intune, devices that you onboard to Defender for Business and your security policies are visible in the Endpoint Manager admin center. To learn more, see the following articles:<ul><li>[How default settings in Defender for Business correspond to settings in Microsoft Intune](mdb-next-gen-configuration-settings.md#how-default-settings-in-defender-for-business-correspond-to-settings-in-microsoft-intune)</li><li>[Firewall in Defender for Business](mdb-firewall.md)</li></ul> |

+- [How default settings in Defender for Business correspond to settings in Microsoft Intune](#how-default-settings-in-defender-for-business-correspond-to-settings-in-microsoft-intune)

+- [Microsoft Defender Antivirus states (active, passive, and disabled)](#microsoft-defender-antivirus-states)

+| **Turn on real-time protection** | Enabled by default, real-time protection locates and stops malware from running on devices. *We recommend keeping real-time protection turned on.* When real-time protection is turned on, it configures the following settings: <ul><li>Behavior monitoring is turned on ([AllowBehaviorMonitoring](/windows/client-management/mdm/policy-csp-defender#defender-allowbehaviormonitoring)).</li><li>All downloaded files and attachments are scanned ([AllowIOAVProtection](/windows/client-management/mdm/policy-csp-defender#defender-allowioavprotection)).</li><li>Scripts that are used in Microsoft browsers are scanned ([AllowScriptScanning](/windows/client-management/mdm/policy-csp-defender#defender-allowscriptscanning)).</li></ul> |

+| **Action to take on potentially unwanted apps (PUA)** | PUA can include advertising software; bundling software that offers to install other, unsigned software; and evasion software that attempts to evade security features. Although PUA isn't necessarily a virus, malware, or other type of threat, it can affect device performance. PUA protection blocks items that are detected as PUA. You can set PUA protection to the following modes: <ul><li>**Enabled** is the default setting. It blocks items detected as PUA on devices. *We recommend keeping PUA protection enabled.*</li><li>**Audit mode** takes no action on items detected as PUA.</li><li>**Disabled** doesn't detect or take action on items that might be PUA.</li></ul> |

+| **Scheduled scan type** | Consider running a weekly antivirus scan on your devices. You can choose from the following scan type options:<ul><li>**Quickscan** checks locations, such as registry keys and startup folders, where malware could be registered to start along with a device. *We recommend using the quickscan option.* </li><li>**Fullscan** checks all files and folders on a device.</li><li>**Disabled** means no scheduled scans will take place. Users can still run scans on their own devices. (In general, we don't recommend disabling scheduled scans.)</li></ul><br/> [Learn more about scan types](../defender-endpoint/schedule-antivirus-scans.md). |

+## How default settings in Defender for Business correspond to settings in Microsoft Intune

+## Microsoft Defender Antivirus states

+Microsoft Defender Antivirus is a key component of next-generation protection in Defender for Business. Depending on whether devices are onboarded to Defender for Business and whether those devices are running a non-Microsoft antivirus/antimwalware solution, Microsoft Defender Antivirus can have one of the following states:

+- Active mode

+- Passive mode

+- Disabled (or uninstalled) mode

+The following table describes each state and what it means.

+| Microsoft Defender Antivirus state | What it means |

+|:|:|

+| **Active mode** <br/>(*recommended*) | Microsoft Defender Antivirus is used as the antivirus app on the machine. Files are scanned, threats are remediated, and detection information is reported in the Microsoft 365 Defender portal and in the Windows Security app on a device running Windows.<br/><br/>We recommend running Microsoft Defender Antivirus in active mode so that devices onboarded to Defender for Business will get all of the following types of protection: <ul><li>**Real-time protection**, which locates and stops malware from running on devices. </li><li>**Cloud protection**, which works with Microsoft Defender Antivirus and the Microsoft cloud to identify new threats, sometimes even before a single device is affected.</li><li>**Network protection**, which helps protect against phishing scams, exploit-hosting sites, and malicious content on the internet.</li><li>**Web content filtering**, which regulates access to websites based on content categories (such as adult content, high bandwidth, and legal liability) across all browsers.</li><li>**Protection from potentially unwanted applications**, such as advertising software, bundling software that offers to install other, unsigned software, and evasion software that attempts to evade security features.</li></ul> |

+| **Passive mode** | A non-Microsoft antivirus/antimalware product is installed on the device, and even though the device has been onboarded to Defender for Business, Microsoft Defender Antivirus can detect threats but doesn't remediate them. Devices with Microsoft Defender Antivirus can still receive security intelligence and platform updates. <br/><br/>You can switch Microsoft Defender Antivirus to active mode automatically by uninstalling the non-Microsoft antivirus/antimalware product. |

+| **Disabled mode** | A non-Microsoft antivirus/antimwalware product is installed on the device, and the device hasn't been onboarded to Defender for Business. Whether Microsoft Defender Antivirus went into disabled mode automatically or was set manually, it's not currently running on the device. In this case, Microsoft Defender Antivirus neither detects nor remediates threats on the device.<br/><br/>You can switch Microsoft Defender Antivirus to active mode by uninstalling the non-Microsoft antivirus/antimalware solution and onboarding the device to Defender for Business. |

+- [View and edit security policies and settings in Microsoft Defender for Business](mdb-configure-security-settings.md)

+POST api/DeviceAuthenticatedScanDefinitions/GetScanHistoryByScanDefinitionId

+POST https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions/GetScanHistoryByScanDefinitionId

+ "ScanDefinitionIds": ["4ad8d463-6b3a-4894-b42a-a2de9ea0a8ae", "60c4aa57-c573-4488-8d18-230914792a92", "c6220f67-2cad-4ba3-a2fa-7ded6384da56"]

+"@odata.context": "https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions/GetScanHistoryByScanDefinitionId",

+ "ScanDefinitionIds": "4ad8d463-6b3a-4894-b42a-a2de9ea0a8ae",

+ "ScanDefinitionIds": "60c4aa57-c573-4488-8d18-230914792a92",

+ "ScanDefinitionIds": "c6220f67-2cad-4ba3-a2fa-7ded6384da56",

+POST /api/DeviceAuthenticatedScanDefinitions/GetScanHistoryBySessionId

+POST https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions/GetScanHistoryBySessionId

+ "SessionIds": ["01decc497f4b4ec49a5fc4e12597f8c8"]

+ "@odata.context": "https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions/GetScanHistoryBySessionId",

+ "ScanDefinitionIds": "4ad8d463-6b3a-4894-b42a-a2de9ea0a8ae",

+ "SessionIds": "01decc497f4b4ec49a5fc4e12597f8c8",

+1. **Splunk SOAR** helps customers orchestrate workflows and automate tasks in seconds to work smarter and respond faster. Splunk SOAR is integrated with the new Microsoft 365 Defender APIs, including the alerts API. For more information, see [Microsoft 365 Defender | Splunkbase](https://splunkbase.splunk.com/app/6563)

+> [Windows system folders](#windows-system-folders-are-protected-by-default) are protected by default, and you cannot remove them from the list. Subfolders are also included in protection when you add a new folder to the list.

+> - Add an indicator to block or allow a file.

+>

+> [Microsoft Defender for Business](../defender-business/mdb-overview.md) does not include the "Stop and quarantine a file" action at this time.

+> Your subscription must include Defender for Endpoint Plan 2 to have all of the response actions described in this article.

+ Title: Migrate to Microsoft Defender for Endpoint from non-Microsoft endpoint protection

+# Migrate to Microsoft Defender for Endpoint from non-Microsoft endpoint protection

+If you are ready to switch from a non-Microsoft endpoint protection solution to [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) (Defender for Endpoint), or you're just interested in what all is involved in the process, use this article as a guide. This article describes the overall process of moving to [Defender for Endpoint Plan 1 or Plan 2](defender-endpoint-plan-1-2.md). The following image depicts the migration process at a high level:

+When you migrate to Defender for Endpoint, you begin with your non-Microsoft antivirus/antimalware protection in active mode. Then, you configure Microsoft Defender Antivirus in passive mode, and onboard your devices to Defender for Endpoint. Next, you configure Defender for Endpoint features, and verify that everything is working correctly. Finally, you remove the non-Microsoft solution from your devices.

+The process of migrating to Defender for Endpoint can be divided into three phases, as described in the following table:

+|[Prepare for your migration](switch-to-mde-phase-1.md)|During [the **Prepare** phase](switch-to-mde-phase-1.md): <br/>1. Update your organization's devices.<br/>2. Get Defender for Endpoint Plan 1 or Plan 2.<br/>3. Plan roles and permissions for your security team, and grant them access to the Microsoft 365 Defender portal.<br/>4. Configure your device proxy and internet settings to enable communication between your organization's devices and Defender for Endpoint. |

+|[Set up Defender for Endpoint](switch-to-mde-phase-2.md)|During [the **Setup** phase](switch-to-mde-phase-2.md): <br/>1. Enable/reinstall Microsoft Defender Antivirus, and make sure it's in passive mode on devices.<br/>2. Configure your Defender for Endpoint Plan 1 or Plan 2 capabilities.<br/>3. Add Defender for Endpoint to the exclusion list for your existing solution.<br/>4. Add your existing solution to the exclusion list for Microsoft Defender Antivirus.<br/>5. Set up your device groups, collections, and organizational units.|

+|[Onboard to Defender for Endpoint](switch-to-mde-phase-3.md)|During [the **Onboard** phase](switch-to-mde-phase-3.md): <br/>1. Onboard your devices to Defender for Endpoint.<br/>2. Run a detection test to confirm that onboarding was successful.<br/>3. Confirm that Microsoft Defender Antivirus is running in passive mode.<br/>4. Get updates for Microsoft Defender Antivirus.<br/>5. Uninstall your existing endpoint protection solution.<br/>6. Make sure that Defender for Endpoint working correctly.|

+1. [Get and deploy updates across your organization's devices](#get-and-deploy-updates-across-your-organizations-devices).

+2. [Get Microsoft Defender for Endpoint Plan 1 or Plan 2](#get-microsoft-defender-for-endpoint-plan-1-or-plan-2).

+4. [Review more information about device proxy and internet connectivity settings](#more-information-about-device-proxy-and-internet-connectivity-settings).

+As a best practice, keep your organization's devices and endpoints up to date. Make sure your existing endpoint protection and antivirus solution is up to date, and that your organization's operating systems and apps also have the latest updates. Getting updates installed now can help prevent problems later as you migrate to Defender for Endpoint and employ Microsoft Defender Antivirus on all your devices.

+Keep your existing endpoint protection solution up to date, and make sure that your organization's devices have the latest security updates. Make sure to review your solution provider's documentation for updates.

+Need help with updating your organization's devices? See the following resources:

+## Get Microsoft Defender for Endpoint Plan 1 or Plan 2

+1. Buy or try Defender for Endpoint today. [Start a free trial or request a quote](https://aka.ms/mdatp). Note that Microsoft 365 E3 includes Defender for Endpoint Plan 1, and Microsoft 365 E5 includes Defender for Endpoint Plan 2.

+4. If any devices in your organization use a proxy to access the internet, follow the guidance in [Defender for Endpoint setup: Network configuration](production-deployment.md#network-configuration).

+At this point, you're ready to grant access to your security administrators and security operators who will use the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>.

+> [!TIP]

+> The Microsoft 365 Defender portal is accessed at <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">https://security.microsoft.com</a>. The former Microsoft Defender Security Center (https://securitycenter.windows.com) now redirects to the Microsoft 365 Defender portal. To learn more, see [Microsoft 365 Defender portal overview](portal-overview.md).

+The <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a> is where you and your security team will access and configure features and capabilities of Defender for Endpoint. To learn more, see [Overview of the Microsoft 365 Defender portal](use.md).

+2. Set up and configure RBAC. We recommend using [Intune](/mem/intune/fundamentals/what-is-intune) to configure RBAC, especially if your organization is using a combination of Windows, macOS, iOS, and Android devices. See [setting up RBAC using Intune](/mem/intune/fundamentals/role-based-access-control).

+3. Grant your security team access to the Microsoft 365 Defender portal. (Need help? See [Manage portal access using RBAC](rbac.md).

+## More information about device proxy and internet connectivity settings

+To enable communication between your devices and Defender for Endpoint, you might have to configure proxy and internet settings. The following table includes links to resources you can use to configure your proxy and internet settings for various operating systems:

+|For this plan...| And this operating system... |See these resources.|

+|[Defender for Endpoint Plan 1](defender-endpoint-plan-1.md)|[Windows 11](/windows/whats-new/windows-11-overview)<br/>[Windows 10](/windows/release-health/release-information)<br/> [Windows Server 2022](/windows-server/get-started/whats-new-in-windows-server-2022) <br/> [Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019) <br/> [Windows Server 1803, or later](/windows-server/get-started/whats-new-in-windows-server-1803) <br/> [Windows Server 2016](/windows-server/get-started/whats-new-in-windows-server-2016)\*<br/>[Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)\* |[Configure and validate Microsoft Defender Antivirus network connections](configure-network-connections-microsoft-defender-antivirus.md)|

+|[Defender for Endpoint Plan 1](defender-endpoint-plan-1.md)|macOS (see [System requirements](microsoft-defender-endpoint-mac.md))|[Defender for Endpoint on macOS: Network connections](microsoft-defender-endpoint-mac.md#network-connections)|

+|[Defender for Endpoint Plan 1](defender-endpoint-plan-1.md)|Linux (see [System requirements](microsoft-defender-endpoint-linux.md#system-requirements))|[Defender for Endpoint on Linux: Network connections](microsoft-defender-endpoint-linux.md#network-connections)|

+|[Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)|[Windows 11](/windows/whats-new/windows-11-overview)<br/>[Windows 10](/windows/release-health/release-information)<br/>[Windows Server 2022](/windows-server/get-started/whats-new-in-windows-server-2022) <br/>[Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019) <br/>[Windows Server 1803, or later](/windows-server/get-started/whats-new-in-windows-server-1803) <br/>[Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016)\* <br/>[Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)\* |[Configure machine proxy and internet connectivity settings](configure-proxy-internet.md)|

+|[Defender for Endpoint Plan 2](microsoft-defender-endpoint.md) |[Windows Server 2008 R2 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) <br/>[Windows 8.1](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<br/>[Windows 7 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)|[Configure proxy and internet connectivity settings](onboard-downlevel.md#configure-proxy-and-internet-connectivity-settings)|

+|[Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)|macOS (see [System requirements](microsoft-defender-endpoint-mac.md))|[Defender for Endpoint on macOS: Network connections](microsoft-defender-endpoint-mac.md#network-connections)|

+\* Windows Server 2016 and Windows Server 2012 R2 require installation of the modern, unified solution for Windows Server 2012 R2 and 2016. For more information, see [Onboard Windows servers to Defender for Endpoint: Windows Server 2012 R2 and Windows Server 2016](/microsoft-365/security/defender-endpoint/configure-server-endpoints#windows-server-2012-r2-and-windows-server-2016).

+> [!IMPORTANT]

+> The standalone versions of Defender for Endpoint Plan 1 and Plan 2 do not include server licenses. To onboard servers, you'll need an additional license, such as [Defender for Servers Plan 1 or Plan 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan).

+**Congratulations**! You've completed the **Prepare** phase of [switching to Defender for Endpoint](switch-to-mde-overview.md#the-migration-process)!

+ Title: Common Zero Trust identity and device access policies - Microsoft 365 for enterprise

+# Common security policies for Microsoft 365 organizations

+Organizations have lots to worry about when deploying Microsoft 365 for their organization. The Conditional Access, app protection, and device compliance policies referenced in this article are based on Microsoft's recommendations and the three guiding principles of [Zero Trust](/security/zero-trust/zero-trust-overview):

+- Verify explicitly

+- Use least privilege

+- Assume breach

+Organizations can take these policies as is or customize them to fit their needs. If possible, test your policies in a non-production environment before rolling out to your production users. Testing is critical to identify and communicate any possible effects to your users.

+We group these policies into three protection levels based on where you are on your deployment journey:

+- **Starting point** - Basic controls that introduce multifactor authentication, secure password changes, and app protection policies.

+- **Enterprise** - Enhanced controls that introduce device compliance.

+- **Specialized security** - Policies that require multifactor authentication every time for specific data sets or users.

+The following diagram shows which tier of protections each policy applies to and whether the policies apply to PCs or phones and tablets, or both categories of devices.

+> [!TIP]

+> Requiring the use of multifactor authentication (MFA) is recommended before enrolling devices in Intune to assure that the device is in the possession of the intended user. You must enroll devices in Intune before you can enforce device compliance policies.

+## Prerequisites

+### Permissions

+- Users who will manage Conditional Access policies must be able to sign in to the Azure portal as a **Conditional Access Administrator**, **Security Administrator**, or **Global Administrator**.

+- Users who will manage app protection and device compliance policies must be able to sign in to Intune as an **Intune Administrator** or **Global Administrator**.

+- Those users who only need to view configurations can be assigned the **Security Reader** or **Global Reader** roles.

+For more information about roles and permissions, see the article [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference).

+### User registration

+Ensure your users register for multifactor authentication prior to requiring its use. If you have licenses that include Azure AD Premium P2, you can use the [MFA registration policy within Azure AD Identity Protection](/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy) to require that users register. We provide [communication templates](https://aka.ms/mfatemplates), you can download and customize, to promote registration.

+### Groups

+All Azure AD groups used as part of these recommendations must be created as a **Microsoft 365** group *not a Security group*. This requirement is important for the deployment of sensitivity labels when securing documents in Microsoft Teams and SharePoint later on. For more information, see the article [Learn about groups and access rights in Azure Active Directory](/azure/active-directory/fundamentals/concept-learn-about-groups#group-types)

+### Assigning policies

+Conditional Access policies may be assigned to users, groups, and administrator roles. Intune app protection and device compliance policies may be assigned to *groups only*. Before you configure your policies, you should identify who should be included and excluded. Typically, starting point protection level policies apply to everybody in the organization.

+Here's an example of group assignment and exclusions for requiring MFA after your users have completed [user registration](#user-registration).

+|| Azure AD Conditional Access policy | Include | Exclude |

+| | | | |

+| **Starting point**| Require multifactor authentication for medium or high sign-in risk | *All users* | - Emergency access accounts <br> - Conditional Access exclusion group |

+| **Enterprise**| Require multifactor authentication for low, medium, or high sign-in risk | *Executive staff group* | - Emergency access accounts <br> - Conditional Access exclusion group |

+| **Specialized security**| Require multifactor authentication always | *Top Secret Project Buckeye group* | - Emergency access accounts <br> - Conditional Access exclusion group |

+Be careful when applying higher levels of protection to groups and users. **The goal of security isn't to add unnecessary friction** to the user experience. For example, members of the *Top Secret Project Buckeye group* will be required to use MFA every time they sign in, even if they aren't working on the specialized security content for their project. Excessive security friction can lead to fatigue.

+You may consider enabling [passwordless authentication methods](/azure/active-directory/authentication/concept-authentication-passwordless), like Windows Hello for Business or FIDO2 security keys to reduce some friction created by certain security controls.

+### Emergency access accounts

+All organizations should have at least one emergency access account that is monitored for use and excluded from policies. **These accounts are only used in case all other administrator accounts and authentication methods become locked out or otherwise unavailable**. More information can be found in the article, [Manage emergency access accounts in Azure AD](/azure/active-directory/roles/security-emergency-access).

+### Exclusions

+A recommended practice is to create an Azure AD group for Conditional Access exclusions. This group gives you a means to provide access to a user while you troubleshoot access issues.

+> [!WARNING]

+> This group is recommended for use as a temporary solution only. Continuously monitor and audit this group for changes and be sure the exclusion group is being used only as intended.

+To add this exclusion group to any existing policies:

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.

+1. Select an existing policy.

+1. Under **Assignments**, select **Users or workload identities**.

+ 1. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts and Conditional Access exclusion group.

+## Deployment

+We recommend implementing the [starting point policies](#starting-point) in the order listed in this table. However, the MFA policies for [enterprise](#enterprise) and [specialized security](#specialized-security) levels of protection can be implemented at any time.

+### Starting point

+| Policy | More information | Licensing |

+| [Require MFA when sign-in risk is *medium* or *high*](#require-mfa-based-on-sign-in-risk) | Use risk data from Azure AD Identity Protection to require MFA only when risk is detected | Microsoft 365 E5 or Microsoft 365 E3 with the E5 Security add-on |

+| [Block clients that don't support modern authentication](#block-clients-that-dont-support-multifactor-authentication) | Clients that don't use modern authentication can bypass Conditional Access policies, so it's important to block them. | Microsoft 365 E3 or E5 |

+| [High risk users must change password](#high-risk-users-must-change-password) | Forces users to change their password when signing in if high-risk activity is detected for their account. | Microsoft 365 E5 or Microsoft 365 E3 with the E5 Security add-on |

+| [Apply application protection policies for data protection](#app-protection-policies) | One Intune app protection policy per platform (Windows, iOS/iPadOS, Android). | Microsoft 365 E3 or E5 |

+| [Require approved apps and app protection policies](#require-approved-apps-and-app-protection-policies) | Enforces mobile app protection policies for phones and tablets using iOS, iPadOS, or Android. | Microsoft 365 E3 or E5 |

+### Enterprise

+| Policy | More information | Licensing |

+| [Require MFA when sign-in risk is *low*, *medium*, or *high*](#require-mfa-based-on-sign-in-risk) | Use risk data from Azure AD Identity Protection to require MFA only when risk is detected | Microsoft 365 E5 or Microsoft 365 E3 with the E5 Security add-on |

+| [Define device compliance policies](#device-compliance-policies) | Set minimum configuration requirements. One policy for each platform. | Microsoft 365 E3 or E5 |

+| [Require compliant PCs and mobile devices](#require-compliant-pcs-and-mobile-devices) | Enforces the configuration requirements for devices accessing your organization | Microsoft 365 E3 or E5 |

+### Specialized security

+| Policy | More information | Licensing |

+||||

+| [*Always* require MFA](#always-require-mfa) | Users must perform MFA anytime they sign in to your organizations services | Microsoft 365 E3 or E5 |

+## App protection policies

+[App protection policies](/mem/intune/apps/app-protection-policy) define which apps are allowed and the actions they can take with your organization's data. There are many choices available and it may be confusing to some. The following baselines are Microsoft's recommended configurations that may be tailored to your needs. We provide three templates to follow, but think most organizations will choose levels 2 and 3.

+Level 2 maps to what we consider [starting point](#starting-point) or [enterprise](#enterprise) level security, level 3 maps to [specialized](#specialized-security) security.

+- [Level 1 enterprise basic data protection](/mem/intune/apps/app-protection-framework#level-1-enterprise-basic-data-protection) ΓÇô Microsoft recommends this configuration as the minimum data protection configuration for an enterprise device.

+- **[Level 2 enterprise enhanced data protection](/mem/intune/apps/app-protection-framework#level-2-enterprise-enhanced-data-protection)** ΓÇô Microsoft recommends this configuration for devices where users access sensitive or confidential information. This configuration is applicable to most mobile users accessing work or school data. Some of the controls may affect user experience.

+- **[Level 3 enterprise high data protection](/mem/intune/apps/app-protection-framework#level-3-enterprise-high-data-protection)** ΓÇô Microsoft recommends this configuration for devices run by an organization with a larger or more sophisticated security team, or for specific users or groups who are at uniquely high risk (users who handle highly sensitive data where unauthorized disclosure causes considerable material loss to the organization). An organization likely to be targeted by well-funded and sophisticated adversaries should aspire to this configuration.

+### Create app protection policies

+Create a new app protection policy for each platform (iOS and Android) within Microsoft Intune using the data protection framework settings by:

+- Manually create the policies by following the steps in [How to create and deploy app protection policies with Microsoft Intune](/mem/intune/apps/app-protection-policies).

+- Import the sample [Intune App Protection Policy Configuration Framework JSON templates](https://github.com/microsoft/Intune-Config-Frameworks/tree/master/AppProtectionPolicies) with [Intune's PowerShell scripts](https://github.com/microsoftgraph/powershell-intune-samples).

+## Device compliance policies

+Intune device compliance policies define the requirements that devices must meet to be determined as compliant.

+You must create a policy for each PC, phone, or tablet platform. This article will cover recommendations for the following platforms:

+- [Android](#enrollment-and-compliance-settings-for-android)

+- [iOS/iPadOS](#enrollment-and-compliance-settings-for-iosipados)

+- [Windows 10 and later](#recommended-compliance-settings-for-windows-10-and-later)

+### Create device compliance policies

+To create device compliance policies, sign in to the [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com), and navigate to **Devices** > **Compliance policies** > **Policies**. Select **Create Policy**.

+For step-by-step guidance on creating compliance policies in Intune, see [Create a compliance policy in Microsoft Intune](/mem/intune/protect/create-compliance-policy).

+#### Enrollment and compliance settings for iOS/iPadOS

+- [Automated device enrollment for corporate-owned devices](/mem/intune/enrollment/device-enrollment-program-enroll-ios) ΓÇô these devices are corporate-owned, associated with a single user, and used exclusively for work and not personal use.

+Using the principles outlined in [Zero Trust identity and device access configurations](microsoft-365-policies-configurations.md):

+- The [starting point](#starting-point) and [enterprise](#enterprise) protection tiers map closely with the level 2 enhanced security settings.

+- The [specialized](#specialized-security) security protection tier maps closely to the level 3 high security settings.

+##### Compliance settings for personally enrolled devices

+- [Personal basic security (Level 1)](/mem/intune/enrollment/ios-ipados-personal-device-security-configurations#personal-basic-security-level-1) ΓÇô Microsoft recommends this configuration as the minimum security configuration for personal devices where users access work or school data. This configuration is done by enforcing password policies, device lock characteristics, and disabling certain device functions, like untrusted certificates.

+- **[Personal enhanced security (Level 2)](/mem/intune/enrollment/ios-ipados-personal-device-security-configurations#personal-enhanced-security-level-2)** ΓÇô Microsoft recommends this configuration for devices where users access sensitive or confidential information. This configuration enacts data sharing controls. This configuration is applicable to most mobile users accessing work or school data on a device.

+- **[Personal high security (Level 3)](/mem/intune/enrollment/ios-ipados-personal-device-security-configurations#personal-high-security-level-3)** ΓÇô Microsoft recommends this configuration for devices used by specific users or groups who are uniquely high risk (users who handle highly sensitive data where unauthorized disclosure causes considerable material loss to the organization). This configuration enacts stronger password policies, disables certain device functions, and enforces extra data transfer restrictions.

+##### Compliance settings for automated device enrollment

+- [Supervised basic security (Level 1)](/mem/intune/enrollment/ios-ipados-supervised-device-security-configurations#supervised-basic-security-level-1) ΓÇô Microsoft recommends this configuration as the minimum security configuration for supervised devices where users access work or school data. This configuration is done by enforcing password policies, device lock characteristics, and disabling certain device functions, like untrusted certificates.

+- **[Supervised enhanced security (Level 2)](/mem/intune/enrollment/ios-ipados-supervised-device-security-configurations#supervised-enhanced-security-level-2)** ΓÇô Microsoft recommends this configuration for devices where users access sensitive or confidential information. This configuration enacts data sharing controls and blocks access to USB devices. This configuration is applicable to most mobile users accessing work or school data on a device.

+- **[Supervised high security (Level 3)](/mem/intune/enrollment/ios-ipados-supervised-device-security-configurations#supervised-high-security-level-3)** ΓÇô Microsoft recommends this configuration for devices used by specific users or groups who are uniquely high risk (users who handle highly sensitive data where unauthorized disclosure causes considerable material loss to the organization). This configuration enacts stronger password policies, disables certain device functions, enforces extra data transfer restrictions, and requires apps to be installed through Apple's volume purchase program.

+#### Enrollment and compliance settings for Android

+- [Android Enterprise work profile](/mem/intune/enrollment/android-work-profile-enroll) ΓÇô this enrollment model is typically used for personally owned devices, where IT wants to provide a clear separation boundary between work and personal data. Policies controlled by IT ensure that the work data can't be transferred into the personal profile.

+- [Android Enterprise fully managed devices](/mem/intune/enrollment/android-fully-managed-enroll) ΓÇô these devices are corporate-owned, associated with a single user, and used exclusively for work and not personal use.

+Using the principles outlined in [Zero Trust identity and device access configurations](microsoft-365-policies-configurations.md):

+- The [starting point](#starting-point) and [enterprise](#enterprise) protection tiers map closely with the level 2 enhanced security settings.

+- The [specialized](#specialized-security) security protection tier maps closely to the level 3 high security settings.

+##### Compliance settings for Android Enterprise work profile devices

+- Because of the settings available for personally owned work profile devices, there's no basic security (level 1) offering. The available settings don't justify a difference between level 1 and level 2.

+- **[Work profile enhanced security (Level 2)](/mem/intune/enrollment/android-work-profile-security-settings#personally-owned-work-profile-enhanced-security)**ΓÇô Microsoft recommends this configuration as the minimum security configuration for personal devices where users access work or school data. This configuration introduces password requirements, separates work and personal data, and validates Android device attestation.

+- **[Work profile high security (Level 3)](/mem/intune/enrollment/android-work-profile-security-settings#personally-owned-work-profile-high-security)** ΓÇô Microsoft recommends this configuration for devices used by specific users or groups who are uniquely high risk (users who handle highly sensitive data where unauthorized disclosure causes considerable material loss to the organization). This configuration introduces mobile threat defense or Microsoft Defender for Endpoint, sets the minimum Android version, enacts stronger password policies, and further restricts work and personal separation.

+##### Compliance settings for Android Enterprise fully managed devices

+- [Fully managed basic security (Level 1)](/mem/intune/enrollment/android-fully-managed-security-settings#fully-managed-basic-security) ΓÇô Microsoft recommends this configuration as the minimum security configuration for an enterprise device. This configuration is applicable to most mobile users accessing work or school data. This configuration introduces password requirements, sets the minimum Android version, and enacts certain device restrictions.

+- **[Fully managed enhanced security (Level 2)](/mem/intune/enrollment/android-fully-managed-security-settings#fully-managed-enhanced-security)** ΓÇô Microsoft recommends this configuration for devices where users access sensitive or confidential information. This configuration enacts stronger password policies and disables user/account capabilities.

+- **[Fully managed high security (Level 3)](/mem/intune/enrollment/android-fully-managed-security-settings#fully-managed-high-security)** - Microsoft recommends this configuration for devices used by specific users or groups who are uniquely high risk. These users may handle highly sensitive data where unauthorized disclosure may cause considerable material loss to the organization. This configuration increases the minimum Android version, introduces mobile threat defense or Microsoft Defender for Endpoint, and enforces extra device restrictions.

+#### Recommended compliance settings for Windows 10 and later

+The following settings are configured in **Step 2: Compliance settings**, of the [compliance policy creation process for Windows 10 and newer devices](/mem/intune/protect/compliance-policy-create-windows). These settings align with the principles outlined in [Zero Trust identity and device access configurations](microsoft-365-policies-configurations.md).

+| Property | Value |

+|||

+| Require BitLocker | Require |

+| Require Secure Boot to be enabled on the device | Require |

+| Require code integrity | Require |

+For **Configuration Manager Compliance**, if you are in a co-managed environment with Configuration Manager select **Require** otherwise select **Not configured**.

+| Property | Value |

+|||

+| Require a password to unlock mobile devices | Require |

+| Simple passwords | Block |

+| Password type | Device default |

+| Minimum password length | 6 |

+| Maximum minutes of inactivity before password is required | 15 minutes |

+| Password expiration (days) | 41 |

+| Number of previous passwords to prevent reuse | 5 |

+| Require password when device returns from idle state (Mobile and Holographic) | Require |

+| Require encryption of data storage on device | Require |

+| Firewall | Require |

+| Antivirus | Require |

+| Antispyware | Require |

+| Microsoft Defender Antimalware | Require |

+| Microsoft Defender Antimalware minimum version | Microsoft recommends versions no more than five behind from the most recent version. |

+| Microsoft Defender Antimalware signature up to date | Require |

+| Real-time protection | Require |

+For **Microsoft Defender for Endpoint**

+| Property | Value |

+|||

+| [Require the device to be at or under the machine-risk score](/mem/intune/protect/advanced-threat-protection-configure#create-and-assign-compliance-policy-to-set-device-risk-level) | Medium |

+## Conditional Access policies

+Once your app protection and device compliance policies are created in Intune, you can enable enforcement with Conditional Access policies.

+### Require MFA based on sign-in risk

+Follow the guidance in the article [Common Conditional Access policy: Sign-in risk-based multifactor authentication](/azure/active-directory/conditional-access/howto-conditional-access-policy-risk) to create a policy to require multifactor authentication based on sign-in risk.

+When configuring your policy, use the following risk levels.

+| Level of protection | Risk level values needed | Action |

+||||

+| Starting point | High, medium | Check both. |

+| Enterprise | High, medium, low | Check all three. |

+### Block clients that don't support multifactor authentication

+Follow the guidance in the article [Common Conditional Access policy: Block legacy authentication](/azure/active-directory/conditional-access/howto-conditional-access-policy-block-legacy) to block legacy authentication.

+For Exchange Online, you can use authentication policies to [disable Basic authentication](/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online), which forces all client access requests to use modern authentication.

+### High risk users must change password

+Follow the guidance in the article [Common Conditional Access policy: User risk-based password change](/azure/active-directory/conditional-access/howto-conditional-access-policy-block-legacy) to require users with compromised credentials to change their password.

+Use this policy along with [Azure AD password protection](/azure/active-directory/authentication/concept-password-ban-bad), which detects and blocks known weak passwords and their variants in addition to terms specific to your organization. Using Azure AD password protection ensures that changed passwords are stronger.

+### Require approved apps and app protection policies

+**You must create a Conditional Access policy** to enforce the app protection policies created in Intune. Enforcing app protection policies requires a Conditional Access policy **and** a corresponding app protection policy.

+To create a Conditional Access policy that requires approved apps and APP protection, follow the steps in [Require approved client apps or app protection policy with mobile devices](/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection). This policy only allows accounts within mobile apps protected by app protection policies to access Microsoft 365 endpoints.

+Blocking legacy authentication for other client apps on iOS and Android devices ensures that these clients can't bypass Conditional Access policies. If you're following the guidance in this article, you've already configured [Block clients that don't support modern authentication](#block-clients-that-dont-support-multifactor-authentication).

+### Require compliant PCs and mobile devices

+The following steps will help create a Conditional Access policy to require devices accessing resources be marked as compliant with your organization's Intune compliance policies.

+> [!CAUTION]

+> Make sure that your device is compliant before enabling this policy. Otherwise, you could get locked out and be unable to change this policy until your user account has been added to the Conditional Access exclusion group.

+1. Sign in to the **Azure portal**.

+1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.

+1. Select **New policy**.

+1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.

+1. Under **Assignments**, select **Users or workload identities**.

+ 1. Under **Include**, select **All users**.

+ 1. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts.

+1. Under **Cloud apps or actions** > **Include**, select **All cloud apps**.

+ 1. If you must exclude specific applications from your policy, you can choose them from the **Exclude** tab under **Select excluded cloud apps** and choose **Select**.

+1. Under **Access controls** > **Grant**.

+ 1. Select **Require device to be marked as compliant**.

+ 1. Select **Select**.

+1. Confirm your settings and set **Enable policy** to **On**.

+1. Select **Create** to create to enable your policy.

+> You can enroll your new devices to Intune even if you select **Require device to be marked as compliant** for **All users** and **All cloud apps** in your policy. **Require device to be marked as compliant** control does not block Intune enrollment and the access to the Microsoft Intune Web Company Portal application.

+#### Subscription activation

+Organizations using the [Subscription Activation](/windows/deployment/windows-10-subscription-activation) feature to enable users to ΓÇ£step-upΓÇ¥ from one version of Windows to another, may want to exclude the Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f from their device compliance policy.

+### Always require MFA

+Follow the guidance in the article [Common Conditional Access policy: Require MFA for all users](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa) to require your specialized security level users to always perform multifactor authentication.

+> [!WARNING]

+> When configuring your policy, select the group that requires specialized security and use that **instead of selecting All users**.

+## Next steps

+- Admins can report false positives to Microsoft from quarantine. For more information, see [Take action on quarantined email](quarantine-admin-manage-messages-files.md#take-action-on-quarantined-email) and [Take action on quarantined files](quarantine-admin-manage-messages-files.md#take-action-on-quarantined-files).

+- Depending on the [user reported message settings](submissions-user-reported-messages-files-custom-mailbox.md) in the organization (specifically, the **Let your organization report messages from quarantine** setting), users can report false positives to Microsoft from quarantine.

+||[Block clients that don't support modern authentication](identity-access-policies.md#block-clients-that-dont-support-multifactor-authentication)|Include Exchange Online in the assignment of cloud apps|

+||[Apply APP data protection policies](identity-access-policies.md#app-protection-policies)|Be sure Outlook is included in the list of apps. Be sure to update the policy for each platform (iOS, Android, Windows)|

+||[Require approved apps and APP protection](identity-access-policies.md#require-approved-apps-and-app-protection-policies)|Include Exchange Online in the list of cloud apps|

+For mobile devices, modern authentication-capable Exchange ActiveSync clients that do not support Intune app protection policies (or supported clients that are not defined in the app protection policy) and Exchange ActiveSync clients that use basic authentication are blocked based on the Conditional Access policy created in [Require approved apps and APP protection](identity-access-policies.md#require-approved-apps-and-app-protection-policies).

+||[Block clients that don't support modern authentication](identity-access-policies.md#block-clients-that-dont-support-multifactor-authentication)|Include SharePoint in the assignment of cloud apps.|

+||[Apply APP data protection policies](identity-access-policies.md#app-protection-policies)|Be sure all recommended apps are included in the list of apps. Be sure to update the policy for each platform (iOS, Android, Windows).|

+ In the **Add a mailbox to send reported messages to** box that appears, enter the email address of an existing Exchange Online mailbox to use as the reporting mailbox that holds user reported messages from Microsoft reporting tools. Distribution groups are not allowed.

+ **Let your organization report messages from quarantine** in the **Report from quarantine** section: Verify that this setting is selected to let users report messages from quarantine. Otherwise, uncheck this setting.

+||[Block clients that don't support modern authentication](identity-access-policies.md#block-clients-that-dont-support-multifactor-authentication)|Include Teams and dependent services in the assignment of cloud apps.|

+||[Apply APP data protection policies](identity-access-policies.md#app-protection-policies)|Be sure Teams and dependent services are included in the list of apps. Update the policy for each platform (iOS, Android, Windows).|

+||[Define device compliance policies](identity-access-policies.md#create-device-compliance-policies)|Include Teams and dependent services in this policy.|

+|1|[Enable Azure AD Multifactor Authentication (MFA)](#1-enable-azure-ad-multifactor-authentication-mfa)||||

+## 1: Enable Azure AD Multifactor Authentication (MFA)

+Normally, Microsoft recommends you give users 14 days to register their device for Multifactor Authentication before requiring MFA. However, if your workforce is suddenly working from home, go ahead and require MFA as a security priority and be prepared to help users who need it.

+|Microsoft 365 E5 (with Azure AD P2)|Taking advantage of feature in Azure Active Directory, begin to implement Microsoft's [recommended set of Conditional Access and related policies](./office-365-security/identity-access-policies.md) like:<br/> - Requiring MFA when sign-in risk is medium or high. <br/>- Blocking clients that don't support modern authentication. <br/>- Requiring high risk users change their password.

+ 1. Use the [Apply APP data protection policies](./office-365-security/identity-access-policies.md#app-protection-policies) guidance to create policies for iOS and Android. Level 2 (enhanced data protection) is recommended for baseline protection.

+ 2. Create a conditional access rule to [Require approved apps and APP protection](./office-365-security/identity-access-policies.md#require-approved-apps-and-app-protection-policies).

+- [Define device-compliance policies](./office-365-security/identity-access-policies.md#create-device-compliance-policies) ΓÇö The recommended settings for Windows 10 include requiring antivirus protection. If you have Microsoft 365 E5, use Microsoft Defender for Endpoint to monitor the health of employee devices. Be sure compliance policies for other operating systems include antivirus protection and end-point protection software.

+|Multifactor authentication|[Two-step verification: What is the additional verification page?](/azure/active-directory/user-help/multi-factor-authentication-end-user-first-time) <p>This article helps end users understand what multifactor authentication is and why it's being used at your organization.|

+|Microsoft 365 E5 (includes Azure AD Premium P2 licenses) |Taking advantage of feature in Azure Active Directory, begin to implement Microsoft's [recommended set of Conditional Access and related policies](../security/office-365-security/identity-access-policies.md) like:<br/> - Requiring MFA when sign-in risk is medium or high. <br/>- Blocking clients that don't support modern authentication. <br/>- Requiring high risk users change their password.|

+|1 | [Apply Application Protection Policies (APP) data protection](../security/office-365-security/identity-access-policies.md#app-protection-policies) | One Intune App Protection policy per platform (Windows, iOS/iPadOS, Android). | Microsoft 365 E3 or E5 |

+|2 | [Require approved apps and app protection ](../security/office-365-security/identity-access-policies.md#require-approved-apps-and-app-protection-policies) | Enforces mobile app protection for phones and tablets using iOS, iPadOS, or Android. | Microsoft 365 E3 or E5 |

+You want to be sure devices that are accessing your apps and data meet minimum requirements. For example, theyΓÇÖre password or pin-protected and the operating system is up to date. Compliance policies are the way to define the requirements that devices must meet. MEM uses these compliance policies to mark a device as compliant or non-compliant. This binary status is passed to Azure AD which can use this status in conditional access rules to allow or prevent a device from accessing resources.

+|[Define device compliance policies ](../security/office-365-security/identity-access-policies.md#create-device-compliance-policies) | One policy for each platform | Microsoft 365 E3 or E5 |

+Go to [Step 4. Require healthy and compliant devices](manage-devices-with-intune-require-compliance.md) for instructions on how to create the conditional access rule in Azure AD.