Miscellaneous policy mapping from Basic Mobility and Security to Intune
This article provides mapping details between Basic Mobility and Security to Intune. Specifically, this page maps the following Microsoft Purview compliance portal policies and device properties to the equivalent policies and properties in the Microsoft Intune admin center:
- Device properties and actions
- Organization-wide device access settings
- Device security policies Name and Description
Intune offers more policy flexibility. So, each Office policy translates into multiple Intune and Microsoft Entra policies to achieve the same result.
If you're migrating from Basic Mobility and Security to Intune, you can use the Migration evaluation tool to automate much of this mapping.
Device properties and actions
To see these settings, sign in to the Microsoft 365 admin center and then select a device.
User
- Devices > All devices > device name > Overview > Enrolled by
Device type
- Devices > All devices > device name > Overview > Operating system
State
This setting isn't a default column in the admin center device list. You can show it by using the Columns picker.
- Devices > All devices > Device state column
OS version
- Devices > All devices > device name > Hardware > Operating system version
Factory reset
- Devices > All devices > device name > Overview > Wipe
Remove company data
- Devices > All devices > device name > Overview > Retire
Organization-wide device access settings
To see these settings in the Microsoft Purview compliance portal, sign in to the Purview compliance portal. Then, select Device security policies > Manage organization-wide device access settings.
These settings are backed by the Conditional Access policy [GraphAggregatorService] Device policy. It includes:
- Device platforms: iOS, Android
- Target client apps: Mobile app desktop clients
- Access controls: require compliant device
If a device isn't supported by MDM for Office 365, do you want to allow or block it from using an Exchange account to access your organization's email?
This setting modifies one classic Conditional Access policy:
- Endpoint security > Conditional Access > Classic policies > [GraphAggregatorService] Device policy > Conditions > Client apps (Preview) > Mobile apps and desktop clients > Exchange ActiveSync clients > Apply policy only to supported platform
Are there any security groups you want to exclude from access control?
This setting modifies five classic Conditional Access policies:
[GraphAggregatorService] Device policy
[Office 365 Exchange Online] Device policy
[Outlook Service for Exchange] Device policy
[Office 365 SharePoint Online] Device policy
[Outlook Service for OneDrive] Device policy
Endpoint security > Conditional Access > policy name > Users and groups > Exclude
Device security policy Name and Description
To see these settings in the Microsoft Purview compliance portal, sign in to the Purview compliance portal. Then, select Device security policies > policy name > Edit policy > Name.
Name
Up to three compliance policies and up to six configuration profiles (three for restrictions and three for email):
- Devices > By platform > Windows > Manage devices > Compliance > policy name_O365_W > Properties > Basics Edit > Name
- Devices > By platform > iOS/iPadOS > Manage devices > Compliance > policy name_O365_i > Properties > Basics Edit > Name
- Devices > By platform > Android > Manage devices > Compliance > policy name_O365_A > Properties > Basics Edit > Name
- Devices > By platform > Windows > Manage devices > Configuration > policy name_O365_W > Properties > Basics Edit > Name
- Devices > By platform > iOS/iPadOS > Manage devices > Configuration> policy name_O365_i > Properties > Basics Edit > Name
- Devices > By platform > Android > Manage devices > Configuration > policy name_O365_A > Properties > Basics Edit > Name
- Devices > By platform > Windows > Manage devices > Configuration > policy name_O365_W_Email > Properties > Basics Edit > Name
- Devices > By platform > iOS/iPadOS > Manage devices > Configuration> policy name_O365_i_Email > Properties > Basics Edit > Name
- Devices > By platform > Android > Manage devices > Configuration > policy name_O365_A_Email > Properties > Basics Edit > Name
Description
Up to three compliance policies and up to six configuration profiles (three for restrictions and three for email):
- Devices > By platform > Windows > Manage devices > Compliance > policy name_O365_W > Properties > Basics Edit > Description
- Devices > By platform > iOS/iPadOS > Manage devices > Compliance > policy name_O365_i > Properties > Basics Edit > Description
- Devices > By platform > Android > Manage devices > Compliance > policy name_O365_A > Properties > Basics Edit > Description
- Devices > By platform > Windows > Manage devices > Configuration > policy name_O365_W > Properties > Basics Edit > Description
- Devices > By platform > iOS/iPadOS > Manage devices > Configuration> policy name_O365_i > Properties > Basics Edit > Description
- Devices > By platform > Android > Manage devices > Configuration > policy name_O365_A > Properties > Basics Edit > Description
- Devices > By platform > Windows > Manage devices > Configuration > policy name_O365_W_Email > Properties > Basics Edit > Description
- Devices > By platform > iOS/iPadOS > Manage devices > Configuration> policy name_O365_i_Email > Properties > Basics Edit > Description
- Devices > By platform > Android > Manage devices > Configuration > policy name_O365_A_Email > Properties > Basics Edit > Description
Related article
To migrate these policies, you can use the Migration evaluation tool.