How to Restrict Access to a Web Application Based on Device Compliance Using Intune and Azure AD?

Mohan s 20 Reputation points
2024-11-04T09:59:18.2+00:00

I am currently using Microsoft Intune to manage access to a third-party web application that I have registered as a web link app type. I’ve successfully added the application in Intune, and it appears in the Company Portal. However, I am facing an issue where users can share the link to the web application with others who do not have the Company Portal app installed. As a result, these users can access the application from non-compliant devices, which I want to prevent.

Requirements:

  • I need to restrict access to the web application so that it can only be opened on devices that are compliant with our Intune policies.
  • If a user tries to access the application on a non-compliant device (even if they have the link), they should be blocked from opening the application.

Steps Taken:

  1. Conditional Access Policies: I have created a Conditional Access policy in Azure AD that requires devices to be compliant to access the application.
  2. Compliance Policies: I have set up compliance policies in Intune to define the compliance criteria for devices.

Questions:

  1. What additional configurations or steps should I implement to ensure that only compliant devices can access the web application, particularly to prevent link sharing?
  2. Are there specific Intune App Protection Policies I should apply that would further restrict access based on device compliance?

Any guidance or best practices on how to effectively enforce these restrictions would be greatly appreciated!

Microsoft Intune iOS
Microsoft Intune iOS
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.iOS: An Apple mobile operating system.
237 questions
Microsoft Intune Android
Microsoft Intune Android
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Android: An open-source mobile platform based on the Linux kernel, developed by Google, and maintained by the Open Handset Alliance.
307 questions
Microsoft Intune Application management
Microsoft Intune Application management
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Application management: The process of creating, configuring, managing, and monitoring applications.
963 questions
Microsoft Intune Compliance
Microsoft Intune Compliance
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Compliance: Adhering to rules, standards, policies, and laws.
170 questions
Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
5,251 questions
{count} votes

1 answer

Sort by: Most helpful
  1. ZhoumingDuan-MSFT 14,050 Reputation points Microsoft Vendor
    2024-11-05T02:52:03.3933333+00:00

    @Mohan s, Thanks for posting in Q&A.

    From your description, I know you want to restrict access to a web application using Intune and have created Conditional Access Policies and Compliance Policies.

    Based as I know, Conditional access policy prevents access to a resource by blocking the target resource, through your description, devices that do not comply with the conditional access policy can still access the application, it may be because you configured the Target Resource incorrectly, so please check if your target resource is correct.

    User's image

    Here is a link about all resource we can configure.

    https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-cloud-apps

    Also, please look through the sign in log to see if the conditional access policy is working properly.

    https://learn.microsoft.com/en-us/entra/identity/monitoring-health/how-to-view-applied-conditional-access-policies

    Please check above information, if there is any update, feel free to let me know.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.