Mark an Azure AD device as compliant without using Intune


We use MobileIron with on-prem Exchange but are now looking to move some of our users to Office 365. I would like to avoid using a Sentry if possible (i.e. have the user devices go to Office 365 for email etc. directly rather than via the extra hop of a Sentry) but at the same time I want to restrict such access to just company managed devices. Via Conditional Access policies I see that one can set access to be only from devices marked as compliant, but from what I see this is a flag only Intune can set. Is there a way of setting a device as compliant via something like MobileIron?

I am interested in hearing any other suggestions or experiences from others who've had to do something similar. We have a mix of iOS and Android devices all currently managed via MobileIron on-prem. Even if the workaround for now is to manually mark devices as compliant via Graph API or PowerShell that'll do too.


There are 2 answers

Allen Wu (best answer)

Based on the "Require device to be marked as compliant" document, this option requires a device to be registered with Azure AD and also to be marked as compliant by:

  • Intune
  • A third-party mobile device management (MDM) system that manages Windows 10 devices via Azure AD integration. Third-party MDM systems for device OS types other than Windows 10 are not supported.

So currently, iOS and Android devices are not supported.

BTW, Graph API or PowerShell configurations should be the same as what can be done in the Azure portal.

Michael

Conditional Access policies already allow non-Windows OS devices. Use the filter to include "Trust Type", then select AD Registered or AD Joined as the device type needed for non-Windows and Windows devices. Then use a negative operator to say "Block all access, UNLESS the trust type is one of the above". It works; we use it successfully. You just have to AD register your devices; Microsoft has notes on how to AD register devices.
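The "block unless the device is Azure AD registered or joined" policy Michael describes, expressed as a Conditional Access policy created through the Microsoft Graph PowerShell SDK; this is an added example, not code from the thread or from Microsoft. It assumes the Microsoft.Graph module is installed, the signed-in account holds the Policy.ReadWrite.ConditionalAccess and Application.Read.All permissions, and the break-glass group object ID is a placeholder you replace with your own.

```powershell
# Added example (not from the original thread). Creates the Conditional Access policy
# described in the answer above: block all access to Office 365 EXCEPT from devices
# whose trust type is Azure AD registered or Azure AD joined.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$policy = @{
    displayName = "Block Office 365 unless device is Azure AD registered or joined"
    # Start in report-only mode: review the sign-in logs for unexpected blocks
    # (unregistered devices, service accounts) before switching to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers  = @("All")
            # Placeholder: always exclude a break-glass / emergency-access group
            # from a blocking policy so you cannot lock yourself out.
            excludeGroups = @("<break-glass-group-object-id>")
        }
        applications   = @{ includeApplications = @("Office365") }   # the Office 365 app group
        clientAppTypes = @("all")
        devices        = @{
            deviceFilter = @{
                # "exclude" mode = the block applies to every device EXCEPT those
                # matching the rule. Unregistered devices carry no trustType, so they
                # do not match and are blocked, which is the intended effect.
                mode = "exclude"
                # trustType values: "Workplace" = Azure AD registered,
                # "AzureAD" = Azure AD joined, "ServerAD" = hybrid Azure AD joined.
                rule = 'device.trustType -eq "Workplace" -or device.trustType -eq "AzureAD"'
            }
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Check the result under Azure AD > Security > Conditional Access and use the "What If" tool against a registered and an unregistered test device before changing the state to "enabled".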