Create a Device-Based Conditional Access Policy

About this task

In Azure AD, create a device-based conditional access policy to control app access based on device compliance status.


  1. Navigate to Microsoft Azure portal and select Azure AD Conditional Access.
  2. Select New Policy to view the New Conditional Access Policy page.
  3. Enter a name for the new policy.
  4. Select Users and Groups then select an option such as All Users.
    Tip: Depending on licensing and permissions, this assignment may carry an alternate label, such as Users or Users or workload identities, instead of Users and Groups.
  5. Select Cloud apps, then select the Exclude tab.

    If you choose Select apps instead of All cloud apps, do not add an app related to, or named, "MobiControl" under Include. Apps listed under Include are blocked as soon as the device becomes non-compliant, so including a MobiControl app would block MobiControl's own access to Azure AD for that device. Apps listed under Exclude are never blocked by this policy.

    If you choose All cloud apps, you do not have to add anything under Include. Whichever option you choose, keep Microsoft Cloud App Security on the Exclude list.

  6. From Select excluded cloud apps, select Microsoft Cloud App Security.


  7. If security defaults are still enabled for the tenant, select the disable security defaults link; Azure AD does not allow Conditional Access policies while security defaults are on.
  8. In the Enable security defaults panel, under Enable security defaults, select No. Select Save.
    Note: Security defaults provide tenant-wide baseline protection (for example, requiring multi-factor authentication registration and blocking legacy authentication). Once they are off, those protections apply only if you enforce them through your own Conditional Access policies.
  9. Optionally, under Conditions, add further conditions that must be met before access is granted (such as Locations).
  10. Under Access Controls, select Grant then Require device to be marked as compliant. Choose Select to accept.
  11. Under Enable policy, select On, then Create to create the conditional access policy. If you prefer to confirm the policy's effect on real sign-ins before enforcing it, select Report-only first, review the sign-in logs, and then switch the policy to On.
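
The same policy, created with Microsoft Graph PowerShell instead of the portal. This is an added example and is not SOTI's code or part of this documentation. It assumes the Microsoft.Graph module is installed, the signed-in account is allowed to write Conditional Access policy and read service principals, and that the policy name and the "Microsoft Cloud App Security" display name lookup match your tenant; adjust both if they do not.

```powershell
# Added example (not SOTI documentation): create the device-based Conditional
# Access policy from the steps above with Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; account can write Conditional
# Access policy and read service principals; names below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Steps 7-8: Conditional Access policies cannot be created while security
# defaults are enabled, so turn them off first (same effect as the portal toggle).
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false

# Steps 5-6: exclude Microsoft Cloud App Security. Look its app ID up by display
# name in this tenant rather than hard-coding a GUID.
$mcas = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Cloud App Security'"
if (-not $mcas) { throw "Microsoft Cloud App Security service principal not found" }

# Step 5 guardrail: nothing named MobiControl may appear under Include. With
# "All" cloud apps there is nothing to list explicitly; the check matters only
# if you later switch to a specific app list.
$includeApps = @("All")
if ($includeApps -match "MobiControl") {
    throw "Do not include MobiControl apps; they would be blocked on non-compliant devices"
}

$params = @{
    displayName   = "Require compliant device (MobiControl)"   # assumed policy name
    # Start in report-only mode; switch to "enabled" (step 11) after reviewing sign-in logs.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All") }           # step 4: All users
        applications   = @{
            includeApplications = $includeApps                  # step 5: All cloud apps
            excludeApplications = @($mcas.AppId)                # step 6: exclude MCAS
        }
        clientAppTypes = @("all")
    }
    grantControls = @{                                          # step 10
        operator        = "OR"
        builtInControls = @("compliantDevice")                  # Require device to be marked as compliant
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
$policy | Select-Object Id, DisplayName, State
```

After the policy has run in report-only mode for a while, set `state` to `enabled` with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -State enabled`, which corresponds to selecting On in step 11.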

What to do next

The next step in integrating Microsoft 365 is connecting SOTI MobiControl to Microsoft Endpoint Manager.