Your MDM is not compliant state ready
Just use it if your Mobile Device Management is not ready for sending the compliant state to Azure AD
Your MDM cannot sent or your MDM is not ready to sent the compliant state to Azure Active Directory, because of different reason. That could one solution be that you build an automation around it.
With the new Device Filter Options in Conditional Access (Still in preview (11.11.2021)) there is an opportunity to make it simple.
- Take the compliant State information out of your current MDM. (CSV, API or whatever it provides you the information)
- Take this info and update alle the devices with hopefully are already registered in AzureAD (registered or joined make not different) and update the Device.ExtensionAttributes. This can be achieved through Graph API MSGraph Device Update. Please be careful with Directory.ReadWrite.All permission!
- Build an Conditional Access Policy like this:
Users -> All Exclude Emergency Access Accounts
- Apps -> All
- Conditions: DeviceFilters (preview) -> device.extensionAttribute10 -ne “compliant”
- Control -> RequireMFA
Then you should have a solution that helps a BUT the goal should be -> MDM sent compliant state to AzureAD like Intune!