Microsoft Intune: Control Who Reaches Your Data

Microsoft Intune is the Microsoft 365 service that decides whether a device is allowed to reach your company data, checking each one against your compliance policies and blocking any that fall short before it connects.

 

A staff member logs in from a personal laptop with no passcode, no encryption, and a two-year-old operating system. Does that laptop reach your email and files? For most businesses, the honest answer is yes.

This guide is about the part of device management most owners never see: the check that happens the instant a device tries to connect. It explains how Microsoft Intune turns your security rules into an access gate, so a device that fails the rules is stopped rather than trusted. It is written for business owners and managers, not IT specialists.

Managing the devices themselves is a related job, and we cover that separately in our guide to mobile device management. Here the focus is narrower and, for many businesses, more important: making compliance the condition of access.

What Is Microsoft Intune and What Does It Actually Do?

Microsoft Intune is a cloud service, included with several Microsoft 365 plans, that sets the rules a device must meet and then enforces those rules at the point of access. It does two connected jobs: it defines what a healthy, trusted device looks like, and it decides who gets in based on that definition.

The second job is the one that changes how safe your business really is. Rather than hoping every device is set up correctly, you let the platform check each one against your standard every time it asks for company data. A device that meets the standard connects. A device that does not is held back until it is fixed.

How is this different from just managing devices?

Managing a device means configuring and securing it. Gating access means deciding, in real time, whether that device is currently allowed in. Intune does both. The access decision is the part that stops an unmanaged or unhealthy device from reaching your data when nothing else would.

The distinction is easy to miss because both jobs live in the same place. A business can enrol every device, tick the box marked done, and still leave the door open, because enrolment on its own never checks whether a device is allowed in when it connects. The value is not in owning the device list. It is in acting on it at the moment of access.

What problem does it actually solve for an owner?

It removes the unspoken assumption that every device touching your data is safe. Most breaches in small businesses do not begin with a dramatic hack. They begin with an ordinary device that should never have had access. A personal laptop, an old phone, a former staff member’s tablet, connecting to company data because nothing was there to say no. That is the assumption the platform is built to end.

Where does Intune sit in your Microsoft 365 setup?

Intune is part of the same platform as your email, files, and accounts. That is why it can make an access decision that combines who the user is with how healthy their device is. It works alongside your Microsoft 365 apps rather than bolting on from outside, which keeps the check fast and consistent.

How Do Compliance Policies Define a Trusted Device?

A compliance policy is your written security standard turned into a rule the platform can check automatically. It lists the conditions a device must satisfy, such as an enforced passcode, active encryption, a current operating system, and no jailbreak or tamper. Each device is then marked compliant or non-compliant against that policy.

This matters because compliance is the signal everything else depends on. Once a device is labelled non-compliant, you can decide what happens next, from a gentle prompt to a hard block. The policy is where you draw the line between a device you trust and one you do not.

 

Microsoft Intune compliance policy: flat vector showing a device checked against passcode, encryption, and OS rules, marked compliant or not.

What can a compliance policy check?

Common checks include a minimum operating system version, disk encryption, a required screen lock, a healthy security state, and whether the device is enrolled and known at all. You set the baseline once, and every enrolled phone, tablet, and laptop is measured against it continuously rather than at a single point in time.

What happens when a device falls out of compliance?

The device is flagged, the user is usually told what to fix, and access can be restricted until it is put right. An encryption toggle switched off or an overdue update moves a device from compliant to non-compliant, and the access rules respond automatically. Nobody has to notice the problem manually for the gate to react.

This continuous checking keeps the standard in place over time. A device that was compliant when it was set up can drift, as software ages, settings change, or a user disables a control. Because the check repeats on every connection rather than once at enrolment, drift is caught early and the device is nudged, or held, back into line before it becomes a real exposure.

Can you set different rules for different devices?

Yes, and most businesses should. A company-owned laptop handling client records can be held to a stricter standard than a personal phone used only for calendar and chat. You can group devices and apply the policy that fits each group, so security is proportionate rather than one blunt rule that either frustrates staff or leaves gaps. The aim is a baseline everywhere and tighter control where the data is most sensitive.

What Is Conditional Access and Why Does It Matter Most?

Conditional access is the rule that connects a device’s compliance status to whether it can reach company data. This is the gate itself. In plain terms it says: if a device is not compliant, do not let it in, no matter who is signing in or which password they have. Device compliance is no longer just a report you read after the fact. It is the live condition a device has to meet to get in at all.

This is the single most valuable thing the platform does for a business, and it is the part device management alone does not give you. A stolen password is far less dangerous when the attacker’s device is unknown and non-compliant, because conditional access refuses the connection before the data is ever exposed.

How does a conditional access decision work?

When someone tries to open company email or files, the platform checks the signals in real time: is the user who they claim to be, is the device enrolled, and is it compliant right now. If every condition is met, access is granted. If the device is non-compliant or unrecognised, access is blocked or limited. The check happens in seconds and repeats each time.

How does this strengthen identity security?

Conditional access is where device health and user identity meet. A password on its own proves little; a compliant, enrolled device proves the connection is coming from somewhere you trust. This is why conditional access is a core part of a modern identity and access management approach, not a separate feature bolted on top of it.

What does conditional access look like in real situations?

Consider three everyday cases. A staff member on a compliant work laptop opens their email and connects instantly, because every condition is met. The same person on an unmanaged home computer is allowed limited web access but blocked from downloading files, because the device is not trusted. An attacker with a stolen password on an unknown device is refused outright, because the device is neither enrolled nor compliant.

In each case the password is the same. What changes the outcome is the device. Conditional access lets you treat a healthy company device and an unknown one very differently, even when the login details are identical, so a stolen password no longer works as a master key on its own.

Can Microsoft Intune Control Apps and Data as Well as Access?

Yes. Alongside the access gate, Intune deploys approved apps to devices and controls what those apps are allowed to do with company data. A compliant device that connects arrives already carrying the right tools, configured the way you intend, ready to work.

App control also lets you protect data inside an app without owning the whole device. You can allow work email on a personal phone while blocking that email from being copied into a personal cloud drive, so the data stays inside your boundary even on hardware you do not manage.

 

Microsoft Intune conditional access: flat vector showing a device checked for user and compliance, then access granted or blocked.

How does app deployment save time?

Approved business apps are pushed to devices automatically as part of joining the system, so a new laptop or phone is ready to work without someone installing software by hand. Updates and settings follow the same path. It removes the slow, manual setup that eats hours every time a device changes.

Does app control work on personal devices?

It does, and this is where it pairs with wider endpoint security. App protection rules can govern company data inside specific apps on a personal phone, keeping work content managed while leaving the rest of the device alone. The device stays personal; the company data inside it stays controlled.

For a business owner this is often what makes strict access rules acceptable to staff. People are wary of handing full control of a personal phone to their employer, and rightly so. Protecting only the company data inside the work apps, rather than the whole device, removes that objection while still keeping conditional access meaningful, because the app itself will only release data to a device the rules trust.

How Do You Get Microsoft Intune Working for Your Business?

You start by confirming your licence, then set your compliance baseline, connect it to conditional access, and roll it out to devices in a controlled way. The order matters: define the trusted-device standard first, then make that standard the condition of access.

Most New Zealand SMEs already have the licence. The platform is included with Microsoft 365 Business Premium and the Microsoft 365 Enterprise plans, so the real work is configuration and rollout, not a large new purchase. The value comes from setting it up deliberately rather than leaving the defaults untouched.

What does a sensible rollout look like?

A good rollout enrols devices, applies a clear compliance policy, and switches on conditional access in a staged way so nobody is locked out by surprise. It is tested on a small group first, communicated to staff, and then extended. Rushing straight to a hard block across every device is the fastest way to a bad first week.

Communication matters as much as configuration. Staff accept an access check far more readily when they understand it protects the business and their own work, and when they know a healthy device simply connects as normal. A short explanation before the rules go live prevents most of the confusion and support calls that a silent rollout would create.

What is the most common setup mistake?

The most common mistake is enrolling devices but never connecting compliance to access. Businesses often manage their devices and stop there, leaving the gate wide open. Without conditional access in place, a non-compliant or unknown device can still reach company data, which defeats much of the point of the platform.

What does it cost to run?

For most businesses the licence cost is already covered inside an existing Microsoft 365 plan, so the ongoing spend is small. The real cost is the initial configuration and the light-touch review that keeps policies current as devices and staff change. Compared with buying a separate security product, using capability you already pay for is usually the cheaper and simpler path, provided it is set up with intent rather than left on defaults.

It also reduces hidden costs elsewhere. Automatic app deployment and self-healing compliance checks cut the manual hours spent setting up devices and chasing users to fix settings. The clearest return, though, is the breach that never happens because an unhealthy device was turned away at the door rather than trusted by default. For a small team without a dedicated security specialist, that automatic gate is doing the job a person would otherwise have to do by hand, every day, without fail.

Turn On the Access Gate With Exodesk

Exodesk helps Christchurch, Dunedin, and South Island businesses set up Microsoft Intune so compliance actually controls access, often using the Microsoft 365 licences you already pay for. Our cyber security specialists configure the policies and conditional access rules that keep unhealthy devices away from your data.

Contact us today to discuss how we can help your business or connect with us on LinkedIn to stay updated with more insights.

Frequently Asked Questions

What is Microsoft Intune?

Microsoft Intune is a cloud service, included with several Microsoft 365 plans, that sets the security rules a device must meet and enforces them at the point of access. It measures each device against the standard you define and, through conditional access, decides whether that device may reach company data. It manages devices and apps, but its most valuable job is gating access for anything non-compliant.

What is conditional access in Microsoft Intune?

Conditional access is the rule that ties a device’s compliance status to whether it can connect to company data. If a device is not compliant or not recognised, access is blocked or limited, regardless of who is signing in. It is the gate that stops an unhealthy or unknown device before it reaches your email and files.

What is a compliance policy?

A compliance policy is your security standard written as rules the platform checks automatically, such as an enforced passcode, active encryption, and a current operating system. Each device is marked compliant or non-compliant against it. That status is the signal conditional access uses to allow or block a connection.

How is Microsoft Intune different from mobile device management?

Mobile device management is the broader practice of enrolling and controlling devices, while Microsoft Intune is the Microsoft 365 tool that delivers it and adds the access gate. The key difference in practice is conditional access. Beyond managing a device, Intune decides in real time whether that device is currently allowed to reach your data.

Do I already have Microsoft Intune?

Very likely. Microsoft Intune is included with Microsoft 365 Business Premium and the Microsoft 365 Enterprise plans, so many New Zealand SMEs already hold a licence for it. The usual gap is not the licence but the setup, as the platform sits switched on and unused.

Does Microsoft Intune stop stolen passwords being used?

It greatly reduces the risk. Even with a correct password, conditional access blocks a sign-in from a device that is not compliant or not enrolled. Because most attackers use their own unknown device, the connection is refused before any data is exposed, so a leaked password alone is far less useful to them.

Can Microsoft Intune manage apps as well as access?

Yes. It deploys approved apps to devices automatically and controls what those apps can do with company data. On a personal phone it can protect work content inside specific apps, such as blocking company email from being copied into a personal cloud drive, without managing the whole device.

Will conditional access lock my staff out?

Not when it is rolled out carefully. A sensible setup tests the rules on a small group, communicates the change, and extends it in stages rather than switching on a hard block everywhere at once. Staff on healthy, enrolled devices simply connect as normal and rarely notice the check.

How does Microsoft Intune support the Privacy Act?

It gives you evidence and control. You can show that devices reaching personal information were compliant and encrypted, and that access was cut when a person left. Blocking non-compliant devices from data supports your obligation under the Privacy Act 2020 to keep personal information secure, and it is increasingly expected by cyber insurers.

Is Microsoft Intune worth setting up for a small business?

For most, yes, especially since the licence is often already paid for through Microsoft 365. The main investment is the time to configure compliance policies and conditional access properly. Weighed against a single breach caused by an unmanaged device reaching your data, that setup is inexpensive protection.

Start typing and press Enter to search

Server virtualisation: flat vector of several physical servers consolidating into one host running virtual machines.Email migration: flat vector of mailboxes moving from an old server to a cloud email platform with mail intact. Call Us Now