Block file download in O365 for non-Intune-compliant devices


Hi all


I would like to block some users from downloading attachments on non-Intune-compliant devices, so I first configured a conditional policy with a custom session policy for all browser traffic to MCAS. Then I configured a session policy that matches when the device tag does not equal Intune compliant, to block the file download.




Then, when I tested downloading an attachment in O365 with the Edge browser on a Win 10 and an Android device, which are Intune enrolled, the user agent tag has only Azure AD joined, not Intune compliant (but I checked that the device is compliant in Endpoint Manager). So may I know if anyone has tried this setup?


Best regards


Alex Tsang


1 Reply



Hi Alex,


Unfortunately, session policies only work for browsers, and in this case the Android device would not get this session policy. Are you saying that the Android device is showing up as AAD joined instead of Intune compliant? Lastly, for the browser, is that working?


Thank you!