Tags: azure-ad-graph-api, mdm, mobileiron

Mark an Azure AD device as compliant without using Intune


We use MobileIron with on-prem Exchange but are now looking to move some of our users to Office 365. I would like to avoid using a Sentry if possible (i.e. have the user devices go to Office 365 for email etc. directly rather than via the extra hop of a Sentry) but at the same time I want to restrict such access to just company managed devices. Via Conditional Access policies I see that one can set access to be only from devices marked as compliant, but from what I see this is a flag only Intune can set. Is there a way of setting a device as compliant via something like MobileIron?

I am interested in hearing any other suggestions or experiences from others who've had to do something similar. We have a mix of iOS and Android devices all currently managed via MobileIron on-prem. Even if the workaround for now is to manually mark devices as compliant via Graph API or PowerShell that'll do too.


Solution

  • Based on the Require device to be marked as compliant document, this option requires a device to be registered with Azure AD and also to be marked as compliant by:

    So currently, iOS and Android devices are not supported.

    BTW, Graph API or PowerShell configurations should be the same as what can be done in the Azure portal.
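Since the compliance flag cannot be set from outside Intune, the practical check is to read it back and see which registered devices would actually satisfy a "Require device to be marked as compliant" grant control before the policy is enforced. The following is an added example, not code from the original question or answer: it builds the Microsoft Graph `GET /v1.0/devices` query (using only the standard `device` resource properties `trustType`, `isManaged` and `isCompliant`) and evaluates constructed sample device records offline. The device names and states are made up for illustration; a real run would feed the JSON returned by Graph into `partition_by_compliance`.

```python
"""Read-only check of Azure AD device compliance state via Microsoft Graph.

Added example, not part of the original post. It only reads the isCompliant
flag; per the Graph 'device' resource docs that flag is set by Intune (or an
Intune-integrated MDM partner), so this script cannot mark devices compliant.
The SAMPLE_DEVICES below are constructed to look like a Graph /v1.0/devices
response; no network call is made.
"""
from urllib.parse import quote, urlencode

GRAPH_DEVICES = "https://graph.microsoft.com/v1.0/devices"

# Properties of the Graph 'device' resource relevant to Conditional Access.
SELECT_FIELDS = ("id", "displayName", "operatingSystem", "trustType",
                 "isManaged", "isCompliant")

# trustType values that mean the device object is registered/joined to Azure AD.
REGISTERED_TRUST_TYPES = {"Workplace", "AzureAd", "ServerAd"}


def devices_query_url(only_noncompliant=False):
    """Build the Graph URL to pull device registration and compliance state.

    Assumption: the caller adds an Authorization: Bearer header for a token
    holding Device.Read.All (not shown here, since nothing is sent).
    """
    params = {"$select": ",".join(SELECT_FIELDS)}
    if only_noncompliant:
        params["$filter"] = "isCompliant eq false"
    # Keep '$' and ',' literal so the OData parameters stay readable to Graph.
    return GRAPH_DEVICES + "?" + urlencode(params, safe="$,", quote_via=quote)


def passes_compliant_grant(device):
    """True iff the device would satisfy the CA 'require compliant' control.

    The control needs an Azure AD registered (or joined) device whose
    isCompliant flag is exactly true. A MobileIron-managed device that was
    registered through the broker app but never evaluated by Intune will show
    isCompliant as None or False and is treated as blocked.
    """
    return (device.get("trustType") in REGISTERED_TRUST_TYPES
            and device.get("isCompliant") is True)


def partition_by_compliance(devices):
    """Split Graph device records into (would_pass, would_be_blocked) names."""
    ok, blocked = [], []
    for d in devices:
        (ok if passes_compliant_grant(d) else blocked).append(d["displayName"])
    return ok, blocked


# Constructed sample records shaped like Graph 'device' objects (not real data).
SAMPLE_DEVICES = [
    {"id": "1", "displayName": "SALES-IPHONE-01", "operatingSystem": "iOS",
     "trustType": "Workplace", "isManaged": False, "isCompliant": None},
    {"id": "2", "displayName": "PC-W10-07", "operatingSystem": "Windows",
     "trustType": "AzureAd", "isManaged": True, "isCompliant": True},
    {"id": "3", "displayName": "ANDROID-22", "operatingSystem": "Android",
     "trustType": "Workplace", "isManaged": True, "isCompliant": False},
]

if __name__ == "__main__":
    print("Query:", devices_query_url(only_noncompliant=True))
    would_pass, would_block = partition_by_compliance(SAMPLE_DEVICES)
    print("Would pass the compliant-device grant:", would_pass)
    print("Would be blocked by the grant:", would_block)
```

Note that `isManaged` being true is not enough: in the sample, the Android device is managed but not compliant and would still be blocked, which is exactly the situation a MobileIron-only fleet ends up in under that grant control.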