Configure Conditional Access to Exchange Online based on Mobile Device Compliance –
This only applies when managing devices with Intune integrated into ConfigMgr. Essentially, the lesson here is to do all your compliance management from the ConfigMgr console. Do not use the Intune administrative console (manage.microsoft.com) other than to enable Exchange Online Conditional Access.
How to do it wrong –
Enable conditional access from the Intune management console (manage.microsoft.com).
Create a compliance policy in the Intune console.
Deploy it to some or all users.
Wait 10 minutes.
Check compliance on a mobile device (it should be compliant).
Enroll a new device.
You are probably unable to enroll any new devices at this point.
Remove the compliance policy from the Intune console and your problems go away.
How to do it right –
Enable conditional access from the Intune management console (manage.microsoft.com).
In the ConfigMgr console, create a Mobile Device Policy Baseline with a compliance item specifying a password policy for mobile devices (example).
Deploy it to your managed users.
Wait 10 minutes.
Check compliance on existing mobile devices.
Enroll new devices.
This is how you configure compliance with Intune integrated with ConfigMgr. Use the ConfigMgr console and stay out of the Intune admin console.