# CA - Require Compliant Device

### **Required AAD-role for Conditional Access Policy:**

Global Administrator, Conditional Access Administrator

### Conditional Access Policy

{% hint style="danger" %}
You must have [Compliance Policies](https://endpoint.microsoft.com/#view/Microsoft_Intune_DeviceSettings/DevicesIosMenu/~/compliancePolicies) configured for your devices before you configure this Conditional Access policy. Otherwise you will lock yourself out and access will be blocked.
{% endhint %}

1. Log in to Endpoint Manager with your admin account
2. Go to Endpoint security → Conditional access or follow this link:\
   [Conditional Access - Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/#view/Microsoft_AAD_IAM/ConditionalAccessBlade/~/Policies)
3. Click on **New policy** to create a new Conditional Access policy
4. Enter a name for the policy, e.g. “Secure Contacts Conditional Access Policy”
5. Go to ***Users or workload identities*** in *Assignments*
6. Under **Users and Groups**, *include* your SCA-Testgroup\
   \
   ![](https://3880789596-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4v109br9tFl1Rxk2qP0x%2Fuploads%2FOOeW5YpoFjGibMLwt8sJ%2Fimage.png?alt=media\&token=6bbf107a-469e-485e-818e-395236045501)<br>
7. Go to ***Cloud apps or actions*** in *Assignments*
8. Under *Include*, select the cloud apps **Office 365** and **Provectus - Secure Contacts**<br>

   <div align="left"><figure><img src="https://3880789596-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4v109br9tFl1Rxk2qP0x%2Fuploads%2FzLWnqSu5gmV1jAAWcccM%2Fimage.png?alt=media&#x26;token=4d464c61-dd6c-4de2-8361-21514d21b366" alt=""><figcaption></figcaption></figure></div>
9. Set the conditions that are mandatory for your environment, e.g. under *Client apps*, tick *Mobile apps and desktop clients*
10. Go to *Grant* in the *Access controls* pane
11. Set **Require compliant device**

<div align="left"><figure><img src="https://3880789596-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4v109br9tFl1Rxk2qP0x%2Fuploads%2FfD6GJqCNre9hdmaP4XBP%2Fimage.png?alt=media&#x26;token=c603f2bd-af5c-4771-9b34-88e70aeb2582" alt=""><figcaption></figcaption></figure></div>

12. Set *Enable Policy* to **On**
13. Click on **Create**
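
The same policy can be created with the Microsoft Graph PowerShell SDK. The script below is an added example, not part of the original guide or the vendor's tooling. It assumes the test group's display name is `SCA-Testgroup`, and it defaults to report-only mode (an assumption; pass `-State enabled` for the **On** setting from the steps above).

```powershell
# Added example. Requires the Microsoft.Graph modules Identity.SignIns, Groups,
# Applications and DeviceManagement.
param(
    [string]$GroupName  = 'SCA-Testgroup',   # assumption: display name of your test group
    [string]$AppName    = 'Provectus - Secure Contacts',
    [string]$PolicyName = 'Secure Contacts Conditional Access Policy',
    # Assumption: report-only by default; 'enabled' matches "Enable Policy: On".
    [ValidateSet('enabled', 'disabled', 'enabledForReportingButNotEnforced')]
    [string]$State      = 'enabledForReportingButNotEnforced'
)
$ErrorActionPreference = 'Stop'

Connect-MgGraph -Scopes @(
    'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All',
    'Group.Read.All', 'DeviceManagementConfiguration.Read.All')

# Lockout guard from the hint: stop if the tenant has no Intune compliance policy.
# This only proves a policy exists, not that your own device is already compliant.
if (-not (Get-MgDeviceManagementDeviceCompliancePolicy -All)) {
    throw 'No Intune compliance policies found. Configure them before creating this policy.'
}

# Resolve display names to the IDs the policy needs; refuse ambiguous matches.
$group = @(Get-MgGroup -Filter "displayName eq '$GroupName'")
$app   = @(Get-MgServicePrincipal -Filter "displayName eq '$AppName'")
if ($group.Count -ne 1) { throw "Expected one group named '$GroupName', found $($group.Count)." }
if ($app.Count -ne 1)   { throw "Expected one enterprise app named '$AppName', found $($app.Count)." }

$policy = @{
    displayName = $PolicyName
    state       = $State
    conditions  = @{
        users          = @{ includeGroups = @($group[0].Id) }                      # step 6
        applications   = @{ includeApplications = @('Office365', $app[0].AppId) }  # step 8
        clientAppTypes = @('mobileAppsAndDesktopClients')                          # step 9
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice')                                     # step 11
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
'{0} created with state {1} (id {2})' -f $created.DisplayName, $created.State, $created.Id
```

In report-only mode the sign-in logs show whether the policy would have blocked each sign-in, which lets you confirm that test devices report as compliant before switching the state to `enabled`.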
