Which Azure Active Directory (Azure AD) feature can you use to restrict Microsoft Intune-managed devices from accessing corporate resources?

Study for the Microsoft SC-900 Exam. Master key concepts with targeted flashcards and multiple-choice questions, featuring hints and explanations. Get prepared and confident for success!

The correct answer is Conditional access policies because these are specifically designed to manage and enforce access controls based on various conditions for users and devices. In this context, they are effective for restricting access to corporate resources based on the compliance status of Microsoft Intune-managed devices. For example, you can configure policies that only allow access if a device meets specific security requirements, such as being compliant with corporate security standards, or being enrolled in Intune.

Conditional access policies evaluate the context of a user’s sign-in attempt and make real-time decisions about whether to grant access, require additional security measures, or block access entirely. This aligns perfectly with the need to manage access based on the condition of the device, thus enhancing the overall security posture of the organization.

The other options do not serve this specific function. Network security groups (NSGs) are primarily a network security tool used to control inbound and outbound traffic at the instance level in Azure, not device compliance. Azure AD Privileged Identity Management (PIM) deals with role-based access control and the management of privileges within Azure AD, rather than device access control. Resource locks are used to prevent accidental deletion or modification of important Azure resources, which is also unrelated to controlling access based on device compliance.