Entra conditional access (#32298)

- Add key detail about creating and assigning users to the "Fleet
conditional access" group
- Also update guide to use step by step format like we have for other
guides:
https://fleetdm.com/guides/entra-conditional-access-integration#basic-article

---------

Co-authored-by: Eric <eashaw@sailsjs.com>
Noah Talerman 2025-08-26 19:46:14 -07:00 committed by GitHub
parent d3742e5227
commit d86d748973
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -1,13 +1,19 @@
# Entra conditional access integration
# Conditional access: Entra
Fleet v4.70.0 integrates with Entra ID to provide Microsoft "Conditional Access" for macOS.
Fleet can now connect to Microsoft Entra ID and block end users from logging into third-party apps if they're failing any Fleet policies (non-compliant).
With Fleet, you can integrate with Microsoft Entra ID to enforce conditional access on macOS hosts.
> This feature is only available on Fleet Cloud and currently supports macOS.
When a device fails a Fleet policy, Fleet can mark it as non-compliant in Entra. This allows IT and Security teams to block access to third-party apps until the issue is resolved.
For more information about this feature see https://learn.microsoft.com/en-us/intune/intune-service/protect/device-compliance-partners.
[Microsoft](https://learn.microsoft.com/en-us/intune/intune-service/protect/device-compliance-partners) requires that this feature is only supported if you're using Fleet's managed cloud.
### Configure Fleet as compliance partner in Intune
- [Step 1: Configure Fleet in Intune](#step-1-configure-fleet-in-intune)
- [Step 2: Create a "Fleet conditional access" group in Entra](#step-2-create-a-fleet-conditional-access-group-in-entra)
- [Step 3: Connect Fleet to Entra](#step-3-connect-fleet-to-entra)
- [Step 4: Deploy Company Portal and the Platform SSO configuration profile](#step-4-deploy-company-portal-and-the-platform-sso-configuration-profile)
- [Step 5: Add Fleet policies](#step-5-add-fleet-policies)
- [Step 6: Add Entra policies](#step-6-add-entra-policies)
## Step 1: Configure Fleet in Intune
The steps to configure Fleet as "Compliance partner" for macOS devices can be found here: https://learn.microsoft.com/en-us/intune/intune-service/protect/device-compliance-partners. The steps are executed in the Intune portal (https://intune.microsoft.com).
@ -15,48 +21,49 @@ After this is done, the "Fleet partner" will be shown with a "Pending activation
![Conditional access pending activation](../website/assets/images/articles/compliance-partner-pending-activation-885x413@2x.png)
### "All Company" Intune group requirement
## Step 2: Create a "Fleet conditional access" group in Entra
Users for which you want "Conditional Access" on Entra must be members of the `"All Company"` group **on Intune**.
To enforce conditional access, end users must be a member of a group called "Fleet conditional access" in Entra. First create this group in Entra and then assign users to it.
## Setup integration in Fleet
## Step 3: Connect Fleet to Entra
Now we need to connect and provision Fleet to operate on your Entra ID tenant (activate partner).
To connect Fleet to your Entra account you need your "Microsoft Entra tenant ID", which can be found in https://entra.microsoft.com. You can follow the steps in https://learn.microsoft.com/en-us/entra/fundamentals/how-to-find-tenant to get your tenant ID.
Once you have your tenant ID, go to Fleet: `Settings` > `Integrations` > `Conditional access` and enter the tenant ID.
Once you have your tenant ID, in Fleet, head to **Settings > Integrations > Conditional access** and enter the tenant ID.
![Conditional access setup](../website/assets/images/articles/conditional-access-setup-554x250@2x.png)
After clicking `Save` you will be redirected to https://login.microsoftonline.com to consent to the permissions for Fleet's multi-tenant application.
After clicking **Save** you will be redirected to https://login.microsoftonline.com to consent to the permissions for Fleet's multi-tenant application.
After consenting you will be redirected back to Fleet (to `/settings/integrations/conditional-access`).
The next step is to enable and configure the integration on your teams.
## Configure devices in Fleet
## Step 4: Deploy Company Portal and the Platform SSO configuration profile
The following steps need to be configured on the Fleet teams you want to enable Microsoft "Conditional Access".
### Automatic install software for Company Portal.app
### Automatically install Company Portal
To enroll macOS devices to Entra for Conditional Access you will need to configure Fleet to automatically install the "Company Portal" macOS application.
The Company Portal macOS application can be downloaded from https://go.microsoft.com/fwlink/?linkid=853070.
To configure automatic installation on your macOS devices you go to `Software` > `Select the team` > `Add software` > `Custom package`. Upload the `CompanyPortal-Installer.pkg` and check the `Automatic install` option.
To configure automatic installation on your macOS hosts, head to **Software > Add software > Custom package**. Upload the `CompanyPortal-Installer.pkg` and check the **Automatic install** option.
!['Company Portal.app' automatic install](../website/assets/images/articles/company-portal-automatic-734x284@2x.png)
You should also configure "Company Portal" as a software package to deploy during "Setup Experience" for DEP/ABM devices.
Go to `Controls` > `Setup experience` > `Install software` > `Add software`, select `Company Portal` for macOS and hit `Save`.
You should also configure "Company Portal" as a software package to deploy during "Setup Experience" for hosts that automatically enroll (ADE).
Go to **Controls > Setup experience > Install software > Add software**, select **Company Portal** and select **Save**.
### Label "Company Portal installed"
### Add "Company Portal installed" label
We will need to create a dynamic label to determine which macOS devices have "Company Portal" installed.
We will use this label to conditionally deploy a Platform SSO configuration profile (next step).
Go to `Hosts` > `Filter by platform or label` > `Add label +` > `Dynamic`.
Head to **Hosts > Filter by platform or label > Add label + > Dynamic**.
- Name: `Company Portal installed`
- Description: `Company Portal is installed on the host.`
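Review bot: Step 2 says end users "must be a member of a group called "Fleet conditional access" in Entra" but does not say whether that exact name is required by Fleet or whether any name works; since this replaces the old `"All Company"` Intune group requirement, state explicitly that the name must match (and whether it is case-sensitive) so readers do not reuse an existing group with a different name. Separately, the rewritten software step ("head to **Software > Add software > Custom package**") dropped the "Select the team" element that the removed line had, while the intro of Step 4 still says these steps are configured per team; keep the team selection in the path so the two statements agree.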
@ -66,13 +73,13 @@ Go to `Hosts` > `Filter by platform or label` > `Add label +` > `Dynamic`.
```
- Platform: `macOS`
### Platform SSO configuration profile
### Depoloy Platform SSO configuration profile
For Entra's "Conditional Access" feature we need to deploy a Platform SSO extension for Company Portal.
The extension must be deployed via configuration profiles. For more information see https://learn.microsoft.com/en-us/intune/intune-service/configuration/platform-sso-macos#step-3---deploy-the-company-portal-app-for-macos.
Go to `Controls` > `OS settings` > `Custom settings` > `+ Add profile`.
Set `Target` > `Custom` > `Include all` and select `Company Portal installed`.
Head to **Controls > OS settings > Custom settings > + Add profile**.
Set **Target > Custom > Include all** and select **Company Portal installed**.
Upload the following configuration profile:
`company-portal-single-signon-extension.mobileconfig`:
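Review bot: The new heading "### Depoloy Platform SSO configuration profile" misspells "Deploy"; fix it to "### Deploy Platform SSO configuration profile". Note that renaming this heading also changes its anchor, so any links pointing at `#platform-sso-configuration-profile` need to be updated in the same change.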
@ -146,17 +153,17 @@ Upload the following configuration profile:
> `UserSecureEnclaveKey` will be mandatory starting in Q3 2025, see https://learn.microsoft.com/en-us/entra/identity-platform/apple-sso-plugin#upcoming-changes-to-device-identity-key-storage.
## Configure Fleet policies for Conditional Access
## Step 5: Add Fleet policies
The final step is to configure Fleet policies that will determine whether a device is marked as "compliant" or "not compliant" on Entra.
The final step is to add policies in Fleet that will determine whether a device is marked as "compliant" or "not compliant" on Entra.
Go to `Policies` > `Select team` > `Automations` > `Conditional access`.
Head to **Policies > Select team > Automations > Conditional access**.
1. Make sure the feature is enabled for the team.
2. Check the policies you want for Conditional access.
## Configure "Conditional Access" policies on Entra
## Step 6: Add Entra policies
Once Fleet policies are configured you also need to configure Entra ID "Conditional Access" policies to block end-users access to specific resources when Fleet reports non-compliance.
After you add policies in Fleet, you also need to add Entra ID "Conditional Access" policies to block end-users access to specific resources when Fleet reports non-compliance.
[Building a Conditional Access policy](https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policies) outlines the steps to create such policies on Entra ID.
For instance, you can create a policy to "block access to Office 365 on macOS devices reported as non-compliant by Fleet":
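Review bot: "The final step is to add policies in Fleet..." is no longer accurate now that this is Step 5 of 6 and Step 6 (Entra policies) follows; reword to "Next, add policies in Fleet that will determine whether a device is marked as "compliant" or "not compliant" on Entra."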
@ -166,9 +173,9 @@ Make sure to assign Entra users/groups to the created "Conditional Access" polic
### Disabling "Conditional Access" on a team
If you need all your hosts on a team to be marked as "Compliant" (e.g. to unblock access to a resource) go to `Policies` > `Select team` > `Automations` > `Conditional access`, uncheck all policies and hit `Save`. The hosts will be marked as "Compliant" the next time they check in with policy results (within one hour, or by refetching manually).
If you need all your hosts on a team to be marked as "Compliant" (e.g. to unblock access to a resource) go to **Policies > Select team > Automations > Conditional access**, uncheck all policies, and select **Save**. The hosts will be marked as "Compliant" the next time they check in with policy results (within one hour, or by refetching manually).
To disable the "Conditional Access" feature on a team go to `Policies` > `Select team` > `Automations` > `Conditional access` > `Disable`.
To disable the "Conditional Access" feature on a team head to **Policies > Select team > Automations > Conditional access > Disable**.
Once disabled, hosts will not be reporting compliance status to Entra anymore.
## End user experience
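Review bot: The unchanged line "Once disabled, hosts will not be reporting compliance status to Entra anymore." is awkward; since this hunk already rewrites the surrounding lines, tighten it to "Once disabled, hosts will no longer report compliance status to Entra." The heading "### Disabling "Conditional Access" on a team" is also very close to the later "### Disabling "Conditional Access"" heading (Entra side); consider naming this one "on a Fleet team" and the other "on Entra" so the table of contents distinguishes them.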
@ -201,11 +208,11 @@ The user will be able to log in again once the failing policies are remediated.
### Disabling "Conditional Access"
If you wish to disable the "Conditional Access" feature temporarily, we recommend turning off the "Conditional Access" policies on Entra.
On Entra, go to `Protection` > `Conditional Access` > `Policies`, then select the policies and turn them off.
On Entra, go to **Protection > Conditional Access > Policies**, then select the policies and turn them off.
### End users unenrolling from Fleet MDM
### End users turning off MDM in Fleet
If a user unenrolls from Fleet MDM by going to `System Settings` > `Device Management` and hitting `Unenroll` on Fleet's enrollment profile then Fleet will report the "MDM turned off" state to Intune and the device will be automatically marked as non-compliant on Entra (even if it's passing all Fleet policies).
If a user turns off MDM by going to **System Settings > Device Management and selecting **Unenroll** on Fleet's enrollment profile then Fleet will report the "MDM turned off" state to Intune and the device will be automatically marked as non-compliant on Entra (even if it's passing all Fleet policies).
## GitOps
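Review bot: The rewritten sentence has unbalanced bold markers: "**System Settings > Device Management and selecting **Unenroll**" opens bold before "System Settings" but never closes it before "and selecting", so the markdown will render incorrectly. It should read "**System Settings > Device Management** and selecting **Unenroll**".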
@ -270,9 +277,9 @@ software:
For `lib/team-name/profiles/company-portal-single-signon-extension.mobileconfig`: See [Platform SSO configuration profile](#platform-sso-configuration-profile).
<meta name="articleTitle" value="Entra conditional access integration">
<meta name="articleTitle" value="Conditional access: Entra">
<meta name="authorFullName" value="Lucas Manuel Rodriguez">
<meta name="authorGitHubUsername" value="lucasmrod">
<meta name="category" value="guides">
<meta name="publishedOn" value="2025-06-20">
<meta name="description" value="Learn how managed cloud customers can use Microsoft Entra conditional access with Fleet.">
<meta name="description" value="Learn how to enforce conditional access with Fleet and Microsoft Entra.">
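Review bot: The unchanged GitOps line still links to `#platform-sso-configuration-profile`, but the corresponding heading was renamed in this change (from "### Platform SSO configuration profile" to "### Depoloy Platform SSO configuration profile"), so this in-page anchor is now broken; update the link text and fragment to match the final heading (after fixing its spelling), e.g. `[Deploy Platform SSO configuration profile](#deploy-platform-sso-configuration-profile)`. The `articleTitle` meta update to "Conditional access: Entra" matches the new H1, which is good.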