Audit. Harden. Automate. Intune and Exchange configured to best practices, with security you can measure.
Most Intune projects fail quietly after deployment — not because the configuration is wrong, but because nobody builds an operational rhythm to keep it healthy. This final part fixes that.
Transport rules have been in Exchange since the on-prem days. Microsoft keeps adding newer policy engines, but mail flow rules remain the workhorse for anything those engines do not cover. This article covers the baseline rules most tenants need, external sender tagging (custom vs native), disclaimers, security-focused patterns, encryption triggers, the AND/OR condition logic trap, rule priority and stop processing, where transport rules overlap with Purview DLP and Defender, PowerShell management patterns, limits and constraints, and a 14-point audit checklist.SPF, DKIM, DMARC, MTA-STS and TLS-RPT done properly for Exchange Online — the order of operations, the Exchange Online-specific gotchas, and how to get to DMARC p=reject without breaking mail flow.
Every Zero Trust deployment has gaps. The slide decks do not mention them. The vendor assessments gloss over them. But they are there, in every tenant. This article is the honest assessment: the BYOD browser gap where unmanaged browsers bypass app protection entirely, legacy apps that cannot do modern auth and sit outside the CA perimeter, printers and IoT devices that cannot authenticate, third-party VPNs that mask device posture, service accounts that cannot do MFA, guest users with unknown MFA quality and no device compliance, a gap severity matrix, and a practical gap assessment checklist. Zero Trust does not fail because of technology. It fails because of compromises made for usability, legacy systems, and operational reality.
Intune compliance policies check device health. Conditional Access enforces access decisions based on that health. Without Conditional Access, compliance is monitoring. Without compliance, Conditional Access is guessing. This article covers the full device pillar implementation: compliance policies for Windows, macOS, iOS, and Android, Defender for Endpoint risk score integration, Conditional Access grant controls that require compliant devices, app protection policies for BYOD (MAM-WE), the "Require approved client app" retirement (June 30, 2026) and the OR transition pattern to "Require app protection policy," and a phased rollout approach that avoids the day-one lockout mistake.