Azure AD Conditional Access policies are the appropriate tool for this requirement. They function as if-then statements, evaluating signals from users, devices, and locations to enforce organizational access rules. A Conditional Access policy can be configured to use "device compliance" as a condition for granting access. In this scenario, a policy would grant access to the Azure AD-integrated applications only if the user's device is marked as compliant by a management solution like Microsoft Intune, which can verify that the latest security patches are installed.

A. Azure Bastion: This service provides secure RDP and SSH connectivity to Azure virtual machines directly through the Azure portal, not for controlling access to applications based on device health.

C. Azure Policy: This service enforces rules and standards for Azure resources to ensure they remain compliant with corporate standards, but it does not manage user access to applications.

D. Azure Firewall: This is a network security service that protects Azure Virtual Network resources by filtering network traffic; it does not evaluate the compliance state of endpoint devices.

1. Microsoft Learn, "What is Conditional Access in Azure Active Directory?"

Section: Common signals

Content: "Device compliance - Users with devices marked as compliant with a specific policy can be differentiated from users with noncompliant devices." This document establishes that device compliance is a primary signal used by Conditional Access.

2. Microsoft Learn, "Conditional Access: Grant"

Section: Require device to be marked as compliant

Content: "This control requires that the device the user is signing in from is marked as compliant by a mobile device management (MDM) solution like Microsoft Intune... If a device isn't registered with an MDM solution, access is blocked." This directly confirms that requiring a compliant device is a grant control within Conditional Access.

3. Microsoft Learn, "Use compliance policies to set rules for devices you manage with Intune"

Section: How Intune device compliance policies work

Content: This document explains how Microsoft Intune evaluates device settings, such as OS version and security patch levels, to determine if a device is compliant. This compliance status is then reported to Azure AD for use in Conditional Access policies.