Hello Juergen_Mang, did you test whether Intune or Microsoft conditional access are doing checks for each request? From what I have seen, they are like the F5 APM access policy and do checks per session, not per request, and after that Intune adds a cert on the computer to show it is compliant and Microsoft conditional access also remembers that the user has passed its rules. Maybe I am wrong about Intune and now they can also check for each request like Access Guard, or at a scheduled time like every minute, so I am also interested in what you will find out 🙂
If Intune can't do checks for every request or at a scheduled interval, maybe a combination of F5 APM and Intune/Microsoft conditional access will be the best, as they have great integrations for Intune to check stuff first and then F5 Access Guard to do Zero Trust checks per request.
https://community.f5.com/t5/technical-articles/zero-trust-building-blocks-leverage-microsoft-intune-endpoint/ta-p/309715
https://community.f5.com/t5/technical-articles/leverage-f5-big-ip-apm-and-azure-ad-conditional-access-easy/ta-p/301536
It all depends on what you are trying to do, as I do not know your end goal 😀