How can I block all mail apps that have AI capability from authenticating with Office 365 in my organization?

Hello Thomas Dalhover

Good day and hope you are doing well.

I'm kindly reaching out to get an update on the issue. Please did you implement the suggested steps to mitigate the issue?

Please feel free to repost or submit comment and Vote on thread if you find the information helpful**.** Your vote will make the thread superior content and help other users in the community facing the same issue.

Thank you very much for your valuable time and cooperation.

Sincerely

Bertrand

Hello Thomas Dalhover

Good day and thanks for reaching out.

We noticed our initial response wasn't helpful. However, have you tried Revoking Permissions for Existing Apps. Review permissions granted to applications - Microsoft Entra ID | Microsoft Learn

• In the Azure portal, navigate to Azure Active Directory > Enterprise applications > All applications.
• Search for any existing instances of Canary Mail, Spark, or other unwanted applications.
• Select the application and go to the Permissions section to revoke any granted permissions.

Revoking permissions in Azure will effectively stop the applications from accessing Microsoft services, thereby disabling them from operating within your organization's environment. If you have users who are already using these applications, you may want to notify them about the change to avoid disruption to their workflow.

Hope this helps! Please feel free to reach out if you need further assistance with the issue. We will be happy to help.

Sincerely,

Bertrand

Hi Bertrand,

Yes, I have created both a conditional access policy and an app protection policy. So far, it has successfully blocked other mail apps and my test group can only use native iOS/Android apps and the Outlook mobile app, which is what I need it to do. But all of these apps that have AI functions like Canary Mail and Spark ask for IT admin approval to use. I am trying to disable authentication for those apps as well.

Furthermore, we already have an admin consent set for applications like the ones I listed. We are looking to block them from authenticating at all.

Hello Thomas Dalhover

Good day and thanks for reaching out.

The situation you've described suggests that you want to block all mail apps that have AI capability from authenticating with office 365. To block mail apps with AI capabilities from authenticating with Office 365 in your organization, you can use a combination of Microsoft Entra (formerly Azure AD) Conditional Access policies and Microsoft Defender for Cloud Apps. However, can you confirm if you have implemented the steps below.

1. Have you previously restricted access for any specific applications conditional access policy? Utilize Azure Active Directory (Azure AD) to create Conditional Access policies. Navigate to Azure Active Directory > Enterprise applications > User consent settings. Go to Azure Active Directory > Security > Conditional Access and create a policy that targets specific applications and platforms Cloud apps, actions, and authentication context in Conditional Access policy
2. Does your organization use Microsoft Intune? If yes, you can create App Protection Policies specifically to manage the behavior of corporate applications. Troubleshoot Microsoft Intune app protection policy deployment
3. What authentication method are you currently using for Office 365 (Modern Authentication, Basic Authentication)? If you are using Modern authentication, have you tried to disallow user consent to third-party applications that utilize OAuth 2.0? **** Configure how users consent to applications - Microsoft Entra ID | Microsoft Learn

Kindly let us know if the issue persists after implementing the above steps so we can proceed to the next step. Please understand that our initial response may not always resolve the issue immediately. However, with your help and more detailed information, we can work together to find a solution.

Thanks for you valuable time and cooperation.

Sincerely,

Bertrand