Hi,

You should test something like this in Conditional Access:

Create one rule to block access to all cloud applications:
- All users except break glass accounts, except AAD group for desktop access, except AAD group for mobile access
- All Cloud Apps
- Any Device
- Block Access

Desktop access:
- Selected AAD group with users, except break glass accounts
- All Cloud Apps
- Device platform: Windows
- Grant access, Require MFA or Require device to be marked as compliant

Mobile access:
- Selected AAD group with users, except break glass accounts
- All Cloud Apps
- Device platform: Android, iOS
- Grant access, Require MFA or Require device to be marked as compliant

Please test this on a limited subset of users.

Best of luck,
Simon
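
The three rules above, modelled as an added example that is not part of Simon's post and is not Microsoft's evaluation engine: it shows which rule each sign-in matches before a pilot. It assumes that every matching policy is applied, that Block wins, and that a sign-in matching no policy gets no controls; the group names are hypothetical placeholders.

```python
# Simplified model of Conditional Access evaluation (assumption: every policy whose
# conditions match is applied, Block wins, and no matching policy means no controls).
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    include: frozenset      # groups in scope; "ALL" means all users
    exclude: frozenset      # excluded groups; exclusion beats inclusion
    platforms: frozenset    # empty set = any device platform
    grant: str              # "block" or "mfa_or_compliant"

# Group names are hypothetical placeholders for the AAD groups in the post.
BG, DESK, MOB = "break-glass", "grp-desktop", "grp-mobile"

POLICIES = [
    Policy("Block all", frozenset({"ALL"}), frozenset({BG, DESK, MOB}), frozenset(), "block"),
    Policy("Desktop access", frozenset({DESK}), frozenset({BG}), frozenset({"windows"}), "mfa_or_compliant"),
    Policy("Mobile access", frozenset({MOB}), frozenset({BG}), frozenset({"android", "ios"}), "mfa_or_compliant"),
]

def applies(p, groups, platform):
    if groups & p.exclude:                      # excluded group: policy is skipped
        return False
    if "ALL" not in p.include and not (groups & p.include):
        return False
    return not p.platforms or platform in p.platforms

def evaluate(groups, platform, policies=POLICIES):
    """Return (outcome, names of matching policies) for one sign-in."""
    hits = [p for p in policies if applies(p, frozenset(groups), platform)]
    names = [p.name for p in hits]
    if any(p.grant == "block" for p in hits):
        return "block", names
    if hits:
        return "require_mfa_or_compliant", names
    return "allow_no_controls", names

if __name__ == "__main__":
    # Constructed sign-ins: (group memberships, device platform)
    for groups, platform in [((), "windows"), ((DESK,), "windows"), ((MOB,), "ios"),
                             ((DESK,), "macos"), ((MOB,), "windows"), ((BG,), "windows")]:
        print(f"{list(groups)!s:18} {platform:8} -> {evaluate(groups, platform)}")
```

Sign-ins that come back as `allow_no_controls` match none of the three rules, so those user and platform combinations are the ones to check during the limited test.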