Conditional Access - block ODfB sync, but allow Teams app

AndAuf 16 Reputation points

Hi all,

I have a problem with allowing/blocking the following:

  • Devices which are not compliant (not Intune-managed, not (hybrid) Entra joined) must not sync using ODfB client
  • The same devices which are not managed/compliant may use Teams app if they want to
  • (BYOD, Self-enrollment,... is no option. Unmanaged devices stay unmanaged)

I have a CA-Policy which does the first part very well. But I have no idea how to get the second part, as both ODfB and Teams are "Office 365 SharePoint Online" and "modern auth apps" for CA. There is no specific Sync client which I could block and there is no specific Teams app I could allow. Also we have autopiloted Entra-only devices, so I cannot use "allow devices of specific domains" anymore. So how can I achieve this pretty common scenario?


2 answers

  1. Andy David - MVP 134K Reputation points MVP

  2. Givary-MSFT 22,726 Reputation points Microsoft Employee

    @AndAuf Thank you for reaching out to us. As I understand, you want to block OneDrive and allow access to Teams from unmanaged devices. I checked with my team, performed a quick repro on this, and followed the steps as mentioned here, which will help to achieve your ask.


    Let me know if you have any further questions; feel free to post back.

    Please remember to "Accept Answer" if the answer helped, so that others in the community facing similar issues can easily find the solution.