How can I restrict users to using Outlook to access emails on both managed and unmanaged devices and prevent them from using IMAP clients (e.g. Mozilla Thunderbird) using Conditional Access Policies?

Question

Redirect from https://learn.microsoft.com/en-us/answers/questions/1526387/how-can-i-restrict-use-of-imap-clients-even-when-i I have enabled IMAP protocol on one shared and one delegate mailbox. So that an application with delegated graph permissions can read emails from the mailbox using OAUTH 2.0. I want to ensure users do not use an IMAP client (e.g. Mozilla Thunderbird) to read emails on either managed or unmanaged devices.

Answer 1

@Anindya Kumar Banerjee
Thank you for posting this in Microsoft Q&A. Blocking outlook alone on a device is not possible. Because there are some other services also that depends on outlook, like teams etc.

To block them via conditional access policy you can configure Azure to block any request which is not coming from approved client apps or app protection policy. Below are the list of approved client apps,

Outlook is also part of approved client apps. And regarding blocking clients on accessing exchange online from IMAP clients you can configure "other clients" option under conditions in conditional access policy. "Other clients" include all clients which uses POP, IMAP, SMTP etc protocols.

Let me know if you have any further questions. Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Answer 2

Hi Anindya, I suspect you'd need something like Entra SSE for that. https://www.youtube.com/watch?v=4RVkbKjeU10 https://techcommunity.microsoft.com/t5/microsoft-entra-blog/microsoft-entra-expands-into-security-service-edge-with-two-new/ba-p/3847829 https://learn.microsoft.com/en-us/entra/architecture/sse-deployment-guide-m365