How to block web app access on personal devices through conditional access policies

Matthew Seah 0 Reputation points
2024-07-02T02:38:42.55+00:00

Hello, I'm trying to find a method to block users from accessing various O365 web apps on their personal devices.

Is creating a conditional access policy in Intune the best way to go about this?

We allow users to use the Outlook mobile app on a single unmanaged device but want to restrict them from using web browsers on personal devices to access stuff like our corporate OneDrive, Outlook and various other web apps. As a test, I created the following conditional access policy as shown below and applied it to User1. However, this user is still able to access Outlook web and OneDrive and all O365 web apps from his iPhone.
What am I missing?

**Conditional Access policy settings**

Assignment
Users - Specific Users included:

  • User1

Target resource:

  • Office 365
  • Office 365 Exchange Online
  • Office 365 SharePoint Online

Network:

  • Any network or location

Conditions
Device platform:

  • iOS

Filter for devices:
Include filtered devices in policy

  • Device ownership = Personal

Access controls

  • Block access

2 answers

  1. Deepanshukatara-6769 10,130 Reputation points
    2024-07-02T04:54:35.9+00:00

    Hi Matthew, Welcome to MS Q&A

    Under Enable policy, select On. By default, the policy is set to Report-only.

    Please check the attached image and the URL below for a more detailed reference.

    User's image

    https://learn.microsoft.com/en-us/mem/intune/protect/create-conditional-access-intune

    Kindly accept answer if it helps,

    Please let us know if any further questions

    Thanks

    Deepanshu


  2. Crystal-MSFT 49,271 Reputation points Microsoft Vendor
    2024-07-02T05:38:42.0566667+00:00

    @Matthew Seah, Thanks for posting in Q&A. Please also ensure the client apps under Conditions are also set to "Browser".

    User's image

    https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-conditions#client-apps

    And the policy is on.

    User's image

    If it is still not working, please look through the sign in log to see if the conditional access policy is applied.

    https://learn.microsoft.com/en-us/entra/identity/monitoring-health/how-to-view-applied-conditional-access-policies

    Hope the above information can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
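The sign-in log check suggested in the answers above can be scripted. This is an added example, not part of the original thread and not Microsoft's code. It triages exported sign-in records for one policy using field names from the Microsoft Graph signIn resource. The policy name, the sample records and the helper names are constructed, and the client-app hint assumes the policy is scoped to "Browser" as the second answer recommends.

```python
"""Triage Entra ID sign-in records for one Conditional Access policy (added example)."""

POLICY = "Block O365 web on personal iOS"  # hypothetical policy display name

def sample(client_app, device_id, result, policy=POLICY):
    """Constructed record using field names from the Microsoft Graph signIn resource."""
    return {"userPrincipalName": "user1@contoso.example",
            "clientAppUsed": client_app,
            "deviceDetail": {"deviceId": device_id, "operatingSystem": "iOS"},
            "appliedConditionalAccessPolicies": [{"displayName": policy, "result": result}]}

# Constructed sample data, not real log output.
SAMPLES = [
    sample("Browser", "dev-0001", "reportOnlyFailure"),
    sample("Mobile Apps and Desktop clients", "dev-0001", "notApplied"),
    sample("Browser", "", "notApplied"),
    sample("Browser", "dev-0001", "failure"),
]

def triage(signin, policy_name=POLICY):
    """Return a list of findings explaining how the policy treated this sign-in."""
    entry = next((p for p in signin.get("appliedConditionalAccessPolicies", [])
                  if p.get("displayName") == policy_name), None)
    if entry is None:
        return ["policy missing from this sign-in's evaluation list"]
    result = entry.get("result", "")
    findings = []
    if result.startswith("reportOnly"):
        findings.append("report-only: evaluated but not enforced; set Enable policy to On")
    elif result == "notEnabled":
        findings.append("policy is off; set Enable policy to On")
    if result in ("notApplied", "reportOnlyNotApplied"):
        hints = []
        if signin.get("clientAppUsed") != "Browser":
            hints.append("client app was not Browser: " + str(signin.get("clientAppUsed")))
        if not signin.get("deviceDetail", {}).get("deviceId"):
            # An unregistered device has no ownership attribute for a device filter to match.
            hints.append("no device ID: unregistered device, ownership filter cannot match")
        findings += hints or ["conditions not met; review user, resource and platform scope"]
    elif result == "failure":
        findings.append("enforced: access blocked or grant control not satisfied")
    elif result == "success":
        findings.append("enforced: grant controls satisfied")
    return findings or ["unhandled result: " + result]

if __name__ == "__main__":
    for record in SAMPLES:
        print(record["clientAppUsed"], "->", triage(record))
```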

