How to block web app access on personal devices through conditional access policies

Matthew Seah 0 Reputation points
2024-07-02T02:44:12.4633333+00:00

Hello, I'm trying to find a method to block users from accessing various O365 web apps on their personal devices.

Is creating a conditional access policy in Intune the best way to go about this?

We allow users to use the Outlook mobile app on a single unmanaged device but want to restrict them from using web browsers on personal devices to access stuff like our corporate OneDrive, Outlook and various other web apps. As a test, I created the following conditional access policy as shown below and applied it to User1. However, this user is still able to access Outlook web and OneDrive and all O365 web apps from his iPhone and personal laptop. What am I missing?

**Conditional Access policy settings**

Assignment
Users - Specific Users included:

  • User1

Target resource:

  • Office 365
  • Office 365 Exchange Online
  • Office 365 SharePoint Online

Conditions
Device platforms:

  • iOS
  • Android
  • Windows

Locations:

  • Any network or location

Filter for devices:
Include filtered devices in policy

  • Device ownership = Personal

Access controls

  • Block access

1 answer

  1. Crystal-MSFT 45,896 Reputation points Microsoft Vendor
    2024-07-02T05:35:57.3366667+00:00

    @Matthew Seah, Thanks for posting in Q&A. Please also ensure the client app under conditions is also set to "Browser".

    https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-conditions#client-apps

    And the policy is on.

    If it is still not working, please look through the sign-in log to see if the conditional access policy is applied.

    https://learn.microsoft.com/en-us/entra/identity/monitoring-health/how-to-view-applied-conditional-access-policies

    Hope the above information can help.


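The checks from the answer above (client apps set to Browser, policy switched on, sign-in log result), written as a script over a policy export and one sign-in record. This is an added example, not part of the original thread: the sample data is constructed in the shape of Microsoft Graph's `conditionalAccessPolicy` and `signIn` resources, the function names are hypothetical, and the last check goes beyond the answer by noting that device filter attributes are only populated for devices registered in Entra ID.

```python
# Constructed sample data shaped like Microsoft Graph's conditionalAccessPolicy
# and signIn resources; the display name and every value are made up.
POLICY = {
    "displayName": "Block O365 web on personal devices",
    "state": "enabledForReportingButNotEnforced",  # report-only, i.e. not "On"
    "conditions": {
        "clientAppTypes": ["all"],  # assumed: client apps left unconfigured
        "devices": {"deviceFilter": {"mode": "include",
                    "rule": 'device.deviceOwnership -eq "Personal"'}},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}
SIGN_IN = {
    "clientAppUsed": "Browser",
    "deviceDetail": {"deviceId": ""},  # empty: device is not registered
    "appliedConditionalAccessPolicies": [
        {"displayName": "Block O365 web on personal devices",
         "result": "notApplied"}],
}


def audit_policy(policy):
    """Return which of the answer's two configuration checks the policy fails."""
    findings = []
    if "browser" not in policy["conditions"].get("clientAppTypes", []):
        findings.append("client apps condition is not set to Browser")
    if policy.get("state") != "enabled":
        findings.append(f"policy state is {policy.get('state')!r}, not 'enabled'")
    return findings


def policy_result(sign_in, policy_name):
    """Return how one sign-in evaluated the named policy, or None if absent."""
    for applied in sign_in.get("appliedConditionalAccessPolicies", []):
        if applied["displayName"] == policy_name:
            return applied["result"]
    return None


def triage(policy, sign_in):
    """List what to fix or inspect, configuration checks first."""
    notes = audit_policy(policy)
    result = policy_result(sign_in, policy["displayName"])
    if result != "failure":  # a sign-in stopped by a block control logs "failure"
        notes.append(f"sign-in log shows {result!r} for this policy")
    unregistered = not sign_in["deviceDetail"].get("deviceId")
    if policy["conditions"].get("devices") and unregistered:
        notes.append("no device ID in sign-in: deviceOwnership filter cannot match")
    return notes
```
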