
Conditional Access Policy block unmanaged & not compliant Devices / Access Token

Daniel-9677 20 Reputation points
2025-02-14T12:27:29.6433333+00:00

Hi there,

I'm currently evaluating a Conditional Access policy to block unmanaged and non-compliant devices from Exchange Online. I'm experiencing weird behaviour.

Status Quo:

Some Users had configured Outlook Mobile on unmanaged (private) Devices in the past.

Primary Goal:

We want to block access on those devices.

Browser Access is OK and should not be blocked.

CA Policy:

  • Include: "Test" users
  • Target Resources:
    • Office 365 Exchange Online
  • Conditions:
    • Client Apps: Mobile Apps and Desktop Clients
    • Filter for Devices:
      • Property: isCompliant
      • Operator: Equals
      • Value: False
  • Grant:
    • Block

Expectation:

As I understand and expect it, as soon as the access token gets renewed (lifetime 60-90 min), the token gets invalidated because of the CA policy and access gets blocked.

Tests:

The (weird) thing is I only see this behaviour on Windows devices.

After some time access gets blocked, on non-compliant and also on unmanaged devices.

But on Android smartphones (S21 &amp; S24FE) Outlook Mobile still works and NOTHING is blocked.

As I understand it, this should not be the behaviour?

Is there anything I am missing?

Thanks & KR

Daniel

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Answer accepted by question author

  1. Bandela Siri Chandana 3,075 Reputation points Moderator
    2025-02-18T08:43:27.0666667+00:00

    Hello @Daniel-9677,
    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue: Conditional Access Policy block unmanaged & not compliant Devices / Access Token.

    Solution: Resolved by @Daniel-9677

    Outlook &amp; Teams Mobile use so-called "long-lived" access tokens. These tokens can be issued to applications which are CAE aware. However, these tokens can have a lifetime between 20-28h. After waiting for that time, the application gets blocked as well.

    If you don't want to or cannot wait that long, you can use a SignInFrequency CA policy or revoke sessions for the users.

    If you have any other questions or are still running into more issues, please let me know. Thank you again for your time and patience throughout this issue.

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


    1 person found this answer helpful.

1 additional answer

  1. Bandela Siri Chandana 3,075 Reputation points Moderator
    2025-02-18T06:07:21.6966667+00:00

    Hi @Daniel-9677
    Thank you for posting your issue on Microsoft Q&A.

    I understand that you are creating a policy to block unmanaged &amp; non-compliant devices.

    In the policy you created make the following changes:

    Under Conditions, select Device platforms:

    1. Set Configure to Yes.
    2. Under Devices matching the rule > Exclude filtered devices from policy > Property: isCompliant > Operator: Equals > Value: True, and click on Done.
    3. Under Grant, select "Block".

    Now all the unmanaged &amp; non-compliant devices are blocked.

    Hope this helps. Do let us know if you have any further queries.

    If this answers your query, do click `Accept Answer` and `Yes`.

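As an added illustration (not code from the thread or from Microsoft), the script below expresses the policy from the question in Microsoft Graph PowerShell, adds the sign-in frequency control the accepted answer suggests as a way around the 20-28h long-lived token lifetime, and shows the session revocation for an affected user. It also notes the exclude-mode device filter from the second answer as an alternative. Assumptions: the Microsoft.Graph modules are installed, the signed-in account holds the listed scopes, `$TestGroupId` and the user UPN are placeholders, and the Exchange Online service principal display name matches the one shown under Target Resources in the question. The policy is created in report-only mode so its effect can be reviewed in the sign-in logs before enforcement.

```powershell
# Added example, not part of the original Q&A thread.
# Builds the Conditional Access policy discussed above in report-only mode,
# adds a sign-in frequency control, and revokes sessions for one user.
# Assumed permissions: Policy.ReadWrite.ConditionalAccess, Application.Read.All,
# User.RevokeSessions.All (Microsoft Graph delegated scopes).
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess',
                        'Application.Read.All',
                        'User.RevokeSessions.All'

$TestGroupId = '<object-id-of-the-Test-group>'   # placeholder, replace with your group

# Resolve the Exchange Online app ID from its service principal display name
# (name assumed to match "Office 365 Exchange Online" from the question).
$exo = Get-MgServicePrincipal -Filter "displayName eq 'Office 365 Exchange Online'"
if (-not $exo) { throw 'Exchange Online service principal not found in this tenant' }

$policy = @{
    displayName = 'Block non-compliant mobile/desktop clients for Exchange Online'
    # Report-only first: check sign-in logs for "Report-only: Failure" before enforcing.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($TestGroupId) }
        applications   = @{ includeApplications = @($exo.AppId) }
        clientAppTypes = @('mobileAppsAndDesktopClients')   # browser access stays allowed
        devices = @{
            deviceFilter = @{
                # Filter as in the question: include devices whose isCompliant is False.
                # The second answer's alternative is mode = 'exclude' with
                # rule = 'device.isCompliant -eq True'.
                mode = 'include'
                rule = 'device.isCompliant -eq False'
            }
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
    # Sign-in frequency forces re-authentication (and policy re-evaluation) every
    # hour instead of waiting for the long-lived token to expire.
    sessionControls = @{
        signInFrequency = @{
            isEnabled         = $true
            type              = 'hours'
            value             = 1
            frequencyInterval = 'timeBased'
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"

# Immediate cut-off for a specific user: revoking sessions invalidates refresh
# tokens, so the next token request is evaluated against the policy.
$user = Get-MgUser -UserId 'user@contoso.example'   # placeholder UPN
Revoke-MgUserSignInSession -UserId $user.Id
Write-Output "Revoked sign-in sessions for $($user.UserPrincipalName)"
```

Switch `state` to `enabled` only after the report-only results match the expected set of devices; the sign-in frequency of one hour is a starting point and should be balanced against user prompting.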
