Conditional Access Question

Question

Conditional Access Question

Cochran, Joel 106

We let SharePoint auto-create the policy "Block Access from Apps on Unmanaged Devices" which essentially does the following:

Users and Groups = All Users (except Global Admins)
Cloud apps or Actions = Office 365 SharePoint Online
Conditions - Client Apps = Mobile apps and desktop clients
Access Controls = Require either Hybrid Azure Joined or compliant

Someone attempted to sign into Outlook (for Android) on their tablet, and it was prompting them to install the Company Portal app. I thought it would only trigger if they were attempting to access OneDrive FB or SharePoint via an app? Turning it to Report-Only resolved for now as we're just in testing phase.

There is a separate cloud app for Exchange Online, so I thought the SharePoint app would only apply to SPO and ODfB. Any ideas?

Cochran, Joel 106 Reputation points

2021-03-03T18:56:04.417+00:00
Thanks for the info. I'm just confused about a thing or two.

When we had the policy in Report-Only, it showed that it wasn't applied as the Outlook Mobile Application was "Not Matched". As soon as we turned it on, it started matching Outlook Mobile Application. Didn't really make sense to me.

Why is Exchange using SharePoint data? We only setup people here with Exchange and disable SharePoint Online access. Everything still works fine. In fact, if we attempt to sign them into OneDrive (after granting them that service license), it has to be setup the first time. Seems like if they didn't have access to SP then their email wouldn't work at all.

Again...I might be comparing apples and oranges here, or just be totally off the mark.
Chelsea Wu 6,346 Reputation points Moderator

2021-03-04T02:57:56.737+00:00
To answer your questions:

According to the document: What is Conditional Access report-only mode?
Report-only mode is used to evaluate the impact of Conditional Access policies before enabling them in their environment and is not applicable for Conditional Access policies with "User Actions" scope.
Policies in report-only are evaluated but not enforced during sign-in, which is possibly why it matches more applications after being enabled.

Exchange is not using SharePoint data, but storing data in the linked OneDrive/SharePoint account. It does not matter if you have a OneDrive account connected in Outlook, it is covered by the policy soon as the client/app calls the service.

Answer accepted by question author

1 additional answer

Your answer

Cochran, Joel 106 Reputation points

2021-03-03T18:56:04.417+00:00

Thanks for the info. I'm just confused about a thing or two.

When we had the policy in Report-Only, it showed that it wasn't applied as the Outlook Mobile Application was "Not Matched". As soon as we turned it on, it started matching Outlook Mobile Application. Didn't really make sense to me.

Why is Exchange using SharePoint data? We only setup people here with Exchange and disable SharePoint Online access. Everything still works fine. In fact, if we attempt to sign them into OneDrive (after granting them that service license), it has to be setup the first time. Seems like if they didn't have access to SP then their email wouldn't work at all.

Again...I might be comparing apples and oranges here, or just be totally off the mark.
Chelsea Wu 6,346 Reputation points Moderator

2021-03-04T02:57:56.737+00:00

To answer your questions:

According to the document: What is Conditional Access report-only mode?
Report-only mode is used to evaluate the impact of Conditional Access policies before enabling them in their environment and is not applicable for Conditional Access policies with "User Actions" scope.
Policies in report-only are evaluated but not enforced during sign-in, which is possibly why it matches more applications after being enabled.

Exchange is not using SharePoint data, but storing data in the linked OneDrive/SharePoint account. It does not matter if you have a OneDrive account connected in Outlook, it is covered by the policy soon as the client/app calls the service.

Answer 1

Conditional Access policy is not set directly on a client (public/native) application, but is applied when a client calls a service, quoting the document here: Conditional Access: Cloud apps or actions.

The policy blocks user access whenever the client/app is calling SharePoint or OneDrive, while Outlook mobile app uses OneDrive for storage purpose. That is why Outlook mobile app is not excluded from this policy and asks for enrollment on non-compliant devices.

If an Answer is helpful, please click "Accept Answer" and upvote it.
**Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread. **

Answer 2

Michal Barták 236

Hello,

when you add your account to Outlook on Android, it automatically adds OneDrive for Business as well. And since the URL is basically on Sharepoint, then I assume this is what is happening?

Share via

Conditional Access Question

1 additional answer

Your answer