Conditional Access Question

Cochran, Joel 106 Reputation points
2021-03-01T20:12:13.623+00:00

We let SharePoint auto-create the policy "Block Access from Apps on Unmanaged Devices" which essentially does the following:

  • Users and Groups = All Users (except Global Admins)
  • Cloud apps or Actions = Office 365 SharePoint Online
  • Conditions - Client Apps = Mobile apps and desktop clients
  • Access Controls = Require either Hybrid Azure Joined or compliant

Someone attempted to sign into Outlook (for Android) on their tablet, and it was prompting them to install the Company Portal app. I thought it would only trigger if they were attempting to access OneDrive FB or SharePoint via an app? Turning it to Report-Only resolved it for now as we're just in the testing phase.

There is a separate cloud app for Exchange Online, so I thought the SharePoint app would only apply to SPO and ODfB. Any ideas?


Accepted answer
  1. ChelseaWu-MSFT 6,316 Reputation points
    2021-03-02T04:58:11.22+00:00

    A Conditional Access policy is not set directly on a client (public/native) application, but is applied when a client calls a service, quoting the document here: Conditional Access: Cloud apps or actions.

    The policy blocks user access whenever the client/app is calling SharePoint or OneDrive, while the Outlook mobile app uses OneDrive for storage purposes. That is why the Outlook mobile app is not excluded from this policy and asks for enrollment on non-compliant devices.


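While the policy is in Report-Only, the sign-in logs show which client apps reach SharePoint Online and would be caught. The following is an added example, not part of the original thread: it groups exported sign-in records by calling client and called resource. The records are constructed samples that use Microsoft Graph signIn field names; the app display names and the `rec` helper are assumptions.

```python
from collections import Counter

POLICY = "Block Access from Apps on Unmanaged Devices"  # policy name from the question

# Results meaning the policy blocked, or would have blocked in Report-Only.
IMPACT = {"failure", "reportOnlyFailure", "reportOnlyInterrupted"}


def rec(client, resource, result):
    """Build one constructed record shaped like a Microsoft Graph signIn object."""
    return {
        "appDisplayName": client,          # the client that requested the token
        "resourceDisplayName": resource,   # the service the client called
        "appliedConditionalAccessPolicies": [
            {"displayName": POLICY, "result": result}
        ],
    }


# Constructed sample data (not real tenant logs).
SAMPLE_SIGNINS = [
    rec("Outlook Mobile", "Office 365 Exchange Online", "reportOnlyNotApplied"),
    rec("Outlook Mobile", "Office 365 SharePoint Online", "reportOnlyFailure"),
    rec("Outlook Mobile", "Office 365 SharePoint Online", "reportOnlyFailure"),
    rec("OneDrive", "Office 365 SharePoint Online", "reportOnlySuccess"),
    rec("OneDrive", "Office 365 SharePoint Online", "reportOnlyFailure"),
]


def clients_affected(signins, policy_name):
    """Count (client, resource) pairs where the named policy had an impact."""
    hits = Counter()
    for s in signins:
        for p in s.get("appliedConditionalAccessPolicies") or []:
            if p.get("displayName") == policy_name and p.get("result") in IMPACT:
                hits[(s.get("appDisplayName"), s.get("resourceDisplayName"))] += 1
    return hits


if __name__ == "__main__":
    for (client, resource), n in clients_affected(SAMPLE_SIGNINS, POLICY).most_common():
        print(f"{n:3d}  {client} -> {resource}")
```

The policy matches on the resource column, so a mail client appears in the output as soon as it requests a token for SharePoint Online.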

1 additional answer

  1. Michal Barták 231 Reputation points
    2021-03-01T21:37:28.843+00:00

    Hello,

    When you add your account to Outlook on Android, it automatically adds OneDrive for Business as well. And since the URL is basically on SharePoint, then I assume this is what is happening?