Azure Conditional Access -- Office365 Apps

Jacob Schwartz 1 Reputation point
2021-11-03T17:27:48.243+00:00

I am trying to set up some Conditional Access policies that will allow non-compliant devices to access Office365 services in-browser, while also being able to use the Office suite on their device -- with the exception of adding a corporate email account to Outlook/Teams/OneDrive. Compliant devices should be able to use either browser or desktop apps, as well as adding their corporate email account to Outlook/Teams/OneDrive.

I attempted setting a policy that includes Office365 Exchange Online and excludes Office365, but it appears Office365 contains Office365 Exchange Online and is taking precedence in the policy.

Is it possible to achieve the above scenario with basic Conditional Access policies?

The end goal is to prevent non-compliant devices from storing their mailbox data locally.

Thanks


1 answer

  1. Jamie Sabbatella 646 Reputation points
    2021-11-03T23:55:27.427+00:00

    Hi,

    I think you can achieve this by setting conditions; I have some screenshots below.

    The policy excludes browsers in "client apps" but has "require device to be marked as compliant" in the Grant tab.

    So the browser should bypass the rule checking for a non-compliant device.

    146392-screenshot-2021-11-03-235139.png

    146336-screenshot-2021-11-03-235215.png

    Kind Regards,

    Jamie Sabbatella

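The policy described in the answer above (Office 365 targeted, browser left out of the client app types, compliant device required), written out as a Microsoft Graph conditional access policy and created with the Microsoft Graph PowerShell SDK. This is an added example, not code from the thread; it assumes the Microsoft.Graph module is installed, the signed-in admin holds Policy.ReadWrite.ConditionalAccess, and the display name and break-glass account ID are placeholders you replace.

```powershell
# Added example: the answer's policy as a Graph conditionalAccessPolicy object.
# Start in report-only so sign-in logs show who would be affected before enforcing.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$policy = @{
    displayName = "Office 365 rich clients require compliant device"   # constructed name
    state       = "enabledForReportingButNotEnforced"                  # change to "enabled" after review
    conditions  = @{
        users = @{
            includeUsers = @("All")
            # Always exclude an emergency-access account so a compliance outage cannot lock admins out.
            excludeUsers = @("<break-glass-account-object-id>")      # placeholder
        }
        applications = @{
            includeApplications = @("Office365")   # the Office 365 app group, which includes Exchange Online
        }
        # "browser" is deliberately absent, so browser sign-ins are not evaluated by this policy
        # and non-compliant devices keep web access. Desktop/mobile apps, ActiveSync and legacy
        # ("other") clients are in scope and must come from a compliant device.
        clientAppTypes = @("mobileAppsAndDesktopClients", "exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

After creating it, use the "What If" tool or the report-only results in the sign-in logs to confirm a non-compliant device is allowed in the browser but blocked in Outlook, Teams and OneDrive desktop clients.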
