I received a recent requirement to block access to all Microsoft 365 applications, such as Exchange Online, SharePoint Online, OneDrive, Microsoft Teams, and Microsoft Forms etc.
We need to block these apps on specific devices and not all devices. Therefore, we would be utilizing a Conditional Access policy and use Device filters.
Those devices follow a specific naming convention, such as having Win10 in their names. This will make it easier to create a policy and apply a filter based on the naming convention.
Create an Entra Conditional Access (CA) Policy
- Sign in to the Entra admin center.
- Search for Microsoft Entra Conditional Access and click on Create new policy to create a new CA policy.
- When you select Create a new policy, you must configure the policy using the following settings. I’ll provide the options you need to configure, while the remaining settings should be set to not configured.
- Provide a Name to the CA policy. For example, Block Office365 apps on Developer Devices.
Users
- Users: Select All Users under Include.
Target resources
- Select apps under Include
Choose all the apps you wish to block, such as Office 365 Exchange Online, Office 365 SharePoint Online, Office 365 Yammer, Microsoft Teams, etc. Alternatively, you can add Office 365 App to block all Office 365 applications. The provided screenshot illustrates adding individual apps that I wanted to block.
Conditions
- Device Platforms: Toggle the Configure switch to Yes and click on Select device platforms. Select Windows.
Client Apps
- Toggle the Configure switch to Yes, then Select Browser, Mobile Apps, and Desktop Clients.
Client Apps
- Click on Filter for devices and toggle the Configure switch to Yes.
- Select Include filtered devices in the policy.
To filter the devices and apply this policy only to machines with Win10 in their name, create a rule using the query: device.displayName -contains ‘Win10‘. This way, the policy will specifically target devices with Win10 in their display name.
Access Controls
Grant
Under the Grant access control configuration, select Block access to prevent access to Office 365 from the machines. Since the policy has been applied to all users, anyone using machines with Win10 in their name will be blocked from accessing any Office 365 apps included in this CA policy.
End-user Experience
Now, let’s test our policy on one of my test machines, which has Win10 in its name. The computer is named AdeleV-Win10, Office 365 Apps should be blocked on this PC due to the CA policy we configured earlier.
Below is the screenshot from my test PC.
Test 1: Access to Microsoft Teams App
The error message displayed when attempting to access the Microsoft Teams app results from the Conditional Access Policy we recently implemented.
Test 2: Access to Microsoft Exchange Online Web App
Outlook on the web is also blocked. When we tried to access it, it resulted in below error message:
Your sign-in was successful but does not meet the criteria for accessing this resource. For example, you might be signing in from a browser, app, or location restricted by your admin.
Conclusion
In summary, Conditional Access is a powerful tool for enhancing the security of your Microsoft 365 and Azure environment. Device filters allow you to fine-tune policies to specific device types, and various other conditions and filters are available to ensure policies are precisely targeted. In this blog post, we learned how to block access to Office 365 apps from specific devices using a Conditional Access policy.
