Block Microsoft 365 apps using Conditional Access

I received a recent requirement to block access to all Microsoft 365 applications, such as Exchange Online, SharePoint Online, OneDrive, Microsoft Teams, and Microsoft Forms etc.

We need to block these apps on specific devices and not all devices. Therefore, we would be utilizing a Conditional Access policy and use Device filters.

Those devices follow a specific naming convention, such as having Win10 in their names. This will make it easier to create a policy and apply a filter based on the naming convention.

Create an Entra Conditional Access (CA) Policy

  • Sign in to the Entra admin center.
  • Search for Microsoft Entra Conditional Access and click on Create new policy to create a new CA policy.
Create a New Conditional Access Policy
  • When you select Create a new policy, you must configure the policy using the following settings. I’ll provide the options you need to configure, while the remaining settings should be set to not configured.
  • Provide a Name to the CA policy. For example, Block Office365 apps on Developer Devices.

Users

  • Users: Select All Users under Include.

Target resources

  • Select apps under Include

Choose all the apps you wish to block, such as Office 365 Exchange Online, Office 365 SharePoint Online, Office 365 Yammer, Microsoft Teams, etc. Alternatively, you can add Office 365 App to block all Office 365 applications. The provided screenshot illustrates adding individual apps that I wanted to block.

Select Office 365 apps to block
Select Office 365 apps to block

Conditions

  • Device Platforms: Toggle the Configure switch to Yes and click on Select device platforms. Select Windows.
Select Windows devices under Device platforms
Select Windows devices under Device platforms

Client Apps

  • Toggle the Configure switch to Yes, then Select Browser, Mobile Apps, and Desktop Clients.
Apply to Browser and Mobile apps and desktop clients
Apply to Browser and Mobile apps and desktop clients

Client Apps

  • Click on Filter for devices and toggle the Configure switch to Yes.
  • Select Include filtered devices in the policy.

To filter the devices and apply this policy only to machines with Win10 in their name, create a rule using the query: device.displayName -contains ‘Win10‘. This way, the policy will specifically target devices with Win10 in their display name.

Conditional Access policy filter will only target devices which contains Win10 in their name
The conditional Access policy filter will only target devices that contain Win10 in their name

Access Controls

Grant

Under the Grant access control configuration, select Block access to prevent access to Office 365 from the machines. Since the policy has been applied to all users, anyone using machines with Win10 in their name will be blocked from accessing any Office 365 apps included in this CA policy.

Block O365 Access to all users where device name contains "*Win10*"
Block O365 Access to all users where device name contains Win10

End-user Experience

Now, let’s test our policy on one of my test machines, which has Win10 in its name. The computer is named AdeleV-Win10, Office 365 Apps should be blocked on this PC due to the CA policy we configured earlier.

Below is the screenshot from my test PC.

Verify Conditional Access policy
Verify the Conditional Access policy

Test 1: Access to Microsoft Teams App

The error message displayed when attempting to access the Microsoft Teams app results from the Conditional Access Policy we recently implemented.

sign-in was successful but does not meet the criteria
sign-in was successful but does not meet the criteria

Test 2: Access to Microsoft Exchange Online Web App

Outlook on the web is also blocked. When we tried to access it, it resulted in below error message:

Your sign-in was successful but does not meet the criteria for accessing this resource. For example, you might be signing in from a browser, app, or location restricted by your admin.

sign-in was successful but does not meet the criteria
sign-in was successful but does not meet the criteria

Conclusion

In summary, Conditional Access is a powerful tool for enhancing the security of your Microsoft 365 and Azure environment. Device filters allow you to fine-tune policies to specific device types, and various other conditions and filters are available to ensure policies are precisely targeted. In this blog post, we learned how to block access to Office 365 apps from specific devices using a Conditional Access policy.

Leave a Comment