I recently got a requirement where all the office 365 applications for example, Exchange Online / Outlook Client Email Access, Sharepoint Online, One Drive, Microsoft Teams, Microsoft Forms etc. both Online and Installed application access should be blocked from specific devices which were being used by few developers in the IT department. As these were development machines, there is no requirement to use office 365 applications.
One more thing to note that the developer devices are having a specific naming convention for example Win10 in their name. Therefore, we will see how we can create a Conditional Access (CA) Policy and target it to these type of devices. Conditional Access Policy can be applied to Devices based on the Filter which is available under Conditions of any CA policy.
Create a Azure AD Conditonal Access (CA) Policy
- Login on Microsoft Azure Portal (https://portal.azure.com).
- Search for Azure AD Conditional Access and then click on New policy to create a new CA policy.
Once you click on Create new policy, you will need to configure the policy as per below. I am only providing the options which you need to configure in the policy, rest of the settings will be set to not configured.
Users or workload Identities
Name: Block Office365 apps on Developer Devices
Users or workload identities: All Users
Cloud apps or actions
Include: Select apps
Select all the apps which you want to block for example Office 365 Exchange online, Office 365 Sharepoint Online, Office 365 Yammer, Microsoft Teams etc. You could also directly just add Office 365 which will block all office365 applications. Below screenshot is for adding apps individually which i wanted to block.
Device Platforms: As I know that the all devices which i want to block are windows based devices, therefore, Include only Windows from the list of devices.
Client Apps: Select Yes and then Select Browser and Mobile apps and desktop Clients.
Filter for devices: Configure a filter to apply policy to specific devices.
Select Include filtered devices in policy
Create a rule to filter the devices for example I want to apply this policy only from the machines which contain Win10 in their name. Therefore, the query which I will be use is device.displayName -contains “Win10”
For Grant access control configuration, select Block access to block office365 access from the the machines. As we had applied the policy to all users so effectively if anyone uses the machines which contain Win10 in their name and tries to access any Office365 apps (included in this CA policy), they will be blocked and apps will not be accessible via Web browser or via Thick client / Installed App.
Lets test our policy from one of my test machines which contains Win10 in the name the name of the computer is AdeleV-Win10 therefore, I should not be allowed access to any Office365 app from this PC.
Below is the screenshot from my test PC.
Test 1: Access to Microsoft Teams App
Below error message is displayed when I tried to access Microsoft Teams App. This is because of the conditional Access Policy we just created.
Test 2: Access to Microsoft Exchange Online Web App
Access to Outlook Online version has been blocked as well with the error message:
Your sign-in was successful but does not meet the criteria to access this resource. For example, you might be signing in from a browser, app, or location that is restricted by your admin.
To conclude this blog post, I would like to say that Conditional Access is really powerful tool to secure your Microsoft 365 and Azure environment. Using device filters we can narrow down the policy to specific device types and there are various other conditions and filters which you can create to make sure that the policy is targetting to the right systems. In this blog post, we saw how to block Office 365 apps from specific devices using Conditional Access policy.