Block Office 365 apps on specific devices using Azure AD Conditional Access

I recently got a requirement that all Office 365 applications, for example Exchange Online / Outlook client email access, SharePoint Online, OneDrive, Microsoft Teams, Microsoft Forms, etc., should be blocked, both online and installed application access, from specific devices that were being used by a few developers in the IT department. As these were development machines, there was no requirement to use Office 365 applications on them.

One more thing to note is that the developer devices follow a specific naming convention, for example Win10 in their name. We will therefore see how to create a Conditional Access (CA) policy and target it at these devices. A Conditional Access policy can be applied to devices based on the device filter, which is available under Conditions in any CA policy.

Create an Azure AD Conditional Access (CA) Policy

  • Log in to the Microsoft Azure Portal.
  • Search for Azure AD Conditional Access and then click on New policy to create a new CA policy.
[Screenshot: Azure AD Conditional Access, New policy]

Once you click on Create new policy, configure the policy as described below. I am only listing the options which you need to configure in the policy; the rest of the settings will be left as not configured.

Users or workload Identities

Name: Block Office365 apps on Developer Devices

Users or workload identities: All Users

Cloud apps or actions

Include: Select apps

Select all the apps which you want to block, for example Office 365 Exchange Online, Office 365 SharePoint Online, Office 365 Yammer, Microsoft Teams, etc. You could also just add Office 365 directly, which will block all Office 365 applications. The screenshot below shows the apps I wanted to block being added individually.

[Screenshot: Azure AD Conditional Access policy settings, cloud apps]


Device Platforms: As I know that all the devices which I want to block are Windows-based, include only Windows from the list of device platforms.

[Screenshot: Azure AD Conditional Access policy settings, device platforms]

Client Apps: Select Yes and then select Browser and Mobile apps and desktop clients.

[Screenshot: Azure AD Conditional Access policy settings, client apps]

Filter for devices: Configure a filter to apply policy to specific devices.

Configure: Yes

Select Include filtered devices in policy

Create a rule to filter the devices. For example, I want to apply this policy only to sign-ins from machines which contain Win10 in their name. Therefore, the rule which I will use is: device.displayName -contains "Win10"

[Screenshot: Azure AD Conditional Access policy settings, filter for devices]

Access Controls


For the Grant access control configuration, select Block access to block Office 365 access from these machines. As we have applied the policy to all users, anyone who uses a machine which contains Win10 in its name and tries to access any of the Office 365 apps included in this CA policy will be blocked, and the apps will not be accessible via web browser or via thick client / installed app.

[Screenshot: Azure AD Conditional Access policy settings, Grant control]
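The same policy expressed through Microsoft Graph PowerShell, as an added example that is not part of the original post. It assumes the Microsoft.Graph module is installed, targets the built-in Office365 app group instead of individually selected apps, and creates the policy in report-only state (a choice made for this example) so the sign-in logs can be reviewed before it is enforced.

```powershell
# Added example: create the Conditional Access policy described above via Microsoft Graph.
# Requires the Microsoft.Graph module and an account allowed to manage Conditional Access.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

$policy = @{
    displayName = 'Block Office365 apps on Developer Devices'
    # Assumption of this example: start in report-only mode, review the sign-in logs,
    # then change the state to 'enabled' to enforce the block.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All') }
        # 'Office365' is the built-in app group; the post selects the apps individually.
        applications   = @{ includeApplications = @('Office365') }
        platforms      = @{ includePlatforms = @('windows') }
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
        devices        = @{
            deviceFilter = @{
                mode = 'include'
                # Use straight double quotes inside the rule; typographic quotes
                # copied from a web page are not valid rule syntax.
                rule = 'device.displayName -contains "Win10"'
            }
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read back what was stored so the state and device filter can be checked.
[pscustomobject]@{
    Id    = $created.Id
    State = $created.State
    Mode  = $created.Conditions.Devices.DeviceFilter.Mode
    Rule  = $created.Conditions.Devices.DeviceFilter.Rule
}
```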

Policy Testing

Let's test our policy from one of my test machines which contains Win10 in its name. The name of the computer is AdeleV-Win10; therefore, I should not be allowed access to any Office 365 app from this PC.

Below is the screenshot from my test PC.

[Screenshot: test PC named AdeleV-Win10]

Test 1: Access to Microsoft Teams App

The error message below was displayed when I tried to access the Microsoft Teams app. This is because of the Conditional Access policy we just created.

[Screenshot: Microsoft Teams sign-in blocked by the Conditional Access policy]

Test 2: Access to Microsoft Exchange Online Web App

Access to the online version of Outlook has been blocked as well, with the error message:

Your sign-in was successful but does not meet the criteria to access this resource. For example, you might be signing in from a browser, app, or location that is restricted by your admin.

[Screenshot: Outlook on the web sign-in blocked by the Conditional Access policy]


To conclude this blog post, I would like to say that Conditional Access is a really powerful tool to secure your Microsoft 365 and Azure environment. Using device filters we can narrow down a policy to specific device types, and there are various other conditions and filters which you can create to make sure that the policy is targeting the right systems. In this blog post, we saw how to block Office 365 apps from specific devices using a Conditional Access policy.