Conditional Access to deny/block access to Exchange Online from Windows and Mac devices

In this blog post, we will see how to use conditional access to deny/block access to Office 365 Exchange Online (email) from Windows and Mac devices.

Conditional access allows access to company data only for authenticated users on compliant devices, from approved apps, under the right conditions. (If you apply conditional access to a list of users, their devices must be enrolled before they can be checked for compliance.) For more information about conditional access, see TechNet: https://docs.microsoft.com/en-us/intune/conditional-access

To block access to O365 Exchange Online (not Exchange on-prem) from Windows and Mac devices using mobile apps and desktop apps such as Outlook, we need to create a conditional access policy with assignments and access controls.

To start, go to https://portal.azure.com, click Intune on the right side, then click Conditional access.

Click Policies, then create a New policy.

Give the policy a Name. Under Assignments, click Users and groups and choose Select users and groups. On the right side, you can pick specific users or groups, or choose All users. Click Done.

Under Cloud apps, select the apps (in this case, Office 365 Exchange Online) and click Done.

Under Conditions, select Device platforms, choose Windows and macOS (preview), and click Done.

Under Client apps, choose Mobile apps and desktop clients (since we have chosen only Windows and Mac, this will apply to desktop clients and no mobile apps).

Click Access controls, then Grant, and choose Block to deny access to Exchange Online when users connect from desktop clients on Windows and Mac (as per the settings above).

 

Click on Enable policy to save the changes and enable the policy
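
The policy built in the steps above, written out as an added example (not from the original post): the same settings in the shape of a Microsoft Graph conditionalAccessPolicy body, plus a simplified evaluator run over constructed sign-in attempts to show what falls inside the block and what does not. The display name, the sample attempts and their field names are assumptions.

```python
import json

# Application ID of Office 365 Exchange Online (same in every tenant).
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"
OTHER_APP = "11111111-1111-1111-1111-111111111111"  # constructed placeholder

# Graph conditionalAccessPolicy shape; displayName is made up, "All" = all users.
POLICY = {
    "displayName": "Block EXO desktop clients on Windows and macOS",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": [EXCHANGE_ONLINE]},
        "platforms": {"includePlatforms": ["windows", "macOS"]},
        "clientAppTypes": ["mobileAppsAndDesktopClients"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

def is_blocked(policy, sign_in):
    """Simplified model: the block applies only if every condition matches."""
    cond = policy["conditions"]
    users = cond["users"]["includeUsers"]
    return (
        policy["state"] == "enabled"
        and "block" in policy["grantControls"]["builtInControls"]
        and ("All" in users or sign_in["user"] in users)
        and sign_in["app_id"] in cond["applications"]["includeApplications"]
        and sign_in["platform"] in cond["platforms"]["includePlatforms"]
        and sign_in["client_app"] in cond["clientAppTypes"]
    )

def attempt(platform, client_app, app_id=EXCHANGE_ONLINE):
    # Constructed sign-in attempt; field names are hypothetical, not a log schema.
    return {"user": "user@example.com", "app_id": app_id,
            "platform": platform, "client_app": client_app}

SAMPLES = {
    "outlook_on_windows": attempt("windows", "mobileAppsAndDesktopClients"),
    "mail_app_on_macos": attempt("macOS", "mobileAppsAndDesktopClients"),
    "browser_on_windows": attempt("windows", "browser"),
    "outlook_on_ios": attempt("iOS", "mobileAppsAndDesktopClients"),
    "other_app_on_windows": attempt("windows", "mobileAppsAndDesktopClients", OTHER_APP),
}

def evaluate_samples():
    return {name: is_blocked(POLICY, s) for name, s in SAMPLES.items()}

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))  # body to review before creating the policy
    print(evaluate_samples())
```

Only the first two attempts are blocked: browser sign-ins from Windows, other platforms, and other cloud apps fall outside this policy's conditions.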

End user experience:

If a user tries to access Exchange Online email from a Windows or Mac device using a native app (the one that comes with Windows 10 by default, or a desktop client), they will immediately hit an error message that comes from conditional access.

 

Hope it helps!

References:

Conditional access https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access

Protect access to email, Office 365, and other services with Microsoft Intune https://docs.microsoft.com/en-us/intune-classic/deploy-use/restrict-access-to-email-and-o365-services-with-microsoft-intune

4 Responses to "Conditional Access to deny/block access to Exchange Online from Windows and Mac devices"

  1. Eduardo Recuero García

    Hi,
    I'm testing around this scenario.
    First I totally blocked access to Exchange Online.
    It seems to work. If I try to set up an Outlook client from a PC or Android phone, it's not possible.
    However, if the mailbox is already configured, it continues to send and receive mail.
    How is this possible?
    How can I force the already open session to close?

    Thank you.
    Regards.
