How to restrict access to O365 from unsupported OS like Ubuntu and CentOS using Conditional Access


If you use O365 services, you may run into a requirement to block unsupported OS (Ubuntu, CentOS, etc.) from accessing O365 resources. There are a couple of ways to restrict unsupported OS using Azure Active Directory Conditional Access.

The only device platforms supported at the moment are iOS, Android, Mac and Windows. Supported devices can be controlled to protect data from leaking with a combination of Conditional Access and Intune; unsupported OS cannot be managed, however, so you must block them from accessing O365 resources. For more information about Conditional Access, see the links in the reference section at the end of this post.

For this requirement, we can use Conditional Access to block all device platforms while excluding the supported OS.

If you enroll devices (MDM for iOS, Android, Windows (WIP) and Mac), you can create a Conditional Access policy that grants access only to compliant and hybrid Azure AD joined devices, as shown below, so you do not need a separate block policy for other OS. If you use MAM-WE (without device enrollment), you need to create the Conditional Access policy that we are going to see now.

The settings below block access: a user trying to access O365 resources must satisfy one of the selected controls, and Ubuntu, CentOS and other unsupported OS cannot be compliant or hybrid Azure AD joined for now.

Access control -> Grant.


If devices are not enrolled (MAM-WE), follow the steps below to block unsupported OS. For the supported OS, allow MAM-WE according to your organization's policies.

1. Log in to the Azure Portal and go to the Intune blade (https://portal.azure.com/#blade/Microsoft_Intune_DeviceSettings/ExtensionLandingBlade/overview)

2. Click Conditional Access, Policies, New policy (https://portal.azure.com/#blade/Microsoft_Intune_DeviceSettings/ExchangeConnectorMenu/aad/connectorType/2)

3. Give it a name, something like Global-Block-UnSuppOS-AllApps

4. Assignments: include All users

5. Cloud apps: include All cloud apps

6. Conditions, Device platforms: set Configure to Yes and include All platforms (including unsupported)

7. On the same page, click Exclude and select the supported OS you currently have

8. Click Done, Done

9. Access controls, Grant: select Block access and click Select

10. Set Enable policy to Yes

11. Finally, click Save to apply the settings to all users with the block action.
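As an added example (not from the original post), here is the same policy expressed as a Microsoft Graph conditionalAccessPolicy body, with an audit function that flags a policy that has drifted from the walkthrough (disabled, a supported platform missing from the exclusions, grant control not Block). The field names follow the Graph conditionalAccessPolicy schema; the policy name, the platform list and the helper functions are assumptions, and nothing here calls a tenant.

```python
from typing import Dict, List

# Platforms the post names as manageable with Intune / MAM (constructed list).
SUPPORTED_PLATFORMS = ["android", "iOS", "windows", "macOS"]

def build_block_unsupported_os_policy(name="Global-Block-UnSuppOS-AllApps") -> Dict:
    """Policy from the walkthrough as a Graph conditionalAccessPolicy body:
    all users, all cloud apps, all platforms included, the supported
    platforms excluded, grant control = block, policy enabled."""
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "platforms": {
                "includePlatforms": ["all"],
                "excludePlatforms": list(SUPPORTED_PLATFORMS),
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def audit_policy(policy: Dict) -> List[str]:
    """Return findings where the policy deviates from the intended state.
    An empty list means unsupported platforms, and only those, are blocked."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append("policy is not enabled, so it is not enforced")
    cond = policy.get("conditions", {})
    if cond.get("users", {}).get("includeUsers") != ["All"]:
        findings.append("not scoped to All users")
    if cond.get("applications", {}).get("includeApplications") != ["All"]:
        findings.append("not scoped to All cloud apps")
    plat = cond.get("platforms") or {}
    if plat.get("includePlatforms") != ["all"]:
        findings.append("includePlatforms is not 'all': unsupported OS are not covered")
    excluded = set(plat.get("excludePlatforms", []))
    missing = sorted(set(SUPPORTED_PLATFORMS) - excluded)
    if missing:
        findings.append(f"supported platforms not excluded, would be blocked: {missing}")
    extra = sorted(excluded - set(SUPPORTED_PLATFORMS))
    if extra:
        findings.append(f"unmanageable platforms excluded from the block: {extra}")
    if policy.get("grantControls", {}).get("builtInControls") != ["block"]:
        findings.append("grant control is not Block")
    return findings
```

Run `audit_policy` over policies exported from the tenant to confirm the block still covers only the unmanageable platforms after someone edits the exclusion list.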


References:

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-faqs

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-best-practices

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-technical-reference
