Conditional Access to deny /block access to exchange online from windows and mac devices

In this blog post, we will see how to use conditional access to deny/block access to Office 365 Exchange Online (emails) from windows devices and mac devices .

conditional access allow access to company data only for authenticated users from compliant devices (If you apply conditional access to list of users ,device must enroll before they check for device compliance) from approved apps under the right conditions. More information about conditional access read from Technet

To block access to o365 exchange online (not for exchange on-prem) from windows and mac devices using mobile apps and desktop apps like outlook or other apps ,we need to create condition access policy with assignments and access controls.

to start with ,go to ,click on Intune  on the right side, click on Conditional access.


Click on Policies ,create New policy


Give the policy Name ,on the assignments ,click users and groups ,choose select users and groups ,on the right side ,you can choose users or groups or you can choose all users ,click  Done


On the cloud apps, select the apps (in this case , office 365 exchange online) ,client done


On the conditions ,select device platforms ,choose windows and macOS (preview)  ,client done


On the  client apps ,choose mobile apps and desktop clients (since we have chosen only windows and mac, this will apply to desktop clients and no mobile apps) .


Click on access controls ,Grant ,Choose Block to deny access to exchange online if users connect from desktop clients using windows and mac (as per the above setting)



Click on Enable policy to save the changes and enable the policy


End user experience:

If user is trying to access access exchange online using native app (that comes with windows 10 by default or desktop clients) from windows or mac device for emails ,they will straight away hit following error message which is coming from conditional access.



Hope it helps!

References :

Conditional access

Protect access to email, Office 365, and other services with Microsoft Intune

4 Responses to "Conditional Access to deny /block access to exchange online from windows and mac devices"

  1. Eduardo Recuero García · Edit

    I'm testing around this scenary.
    Firstly I blocked totally access to Exchange Online.
    It seem works. If I try to setup an Outlook client from PC or Android phone it's not possible.
    However, if mailbox is already configured, it continue send and receive mails.
    How is possible?
    How can I force to close the session already open?

    Thank you.


Leave a Reply