    Conditional access to block browser session for intune MDM enrolled devices

By Eswar Koneti, May 15, 2:07 pm, 3 Mins Read, Azure Active Directory, 4,852 Views

I recently worked on a requirement to create a Conditional Access policy that blocks access to Office 365 through the browser on Intune enrolled devices. We are still Hybrid Azure AD joined and have yet to move to Azure AD join.

We have BYOD Windows 10 Intune enrolled devices, and we decided to block browser-based sessions on these enrolled devices using Conditional Access for apps like OneDrive, Exchange Online, Teams, SharePoint, etc.

To block browser sessions on Intune enrolled devices, I will be using the device state condition in Conditional Access, which has been in preview for almost a year.

To read more about conditions in Azure Active Directory Conditional Access, see https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/conditions

1. Log in to the Azure portal with an account that has enough rights to create Conditional Access policies: https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies

2. Give it the name Block_browser_BYODW10 and select the users/groups that you want to apply this policy to.

3. Under Cloud apps or actions, select the apps that you want to block.

4. Under Conditions, Device platforms, set Configure to ‘Yes’ and under platforms, select Windows.

For Locations, I chose Any location.

5. Client apps (preview): set Configure to ‘Yes’ and select Browser.

This setting catches any session that comes from a browser so that its access can be blocked.

    Browser apps - Browser apps include websites using the SAML, WS-Federation, or OpenID Connect web SSO protocols. This also applies to any website or web service that has been registered as an OAuth confidential client. For example, the Office 365 SharePoint website.


6. Device State (preview): we choose all device states under Include and, under Exclude, choose Hybrid Azure AD joined devices.


This setting excludes all Hybrid Azure AD joined devices and includes every other device state.

If you select ‘Device marked as compliant’ here, Intune enrolled Windows 10 devices are compliant and hence would still be able to access the apps via browser, so we don't select this.

If you have devices that are Azure AD joined, this setting applies to them as well, so be cautious with it.

How do you differentiate Intune enrolled (BYOD) devices from Azure AD joined (+Intune) devices with this setting? There is no way at the moment.

This policy blocks access from every device state except Hybrid Azure AD joined. Since we are still Hybrid Azure AD joined, this is a perfect match for us at this point in time.

7. Now we come to the final setting, Access controls: choose Block access.

With this, we have completed the Conditional Access policy that blocks browser access from Intune enrolled devices for the selected applications.
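As an added example (not code from the original post), here is the policy built in steps 2 to 7 expressed as a Microsoft Graph-style conditionalAccessPolicy body, with a small local evaluator run over constructed sign-ins to show which sessions end up blocked. The group and app ids are placeholders, and the deviceStates block mirrors the deprecated Device state (preview) condition, whose value names are an assumption.

```python
# Added example, not code from the original post: the policy from the steps
# above as a Graph-style conditionalAccessPolicy body plus a local evaluator.
# Group/app ids are placeholders; "deviceStates" mirrors the (deprecated)
# Device state (preview) condition and its value names are an assumption.
BYOD_GROUP, TEAMS, SHAREPOINT, PORTAL = "<byod-group-id>", "<teams-app-id>", "<spo-app-id>", "<portal-app-id>"
POLICY = {
    "displayName": "Block_browser_BYODW10",
    "state": "enabled",
    "conditions": {
        "users": {"includeGroups": [BYOD_GROUP]},
        "applications": {"includeApplications": [TEAMS, SHAREPOINT]},
        "platforms": {"includePlatforms": ["windows"]},
        "locations": {"includeLocations": ["All"]},
        "clientAppTypes": ["browser"],
        # include every device state, then carve out hybrid Azure AD joined
        "deviceStates": {"includeStates": ["All"], "excludeStates": ["DomainJoined"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}


def is_blocked(policy: dict, signin: dict) -> bool:
    """True when the sign-in matches every condition, so the block control fires."""
    c = policy["conditions"]
    if signin["group"] not in c["users"]["includeGroups"]:
        return False
    if signin["app"] not in c["applications"]["includeApplications"]:
        return False
    if signin["platform"] not in c["platforms"]["includePlatforms"]:
        return False
    if signin["client_app"] not in c["clientAppTypes"]:
        return False
    ds = c["deviceStates"]
    in_scope = "All" in ds["includeStates"] or signin["device_state"] in ds["includeStates"]
    # a Compliant (Intune-enrolled or Azure AD joined) device stays in scope; only the excluded DomainJoined state escapes
    if not in_scope or signin["device_state"] in ds["excludeStates"]:
        return False
    return "block" in policy["grantControls"]["builtInControls"]


def sample_decisions() -> dict:
    """Constructed sign-ins (not real log data); device_state is Compliant, DomainJoined or None."""
    base = {"group": BYOD_GROUP, "platform": "windows"}
    cases = {
        "byod_intune_browser_teams": {**base, "app": TEAMS, "client_app": "browser", "device_state": "Compliant"},
        "hybrid_joined_browser_teams": {**base, "app": TEAMS, "client_app": "browser", "device_state": "DomainJoined"},
        "byod_intune_desktop_teams": {**base, "app": TEAMS, "client_app": "mobileAppsAndDesktopClients", "device_state": "Compliant"},
        "byod_intune_browser_portal": {**base, "app": PORTAL, "client_app": "browser", "device_state": "Compliant"},
        "unmanaged_browser_sharepoint": {**base, "app": SHAREPOINT, "client_app": "browser", "device_state": "None"},
    }
    return {name: is_blocked(POLICY, s) for name, s in cases.items()}
```

The compliant BYOD case is blocked even though the device is compliant, which is why excluding ‘Device marked as compliant’ would defeat the policy, and the desktop-client case passes because only the browser client app type is in scope.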

We will now look at the end-user experience on devices that are Intune enrolled, or in any other device state that is not Hybrid Azure AD joined:

On an Intune enrolled Windows 10 device, log in to https://portal.office.com. It works because we blocked only a set of applications, not all cloud apps.

Click on the Teams icon and you will see the following message:

    You cannot access this right now.


The same happens for all other applications included in the Conditional Access policy. However, if you access Teams or Outlook via a non-browser, app-based client, it works fine.

Hope it is useful.
