I recently worked on requirement to create conditional access that will block access to office365 via browser app on intune enrolled device . We are still Hybrid Azure AD join and yet to be Azure AD join.
we have BYOD windows 10 intune enrolled devices and we have decided to block browser based sessions on these enrolled devices using conditional access for the apps like onedrive,exchange online,teams,Sharepoint etc.
In order to block browser session on Intune enrolled devices ,I will be using device state in conditional access which is still in preview for almost year .
To read more about What are conditions in Azure Active Directory conditional access https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/conditions
1. Login to Azure portal with an account that has enough rights to create Conditional Access https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies
2.Give it name Block_browser_BYODW10 ,select users/groups that you want to apply this policy
3. Cloud apps or actions and select the apps that you want block.
4. On conditions , Device platforms , configure ‘ Yes’ and under platform ,select windows
For locations ,I choose any .
5. Client apps (preview) ,configure ‘Yes’ and select Browser.
This setting help to monitor the any session that are coming from browser and block the access.
Browser apps - Browser apps include websites using the SAML, WS-Federation, or OpenID Connect web SSO protocols. This also applies to any website or web service that has been registered as an OAuth confidential client. For example, the Office 365 SharePoint website.
6.Device State (preview) ,we choose all device state and in the exclude ,choose hybrid Azure AD joined devices.
This setting will help us to exclude all Hybrid Azure AD join devices and include all other device state.
If you select ‘device marked complaint’ then intune enrolled windows 10 devices are compliant hence they will be able to access apps via browser so we don't select this.
If you have devices which are Azure AD join then this setting apply to them as well , so be cautious with this setting.
How do you differentiate Intune enrolled devices (BYOD) and Azure AD joined devices (+intune) with this setting? There is None at the moment .
This policy block access to all device state except hybrid Azure AD Join. Since we are still hybrid Azure AD join, this is perfect match for us at this point of time.
7.Now we have come to final setting which is access control ,choose Block access.
With this ,we have completed the Conditional access to block browser app from intune enrolled devices for selected applications.
we will now see the end-user experience on devices that are intune enrolled or any other device state which is not hybrid azure AD join:
On intune enrolled windows 10 device ,login to https://portal.office.com .It works because we blocked only set of applications but not all cloud apps.
Click on teams icon ,you will see the following message.
You cannot access this right now.
The same happens to all other applications that are included in the conditional access however ,if you access teams,outlook via non-browser which is app based, it works fine,
Hope it is useful