
RauschNauti
Copper Contributor
Sep 07, 2020

Block access from private devices to Microsoft apps

Hello,

I have a question:

We are planning to buy Microsoft 365 Business Premium and Microsoft 365 Business Standard + Intune Device License.

My problem is that our company doesn't want to allow access to Mail/OneDrive/Microsoft applications ... on private devices.
How can I block the access? The devices will be managed by Intune: Win10 Pro, iOS and maybe some Samsung Galaxys.

Is there an option to only allow managed devices to access Microsoft data? And do I need an additional license?

Best Regards,

Phil

4 Replies

  • olastrom
    Brass Contributor

    Hi RauschNauti,

    As mentioned in this thread, the easiest way to block access is to use Conditional Access. Set a rule for Office 365 and set the grant condition to "require the device to be marked as compliant"; an unmanaged device will never be compliant.

    If you want to ensure that your users are only using approved apps, consider adding the "Require approved client app" to your grant policy as well (only applies to iOS and Android).

    Think this link has already been shared, but I'll add it anyway. https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/require-managed-devices

    This goes without saying, but test on a small scale before deploying company-wide. 🙂

    You will need Azure Active Directory Premium P1 or P2 to use Conditional Access.

  • RauschNauti Hi, as far as I understand from the service description for M365 Business Premium you should be all set with the licenses (CA and Intune). There are a lot of experts in the community on MDM/MAM so you'll probably get additional answers, but yes, you can achieve what you want. I'd like to direct you to the docs for guidance, so maybe start here?

    https://docs.microsoft.com/en-us/mem/intune/fundamentals/what-is-intune

    https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/require-managed-devices

    • RauschNauti
      Copper Contributor

      ChristianBergstrom 

      Hi and thanks,

      I think I can block access to cloud apps. But can I also block access from the iOS Mail app or an installed Outlook client on a PC which is not registered in Intune/Azure?

      Best Regards 🙂

      • ChristianBergstrom
        Silver Contributor

        RauschNauti Hello! As mentioned, I usually don't configure these settings, but see the tutorial and the other link for step-by-step guidance.

        "Learn about using app protection policies with Conditional Access to protect Exchange Online, even when devices aren't enrolled in a device management solution like Intune."

        https://docs.microsoft.com/en-us/mem/intune/protect/tutorial-protect-email-on-unmanaged-devices

        'Block all email apps except Outlook for iOS and Android using conditional access'

        https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/secure-outlook-for-ios-and-android#block-all-email-apps-except-outlook-for-ios-and-android-using-conditional-access

        There are a couple of different approaches as you will see.
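The two approaches discussed in this thread, a Conditional Access policy that requires an Intune-compliant device for all of Office 365 (first reply) and one that limits Exchange Online on iOS/Android to an approved client app such as Outlook (last reply), as an added example built with the Microsoft Graph PowerShell SDK. This is not code from the thread or from the linked Microsoft docs; it assumes the Microsoft.Graph module is installed, and the pilot group name 'CA-Pilot' and the break-glass account object ID are placeholders to replace.

```powershell
# Added example (not from the thread or the linked docs): create two
# Conditional Access policies with the Microsoft Graph PowerShell SDK.
# Assumptions: a pilot group named 'CA-Pilot' exists, and the break-glass
# object ID below is replaced with a real emergency-access account.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All'

$pilotGroup   = Get-MgGroup -Filter "displayName eq 'CA-Pilot'"   # assumed pilot group
$breakGlassId = '00000000-0000-0000-0000-000000000000'            # assumed break-glass user object ID

# Policy 1 (first reply): Office 365 only from a device Intune has marked compliant.
# A PC or phone that is not enrolled has no compliance record and is refused.
# clientAppTypes 'all' also catches legacy authentication clients, which cannot
# satisfy a grant control and are therefore blocked.
$requireCompliant = @{
    displayName   = 'Require compliant device for Office 365'
    state         = 'enabledForReportingButNotEnforced'   # report-only during the pilot
    conditions    = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @('Office365') }
        users          = @{
            includeGroups = @($pilotGroup.Id)
            excludeUsers  = @($breakGlassId)
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice')   # "Require device to be marked as compliant"
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireCompliant

# Policy 2 (last reply): on iOS and Android, Exchange Online only from an approved
# client app (Outlook) or an app covered by an app protection policy, so the
# native Mail app is refused even on a phone that is not enrolled in Intune.
# The approved-app control needs a device platform condition, hence 'platforms'.
$approvedAppOnly = @{
    displayName   = 'Exchange Online: approved client app on mobile'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
        applications   = @{ includeApplications = @('00000002-0000-0ff1-ce00-000000000000') }  # Office 365 Exchange Online
        platforms      = @{ includePlatforms = @('iOS', 'android') }
        users          = @{
            includeGroups = @($pilotGroup.Id)
            excludeUsers  = @($breakGlassId)
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('approvedApplication', 'compliantApplication')   # approved client app OR app protection policy
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $approvedAppOnly

# Check: confirm both policies exist and are still report-only before enabling them.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.DisplayName -like 'Require compliant*' -or $_.DisplayName -like 'Exchange Online:*' } |
    Select-Object DisplayName, State
```

Both policies start in report-only state so the sign-in logs show who would have been blocked; after the pilot, change `state` to `'enabled'` and widen `includeGroups`. The built-in control names map to the portal labels from the replies: `compliantDevice` is "Require device to be marked as compliant", `approvedApplication` is "Require approved client app" and `compliantApplication` is "Require app protection policy". Keep the break-glass exclusion on every policy, otherwise a misconfigured compliance setting can lock the administrators out as well.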
