Block all 365 apps except Outlook via CA
Trying to block 365 for a subset of users, except email. The old app-based CA rules made this easy. The new 'resource' based setup... I'm not even sure if it's possible. Copilot just keeps telling me to use the old version of CA, because it hasn't clued into Microsoft's downgrade cycle. If I try to filter by resource attribute, I'm told I don't have permission to do so. I'm the global admin.
Here's what searching for Outlook gives me
and Exchange
Advice? We ARE Intune licensed, but I'm not sure App Protection Policies will help here. The intention is to block BYOD from accessing anything but Outlook / Exchange. That is, mobile devices that aren't (whatever param I decide on).
2 Replies
- JonathanCox234 (Copper Contributor)
Hi underQualifried, to block all 365 apps except Outlook on BYOD devices, you’ll likely need a combination of Conditional Access (CA) policies and App Protection Policies (APP). In the new resource-based CA setup, create a policy targeting all cloud apps and then exclude Exchange Online. Then, enforce APP on mobile devices to restrict access to only Outlook. Make sure the policy applies to the correct device platforms and user groups. This approach effectively blocks other 365 apps while allowing email on unmanaged devices.
- rogerval (Copper Contributor)
The new resource-based condition is still maturing and doesn’t yet offer a simple way to include everything except Exchange. The easiest approach is to stick with the existing **Cloud apps** condition for this scenario. You can create a conditional access policy that targets your BYOD user/device group, include **All cloud apps**, then under *Exclude* add **Office 365 Exchange Online**. Set the policy to *Block* and it will block access to all Microsoft 365 services except Exchange/Outlook.
If you want to scope this to unmanaged devices only, use the **Device state** or **Filter for devices** condition to include only devices that are not compliant or hybrid joined. App Protection Policies will help protect data but won’t stop sign-in to other apps. Until the resource model supports more granular filters, the legacy cloud app exclusions are still the recommended way to allow Outlook while blocking the rest.
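The policy shape described in the replies above (include all cloud apps, exclude Exchange Online, block, scoped by a device filter), written as a Microsoft Graph PowerShell call. This is an added example, not part of either reply; the group object ID and display name are placeholders, the restriction to Android and iOS is an assumption taken from the question's "mobile devices", and the policy is created in report-only state so its effect can be checked before enforcement.

```powershell
# Added example (not from the thread): report-only Conditional Access policy that
# blocks every cloud app except Exchange Online for unmanaged mobile devices.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholder (assumption): object ID of the group holding the BYOD users.
$byodGroupId = '<BYOD-USERS-GROUP-OBJECT-ID>'

# Well-known application ID of "Office 365 Exchange Online".
$exchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'

$policy = @{
    displayName = 'BYOD mobile - block all except Exchange Online (example)'
    # Report-only: evaluated and logged in sign-in logs, but not enforced.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeGroups = @($byodGroupId) }
        applications = @{
            includeApplications = @('All')
            excludeApplications = @($exchangeOnlineAppId)
        }
        # Assumption: "mobile devices" in the question means Android and iOS.
        platforms    = @{ includePlatforms = @('android', 'iOS') }
        devices      = @{
            deviceFilter = @{
                # Apply only to devices that are neither compliant nor hybrid joined.
                mode = 'include'
                rule = 'device.isCompliant -ne True -and device.trustType -ne "ServerAD"'
            }
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

After the report-only results in the sign-in logs show that only the intended users and devices match, set `state` to `enabled` with `Update-MgIdentityConditionalAccessPolicy`.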