kmann369
Copper Contributor
Mar 09, 2024
Solved

Conditional Access - Allow only MS Teams desktop application on personal devices

Is it possible to set up conditional access policies that allow users to install and use Teams specifically on their personal devices? Currently, I'm only able to select the entire suite of Office 365 apps, which unfortunately grants access to install other applications like Outlook, OneDrive, PowerPoint, etc., and permits downloading files to the user's personal desktop.

 

If restricting access to only Teams is not feasible, can we at least limit the downloading of company files to personal devices, similar to the restrictions available in web applications?

4 Replies

  • tlakshmanan
    Copper Contributor
    Hello kmann369,

    In the conditional access policy, it's not possible to exclusively scope the Teams application due to its service dependencies. You may need to include the dependent applications or services in the conditional access policy scope.

    For more information, please refer to: https://learn.microsoft.com/en-us/entra/identity/conditional-access/service-dependencies#policy-enforcement

    If you need to restrict the download of sensitive information, you can utilize conditional access app control within the session policy of the conditional access policy.

    Reference: https://learn.microsoft.com/en-us/defender-cloud-apps/use-case-proxy-block-session-aad.
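The session-control approach from the answer above, written as a Microsoft Graph request body for `POST /identity/conditionalAccess/policies`. This is an added example, not part of the original thread and not taken from the linked documentation. The display name, the pilot group placeholder, the browser-only scope and the report-only state are assumptions chosen for illustration. The policy targets the Office 365 app group (which includes Teams and its dependent services) and applies the built-in block-downloads session control only to devices that are neither compliant nor hybrid joined.

```json
{
  "displayName": "EXAMPLE (constructed): Office 365 - block downloads on unmanaged devices",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeGroups": ["<pilot-group-object-id-placeholder>"]
    },
    "applications": {
      "includeApplications": ["Office365"]
    },
    "clientAppTypes": ["browser"],
    "devices": {
      "deviceFilter": {
        "mode": "exclude",
        "rule": "device.isCompliant -eq True -or device.trustType -eq \"ServerAD\""
      }
    }
  },
  "sessionControls": {
    "cloudAppSecurity": {
      "isEnabled": true,
      "cloudAppSecurityType": "blockDownloads"
    }
  }
}
```

Starting in report-only state lets the sign-in logs show which sessions the policy would have matched before it is switched to `enabled`.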
  • TommiHeinix
    Copper Contributor

    kmann369 Hello,

     

    Your use case sounds similar to the one depicted in this guide https://learn.microsoft.com/en-us/microsoftteams/block-access-sharepoint. I assume that when you say "personal devices" you mean unmanaged devices.

     

    If the answer is helpful, please click "Accept Answer" and kindly upvote it.

    • kmann369
      Copper Contributor
      Thanks for the reply. Yes, I mean unmanaged devices. Currently we have a conditional access policy to only allow access to desktop O365 applications that are compliant and managed. I would like our users to be able to sign into the Teams desktop application on unmanaged devices, but I am having trouble doing so and limiting the ability to download company files to personal computers.
      • badcom
        Copper Contributor

        Were you able to allow access to Teams only?
