MarkusDi
Brass Contributor
Feb 16, 2021

Block Outlook-Client on unmanaged Win10

Hi All,

 

My customer wants to block the Outlook-Client on unmanaged Win10-Devices (private PCs), but the Teams-Client should work.

I've done some testing with Conditional Access, MCAS and App-Protection-Policies. But either the Outlook-Client AND the Teams-Client were blocked, or only the Teams-Client was blocked and with the Outlook-Client I got a connection to EXO.

Browser only is not an option for my customer.

Any ideas about this question?

 

Regards,

Markus

  • MarkusDi
    Feb 22, 2021

    Now we use Windows Virtual Desktop and block private devices completely.

     

    Thanks for your help.

     

    Best regards,

    Markus

  • Hello MarkusDi 

     

    I recommend that you use a Conditional Access policy and set it up to block non-compliant and non-Hybrid Azure AD joined devices. Please note that you would need an Exchange Online authentication policy to strictly forbid legacy authentication apps to connect. Legacy Authentication does not care for Conditional Access policies. See: "Disable Basic authentication in Exchange Online" (Microsoft Docs).

     

     

    //Nicklas Ahlberg

     

    https://www.nicklasahlberg.se 

     

    • MarkusDi
      Brass Contributor

      Hello NicklasAhlberg 

      This policy would block unmanaged devices completely.

      But they should be able to use the Teams-Client on unmanaged devices. "Only" the use of the Outlook-Client should be restricted...

       

      Regards,

      Markus

      • NicklasAhlberg
        Brass Contributor

        MarkusDi 

         

        You could try to just block the Exchange Online app, but I am sure it will probably interfere with some Teams, OneDrive and SPO functionality. In this case I would use MAM to deploy an MS Edge policy.

         

  • MukeshKT
    Copper Contributor

    MarkusDi Is there a way to get a report for access to EXO using Outlook (or other rich client) from non-managed devices?

    • MarkusDi
      Brass Contributor

      MukeshKT you can use AAD Sign In Logs for more information. If you redirect these logs to Log-Analytics you can then use KQL to manually generate a report and / or to generate an alert rule.
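
A sketch of the kind of KQL report described in the last reply, added here as an example and not written by any poster in the thread. It assumes the Azure AD sign-in logs are routed to the Log Analytics `SigninLogs` table; the resource name filter, the Windows-only filter and the 30-day window are assumptions to verify and adjust per tenant.

```kql
// Added example: successful non-browser sign-ins to Exchange Online
// from Windows devices that are neither managed nor compliant.
SigninLogs
| where TimeGenerated > ago(30d)                      // assumed reporting window
| where ResultType == "0"                             // successful sign-ins only
| where ResourceDisplayName == "Office 365 Exchange Online"   // assumed resource name, confirm in your tenant
| where ClientAppUsed != "Browser"                    // rich clients and legacy protocols
// DeviceDetail is dynamic in most workspaces; the round trip also handles a string column
| extend Device = parse_json(tostring(DeviceDetail))
| extend OS          = tostring(Device.operatingSystem),
         TrustType   = tostring(Device.trustType),
         // empty or missing values are treated as "not managed" / "not compliant"
         IsManaged   = coalesce(tobool(Device.isManaged), false),
         IsCompliant = coalesce(tobool(Device.isCompliant), false)
| where OS startswith "Windows"
| where IsManaged == false and IsCompliant == false
| summarize SignIns   = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            ClientApps = make_set(ClientAppUsed),
            Apps       = make_set(AppDisplayName)
          by UserPrincipalName, OS, TrustType
| order by SignIns desc
```

Saved as a scheduled query rule with a threshold on the row count, the same query can drive the alert rule mentioned above.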