Forum Discussion
JuanRojasCampos (Copper Contributor)
Oct 03, 2024
Blocking Personal Outlook and Gmail Accounts on Corporate Device
Hello Community,
In my organization, we use the Microsoft 365 environment. We have a hybrid infrastructure, but we aim to deploy as many policies as possible through Microsoft 365 (Intune, Purview, Defender, etc.). One of our goals is to limit the use of corporate devices for personal purposes.
We use Outlook as our corporate email service, and we would like to block employees from signing into their personal email accounts (either via web or desktop application).
Additionally, we would like to block access to other email services, such as Gmail, both via web and desktop apps.
Could you provide guidance on how to achieve this?
I would greatly appreciate any help or suggestions.
Thank you very much!
Juan Rojas
- vicwingsing (Brass Contributor)
Hi Juan,
You can do this in many ways; here's how I would do it:
- Conditional Access policies through Microsoft Entra can block personal email services. https://learn.microsoft.com/fi-fi/appcenter/general/configuring-aad-conditional-access
- Another way is using Defender for Cloud Apps to basically do the same. You create an access policy where if users try to access sites such as gmail.com > then block: https://learn.microsoft.com/en-us/defender-cloud-apps/control-cloud-apps-with-policies
- Lastly, you can use Purview DLP and Endpoint DLP. Create a policy so that when a user attempts to go to a site such as gmail.com and tries to upload data > the policy kicks in and blocks them: https://learn.microsoft.com/en-us/purview/endpoint-dlp-using?tabs=purview
- mitrastoremdm (Copper Contributor)
I am not sure how either of the above solutions will block access to Hotmail or Outlook.com.
- Conditional Access policy: may I know what conditions you will use to block personal email using a Conditional Access policy?
- What app will you use for Hotmail or Outlook.com in your access policy?
- Could you please tell me the configuration for the DLP or Purview policy?
- vicwingsing (Brass Contributor)
In Entra, you use the Web Content filtering policy (see below) > You will need to create a new policy (my demo account does not have it) this is the guide: https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-configure-web-content-filtering
Then you can add the domains that you'd like to block within the rules.
For Microsoft Purview, it's more about blocking sensitive data from being uploaded/used in specific cloud domains; think of it as an extra measure to ensure that your users will not be able to upload to Hotmail or Gmail. https://learn.microsoft.com/en-us/purview/endpoint-dlp-using?tabs=purview#scenario-3-modify-the-existing-policy-block-the-action-with-allow-override