Forum Discussion
JuanRojasCampos
Oct 03, 2024 · Copper Contributor
Blocking Personal Outlook and Gmail Accounts on Corporate Device
Hello Community,
In my organization, we use the Microsoft 365 environment. We have a hybrid infrastructure, but we aim to deploy as many policies as possible through Microsoft 365 (Intune, Purview, Defender, etc.). One of our goals is to limit the use of corporate devices for personal purposes.
We use Outlook as our corporate email service, and we would like to block employees from signing into their personal email accounts (either via web or desktop application).
Additionally, we would like to block access to other email services, such as Gmail, both via web and desktop apps.
Could you provide guidance on how to achieve this?
I would greatly appreciate any help or suggestions.
Thank you very much!
Juan Rojas
- yhl (Copper Contributor)
Hi Juan,
Using Defender for Cloud Apps will give you the ability to block "apps", or essentially websites. This is done through the cloud app catalog, where you can choose to mark that app as blocked.
Or, if you want to do so manually, you can use Defender for Endpoint and set up web content filtering policies. This is essentially what Defender for Cloud Apps does for you too, except that they have collected all the necessary URLs to be blocked instead of you trying to find them one by one.
I implemented this for our corporate devices; we blocked any sites or services that could be used for data exfiltration. Of course, this isn't the only place we put in controls to prevent data leakage, and as others mentioned, DLP is also used, and a network firewall is also used, among others.
Good luck with your implementation.
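One way to express the per-domain blocking described in this reply as code. This is an added example, not code from the thread or from Microsoft: a Python script that builds Defender for Endpoint custom-indicator payloads for a constructed list of personal-webmail domains and can post them to the documented indicators endpoint. The domain list, the title and description text, and the device-group name are assumptions; the `rbacGroupNames` field is the documented way to scope an indicator to specific device groups instead of every device, which is the exclusion case raised later in the thread.

```python
"""Build Defender for Endpoint custom-indicator block rules for personal webmail
domains.  Added example, not from the thread.  Assumes the documented
Defender for Endpoint indicators API (POST .../api/indicators) and that the
caller already holds a bearer token with the Ti.ReadWrite permission."""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Documented endpoint of the Defender for Endpoint indicators API.
INDICATORS_URL = "https://api.securitycenter.microsoft.com/api/indicators"

# Constructed sample list (assumption): the personal mail domains this thread wants blocked.
PERSONAL_MAIL_DOMAINS = [
    "gmail.com",
    "mail.google.com",
    "outlook.live.com",
    "hotmail.com",
]


def build_indicator(domain, action="Block", days_valid=None, rbac_groups=None):
    """Return one indicator payload in the shape the indicators API documents.

    action: "Block" denies the connection; "Warn" shows a bypassable warning.
    days_valid: optional lifetime; omitted means the indicator does not expire.
    rbac_groups: device-group names the indicator applies to; empty means all devices.
    """
    domain = domain.strip().lower()
    # DomainName indicators take a bare host name, not a URL or a path.
    if not domain or "/" in domain or " " in domain or ":" in domain:
        raise ValueError(f"not a bare domain: {domain!r}")
    body = {
        "indicatorValue": domain,
        "indicatorType": "DomainName",
        "action": action,
        "title": f"Block personal webmail: {domain}",           # assumed wording
        "description": "Corporate devices are not for personal email",  # assumed wording
        "severity": "Informational",
        "generateAlert": False,  # a policy block, not a security incident
    }
    if days_valid is not None:
        expires = datetime.now(timezone.utc) + timedelta(days=days_valid)
        body["expirationTime"] = expires.strftime("%Y-%m-%dT%H:%M:%SZ")
    if rbac_groups:
        # Scopes the block to named device groups, so a group of test devices
        # that legitimately needs Gmail can simply be left out of the list.
        body["rbacGroupNames"] = list(rbac_groups)
    return body


def build_all(domains, **kwargs):
    """Build one payload per distinct domain, ignoring case and duplicates."""
    seen, payloads = set(), []
    for raw in domains:
        domain = raw.strip().lower()
        if domain in seen:
            continue
        seen.add(domain)
        payloads.append(build_indicator(domain, **kwargs))
    return payloads


def submit(indicator, token):
    """POST one indicator; returns the API's JSON response.  Needs network access."""
    request = urllib.request.Request(
        INDICATORS_URL,
        data=json.dumps(indicator).encode("utf-8"),
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
        method="POST",
    )
    with urllib.request.urlopen(request) as response:
        return json.load(response)


if __name__ == "__main__":
    # Dry run: print the payloads that would be submitted.  "Standard workstations"
    # is an assumed device-group name; create your own under Settings > Endpoints.
    for payload in build_all(PERSONAL_MAIL_DOMAINS, rbac_groups=["Standard workstations"]):
        print(json.dumps(payload, indent=2))
```

Run it without a token to review the payloads first; only call `submit()` once the domain list and device-group scoping look right, since a `Block` indicator takes effect on every device in the named groups as soon as it is accepted.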
- shashankm (Copper Contributor)
Is there a way to exclude certain users or devices? Some users need access to Gmail for testing purposes, but I haven’t been able to implement this policy successfully. I tried using a CA policy, but it doesn’t seem to work for some reason.
- yhl (Copper Contributor)
Yes, you need to first set up device groups under Defender portal > Settings > Endpoints.
Then set up app scoped profiles under Defender portal > Settings > Cloud Apps > App tags > Scoped profiles.
In a scoped profile, you basically pick which device group goes into which scoped profile. You will need to design it a bit, but my experience is that the more profiles/groups you create, the higher the chance that it will become messy, so try to limit it to 3 main groups (all unblocked, some blocked, all blocked).
Once that is set up, you will be able to select which app is blocked using the scoped profile instead of blocking it for all devices.
By default, there is already 1 scoped profile that covers every device.
- vicwingsing (Iron Contributor)
Hi Juan,
You can do this in many ways, here's how I would do it:
- Conditional Access policies through Microsoft Entra can block personal email services. https://learn.microsoft.com/fi-fi/appcenter/general/configuring-aad-conditional-access
- Another way is using Defender for Cloud Apps to basically do the same. You create an access policy where, if users try to access sites such as gmail.com, then block: https://learn.microsoft.com/en-us/defender-cloud-apps/control-cloud-apps-with-policies
- Lastly, you can use Purview DLP and Endpoint DLP. Create a policy so that when a user attempts to go to a site such as gmail.com and tries to upload data, the policy kicks in and blocks them: https://learn.microsoft.com/en-us/purview/endpoint-dlp-using?tabs=purview
- mitrastoremdm (Copper Contributor)
I am not sure how either of the above solutions will block access to Hotmail or Outlook.com.
- Conditional Access policy - May I know what conditions you will use to block personal email using a Conditional Access policy?
- What app will you use for Hotmail or Outlook.com in your access policy?
- Please, if you can, tell me the configuration for the DLP or Purview policy?
- vicwingsing (Iron Contributor)
In Entra, you use the Web content filtering policy (see below) > You will need to create a new policy (my demo account does not have it); this is the guide: https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-configure-web-content-filtering
Then you can add the domains that you'd like to block within the rules.
For Microsoft Purview, it's more about blocking sensitive data from being uploaded/used in specific cloud domains; think of it as an extra measure to ensure that your users will not be able to upload to Hotmail or Gmail. https://learn.microsoft.com/en-us/purview/endpoint-dlp-using?tabs=purview#scenario-3-modify-the-existing-policy-block-the-action-with-allow-override