Forum Discussion
Allow MS Teams via Conditional Access but block other O365 Services
- Mar 27, 2024
Thank you very much for this detailed response. This is exactly what we are bumping into also. We have folks using Teams (as expected) - on many different devices but we obviously do not want to grant EXO access to any device - thus we are stuck with the CAR stuff which is a major shortcoming. We are exploring using a solution from Palo Alto - Prisma VPN - to ensure that our fleet of "compliant / trusted" devices can have secure access to EXO from anywhere. This feels beyond ridiculous but not sure we have any other options. Again - thank you for taking the time to detail a great response here.
I believe I am working on the same issue you are, and I believe I have found the answer. After working with MS support, I was instructed to block all apps except Office 365 Exchange Online and Office 365 SharePoint Online. After testing with this configuration, I found that users could not sign into Teams. This prompted me to do more research, and I found an article (see link and highlighted text below) that pointed out that Skype for Business Online is also a dependency for Teams. I have added this to the conditional access policy, but I have not been able to test it yet. I will follow up and let you know once this is done.
https://learn.microsoft.com/en-us/microsoftteams/security-compliance-overview#how-conditional-access-policies-work-for-teams
How Conditional Access policies work for Teams
Microsoft Teams relies heavily on Exchange Online, SharePoint, and Skype for Business Online for core productivity scenarios, like meetings, calendars, interop chats, and file sharing. Conditional access policies that are set for these cloud apps apply to Microsoft Teams when a user directly signs in to Microsoft Teams - on any client.
Microsoft Teams is supported separately as a cloud app in Microsoft Entra Conditional Access policies. Conditional access policies that are set for the Microsoft Teams cloud app apply to Microsoft Teams when a user signs in. However, without the correct policies on other apps like Exchange Online and SharePoint, users may still be able to access those resources directly. For more information about setting up a conditional access policy in the Azure portal, see https://learn.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal-get-started.
Microsoft Teams desktop clients for Windows and Mac support modern authentication. Modern authentication brings sign-in based on the Azure Active Directory Authentication Library (ADAL) to Microsoft Office client applications across platforms.
Microsoft Teams desktop application supports AppLocker. For more information about AppLocker prerequisites, see requirements to use https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.
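The dependency quoted above is easy to miss when reviewing a tenant's policies by hand. As an added example (not code from this thread or from Microsoft), the following Python audit reads Graph-shaped conditionalAccessPolicy objects and reports which enabled policies reach a Teams dependency, including policies that exclude Teams by name; the first-party application IDs and the sample policies are assumptions constructed for the example.

```python
# Well-known first-party application IDs (assumed correct; verify in your tenant).
TEAMS_APP_ID = "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe"
TEAMS_DEPENDENCIES = {
    "00000002-0000-0ff1-ce00-000000000000": "Office 365 Exchange Online",
    "00000003-0000-0ff1-ce00-000000000000": "Office 365 SharePoint Online",
    "00000004-0000-0ff1-ce00-000000000000": "Skype for Business Online",
}

def teams_impact(policy):
    """Names of Teams dependencies this policy's app scope reaches ('All' and excludes honoured)."""
    apps = policy.get("conditions", {}).get("applications", {})
    include = set(apps.get("includeApplications", []))
    exclude = set(apps.get("excludeApplications", []))
    if "All" in include:
        reached = set(TEAMS_DEPENDENCIES) - exclude
    else:
        reached = (include & set(TEAMS_DEPENDENCIES)) - exclude
    return sorted(TEAMS_DEPENDENCIES[a] for a in reached)

def audit(policies):
    """For each enabled policy, report Teams dependencies hit and whether Teams was excluded in vain."""
    findings = []
    for p in policies:
        if p.get("state") != "enabled":
            continue  # report-only or disabled policies do not affect sign-in
        deps = teams_impact(p)
        apps = p["conditions"]["applications"]
        teams_excluded = TEAMS_APP_ID in apps.get("excludeApplications", [])
        if deps:
            findings.append({
                "policy": p["displayName"],
                "reaches": deps,
                "teams_excluded_but_still_affected": teams_excluded,
            })
    return findings

# Constructed sample policies shaped like Graph API responses (not real tenant data).
SAMPLE_POLICIES = [
    {"displayName": "Block EXO on unmanaged devices", "state": "enabled",
     "conditions": {"applications": {
         "includeApplications": ["00000002-0000-0ff1-ce00-000000000000"],
         "excludeApplications": [TEAMS_APP_ID]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require compliant device everywhere", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"],
                                     "excludeApplications": [TEAMS_APP_ID]}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
    {"displayName": "Old draft", "state": "disabled",
     "conditions": {"applications": {"includeApplications": ["All"]}}},
]
```

Both enabled sample policies are reported: the first blocks Exchange Online, the second reaches all three dependencies, and in each the Teams exclusion changes nothing for a Teams sign-in that needs those resources.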
- swindisch, Mar 25, 2024, Copper Contributor
We are chasing the same issue. Did this work for you - allow Teams everywhere - but block EXO on non-trusted devices?
- CyberChicken, Mar 25, 2024, Copper Contributor
This did not work. It appears there may be issues with applications being blocked that cannot be bypassed in the CA policy. I have a ticket escalated with MS support, and I will update as soon as we have a resolution.
- badcom, Dec 07, 2024, Copper Contributor
Any luck with this?