Forum Discussion
Allow MS Teams via Conditional Access but block other O365 Services
This did not work. It appears there may be issues with applications being blocked that cannot be bypassed in the CA policy. I have a ticket escalated with MS support, and I will update as soon as we have a resolution.
- badcom, Dec 07, 2024, Copper Contributor
Any luck with this?
- CyberChicken, Dec 10, 2024, Copper Contributor
I have found the best way to get this to work is by creating a trusted Named location with the public IPs for whatever locations you want to whitelist. In your Conditional Access policy, Conditions > Locations > Exclude, add your Named location to Selected networks and locations. I did try to use Filter for devices and used device IDs for that, but had intermittent issues with that method and decided to just allow devices from our corporate network, which is really locked down.
- CyberChicken, Mar 26, 2024, Copper Contributor
This is the answer I received from MS, but I told them where they could stick it and asked for an actual solution to this problem. I will let you know when I hear back.
OK, I got a response from them; they told me exactly what I told you: it is expected for Teams to request a token from Graph, and as a client, the application will only request the token for the service, not allowing us to exclude it from these requests.
MS Graph can only be excluded with Application Filters, but this will affect other apps that request access to MS Graph, and practically everything that needs to evaluate user information from Entra will use Graph.
They have seen many cases attempting this, but it cannot be completely isolated; the option that was given before was to block O365 and exclude the dependencies, and block any other needed application.
The issue with an "All Apps" Conditional Access is that it will not be based on the applications but on the base of the Entra Service, so it blocks literally everything, so the usage is more recommended for blocking types of devices, authentication protocols, locations, etc., but not for isolating applications, and less so client applications that cannot be targeted.
I asked for another service or option, as this option is not what we were looking for, and they told me that there is none; access to the applications can be blocked per app, but general blockages must be done with Conditional Access, as they are our general authentication policies.
Practically, right now we are limited, and more so if it's with Teams, because according to what they told me, the reason it has too many dependencies is because it's constantly updated with features that depend on other services, so we might block everything and exclude the dependencies, and in the future there might be a new feature that will add a new dependency, blocking the application based on the policy.
Best Regards
XXXXXXXX
Support Engineer | Azure Identity POD Support
- swindisch, Mar 27, 2024, Copper Contributor
Thank you very much for this detailed response. This is exactly what we are bumping into also. We have folks using Teams (as expected) on many different devices, but we obviously do not want to grant EXO access to any device; thus we are stuck with the CAR stuff, which is a major shortcoming. We are exploring using a solution from Palo Alto, Prisma VPN, to ensure that our fleet of "compliant / trusted" devices can have secure access to EXO from anywhere. This feels beyond ridiculous, but not sure we have any other options. Again, thank you for taking the time to detail a great response here.
- CyberChicken, Mar 27, 2024, Copper Contributor
Ok, so I have not gotten another response from MS yet, but I did find this video that appears to be the answer. I have changed some configuration, but I have not tested yet. I am going to attempt to add a Condition, Filter for devices, and add exceptions for all of the registered Android devices. You may need to add them to all of the unsupported CA policies that may conflict with Android and Intune. It is all outlined in the video, though.
https://www.youtube.com/watch?v=uTQR_YuWZag
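The two approaches discussed in this thread (a trusted Named location excluded from a block policy, and a device filter excluding specific registered device IDs) can be expressed with the Microsoft Graph PowerShell SDK. The script below is an added example written for this thread; it is not code from any poster or from Microsoft support. It assumes the Microsoft.Graph module is installed and a Global Administrator or Conditional Access Administrator signs in. The CIDR ranges, device IDs and the Teams application ID are placeholders to replace with your own values. The policy is created in report-only state, so the sign-in logs show what it would have blocked (including the Graph token requests Teams makes, which the support reply says cannot be isolated) before anything is enforced.

```powershell
# Added example (not from this thread or from Microsoft): build the Named location
# and the blocking Conditional Access policy with the Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; all IPs, device IDs and the
# Teams app ID below are placeholders.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. Trusted Named location built from the corporate egress IPs.
#    The CIDRs are documentation ranges (TEST-NET), replace with real egress IPs.
$locationBody = @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate egress (placeholder)"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "198.51.100.0/24" }
    )
}
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $locationBody

# 2. Registered device IDs that should keep access when off the corporate network
#    (placeholder GUIDs; take the real values from Entra > Devices).
$allowedDeviceIds = @(
    "00000000-0000-0000-0000-000000000001",
    "00000000-0000-0000-0000-000000000002"
)
# Device filter rule syntax: device.deviceId -in ["guid1","guid2"]
$deviceRule = 'device.deviceId -in ["' + ($allowedDeviceIds -join '","') + '"]'

# Placeholder: look up the Microsoft Teams application ID under
# Entra > Enterprise applications and paste it here.
$teamsAppId = "<Microsoft Teams app ID>"

# 3. Block the Office 365 app group, excluding Teams, except
#    (a) from the trusted location and (b) on the listed devices.
#    Report-only state: nothing is enforced; review Sign-in logs > Report-only.
$policyBody = @{
    displayName = "Block O365 except Teams - trusted location/devices (report-only)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All") }
        applications = @{
            includeApplications = @("Office365")
            excludeApplications = @($teamsAppId)
        }
        locations = @{
            includeLocations = @("All")
            excludeLocations = @($location.Id)
        }
        devices = @{
            deviceFilter = @{ mode = "exclude"; rule = $deviceRule }
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyBody

"Created report-only policy $($policy.Id). Check the report-only results in the" +
" sign-in logs for Teams clients before switching state to 'enabled'."
```

Leave the policy in report-only mode for a few days and look at the Teams sign-ins from off-network, non-excluded devices: if the report shows Microsoft Graph token requests that would have been blocked, that is the dependency the support engineer described, and it is the reason CyberChicken's earlier device-filter attempt gave intermittent results. Excluding more device IDs or widening the Named location only changes who the block applies to, not that dependency.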