Forum Discussion
Allow MS Teams via Conditional Access but block other O365 Services
- Mar 27, 2024
Thank you very much for this detailed response. This is exactly what we are bumping into also. We have folks using Teams (as expected) - on many different devices but we obviously do not want to grant EXO access to any device - thus we are stuck with the CAR stuff which is a major shortcoming. We are exploring using a solution from Palo Alto - Prisma VPN - to ensure that our fleet of "compliant / trusted" devices can have secure access to EXO from anywhere. This feels beyond ridiculous but not sure we have any other options. Again - thank you for taking the time to detail a great response here.
This did not work. It appears there may be issues with applications being blocked that cannot be bypassed in the CA policy. I have a ticket escalated with MS support, and I will update as soon as we have a resolution.
Any luck with this?
- CyberChicken, Dec 10, 2024, Copper Contributor
I have found the best way to get this to work is by creating a trusted Named location with the public IPs for whatever locations you want to whitelist. In your Conditional Access policy, under Conditions > Locations > Exclude, add your Named location to Selected network and locations. I did try to use Filter for devices and used device IDs for that, but had intermittent issues with that method and decided to just allow devices from our corporate network, which is really locked down.
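The named-location exclusion described in the reply above, sketched with the Microsoft Graph PowerShell SDK. This is an added example, not part of any post in the thread. The IP ranges are constructed documentation ranges, the display names and the break-glass placeholder are hypothetical, and targeting Exchange Online by its well-known app ID and starting in report-only mode are assumptions.

```powershell
# Requires the Microsoft.Graph.Identity.SignIns module.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# Trusted named location. The CIDRs are constructed (RFC 5737 documentation
# ranges); replace them with the public egress IPs of the sites to allow.
$namedLocation = @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Corp egress (example)'      # hypothetical name
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/24' }
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '198.51.100.0/24' }
    )
}
$loc = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $namedLocation

# Placeholder: object ID of an emergency-access account to keep out of scope.
$breakGlassId = '<break-glass-account-object-id>'

# Block the target app from every location except the named location above
# (Conditions > Locations > Include: Any, Exclude: selected location).
$policy = @{
    displayName   = 'Block EXO outside corp egress (example)'   # hypothetical name
    state         = 'enabledForReportingButNotEnforced'         # report-only first
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        # Assumption: Office 365 Exchange Online, addressed by its app ID.
        applications   = @{ includeApplications = @('00000002-0000-0ff1-ce00-000000000000') }
        clientAppTypes = @('all')
        locations      = @{
            includeLocations = @('All')
            excludeLocations = @($loc.Id)
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm the exclusion points at the new location.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$check.Conditions.Locations.ExcludeLocations -contains $loc.Id
```

Leaving the policy in report-only state lets the sign-in logs show which Teams and Exchange Online sign-ins it would block before it is switched to `enabled`.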