Lastsight2018
Copper Contributor
Jan 07, 2022

Allow Teams Desktop App on non-compliant devices with no download but block everything else

For ease of joining meetings and the fact that Teams does not sync any data locally, I would like a way to only allow MS Teams desktop App on non-compliant devices/personal devices (with no option to download) but block all other 365 desktop apps. 

What I've already tried:

  1. For non-compliant workstations, block M365 desktop apps but only allow their corresponding M365 web apps with no option to download any files - This works fine in all the apps (conditional access with an MCAS policy); Outlook on the web, Teams Web, SharePoint online, OneDrive online. 
  2. For non-compliant workstations, a conditional access policy targeting all cloud apps (or Office 365) and excluding MS Teams; conditions are as follows: Client apps: desktops and mobile clients, device platform: Windows and macOS. Grant: allow but require device to be compliant. The result of this is that MS Teams gets blocked by this conditional access (CA) policy on non-compliant devices even though it's been excluded from the conditional access policy. I read that it's because of SharePoint and Exchange. 

How can I get #2 to work? Please help.

 
