An update to Azure AD Conditional Access for Office.com

First published on CloudBlogs on Aug, 04 2017
Howdy folks, Today I'm writing to provide some background about a change in how conditional access policies will soon be enforced when users access Office.com. Notifications about this change have been sent out, but several of you have asked for additional details.

What's changed?

On August 24 th , a change will roll out that requires users to satisfy any policies set on Exchange Online and SharePoint Online when accessing Office.com. For example, if a policy requiring multi-factor authentication (MFA) or a compliant device has been applied to SharePoint or Exchange, this policy will also apply to users signing into Office.com.


This change addresses feedback we've gotten from customers who have noticed that some features break in Office.com when a policy is applied to Exchange or SharePoint. These include searching for documents and email, loading your customizations in the app launcher, creating new documents, and viewing your calendar. These features access Exchange and SharePoint data, so they're subject to Exchange and SharePoint policies. By requiring users to satisfy these policies when they access Office.com users will have access to Exchange and SharePoint data, so these features will continue to work.

What else do I need to know?

  • Any policies that have been applied to Exchange and SharePoint browser access will apply.
  • Policies set specifically for mobile and desktop applications will be skipped since Office.com is accessed through the browser. This applies to conditional access policies set through the Azure Management Portal, the "Classic" Azure Portal, and the Intune management portal.
  • Policies set using Office 365 MDM will not apply since they are targeted for mobile apps.
  • If a policy is set for Exchange and SharePoint, both policies will take effect when Office.com is accessed.

The impact

The main impact will be to users who use Office.com but have not already satisfied SharePoint and Exchange policies. In these cases, they can take the steps to satisfy policy or, in cases in which this is not an option, where users are attempting to access Office.com to install Office applications, they can do so from https://aka.ms/office-install . Overall, we believe this will improve the end-user experience on Office.com by keeping it consistent no matter how users are accessing the page. But we want to hear directly from you about how this change has impacted your users' experience, so keep sharing your feedback with us! Best regards, Alex Simons (Twitter: @Alex_A_Simons ) Director of Program Management Microsoft Identity Division