Conditional Access rule for Outlook Web exception


Hi,

To access O365 apps like Outlook, Teams, OneDrive, SPO we require an enrolled and compliant Windows or iOS device. All external clients are Azure AD joined and Intune enrolled.

Now, we want to do an exception for Outlook web access. All computers (web browsers) should be able to access OWA from a non-enrolled computer with MFA. Restrictions for read-only according to the article Conditional Access in Outlook on the web for Exchange Online (https://techcommunity.microsoft.com/t5/outlook-blog/conditional-access-in-outlook-on-the-web-for-exchange-online/ba-p/267069) will be applied to prevent data leakage (but not yet configured).

It's not working as we want; we believe it used to work... If we except the O365 Exchange Online app in our Desktop Conditional Forward, web access is indeed accessible as we want. But then you can also use a mail client on a non-enrolled Windows 10 to access e-mail. Only web access should be allowed unless you have an AAD-joined and enrolled computer.

How do I fix this issue?

Thanks
/B

Conditional Access Rule

All users targeted (O365 emergency admin account excluded)
All Apps targeted (O365 Exchange Online excluded)
Client Apps: (screenshot: ca-clientapps.png)
Grant: (screenshot: ca-grant.png)


1 Reply

Hi,
You may want to try to build 2 conditional access policies:
1. for OWA (Browser) and maybe you will also have to add mobile apps and desktop clients - grant access with MFA or compliant device (require one of the selected controls)
2. block access for everything else except OWA (Browser) and desktop clients

Hope I could help you.
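The gap the original poster describes (excluding Exchange Online from the device-compliance policy opens it to desktop mail clients on unenrolled machines as well as to browsers) and the split-policy design the reply suggests can both be checked with a small policy-evaluation model. The following is an added example, not code from the thread or from Microsoft: policies are written in the shape of the Microsoft Graph conditionalAccessPolicy resource (users, applications, clientAppTypes, grantControls), the Exchange Online and SharePoint Online app ids are Microsoft's first-party ids as shown in the Conditional Access cloud-apps picker (verify against your tenant), the emergency-account id is a placeholder, and the evaluation rules are a simplified model of the documented behaviour (every matching policy applies, block wins, otherwise each policy's grant controls must be met).

```python
"""Policy-evaluation model for the Conditional Access question in this thread."""

# Constructed for this example: first-party Office 365 app ids as shown in the
# Conditional Access "Cloud apps" picker (verify against your own tenant), and a
# placeholder object id for the emergency-access account.
EXO = "00000002-0000-0ff1-ce00-000000000000"   # Office 365 Exchange Online
SPO = "00000003-0000-0ff1-ce00-000000000000"   # Office 365 SharePoint Online
BREAK_GLASS = "PLACEHOLDER-emergency-admin-object-id"


def policy(name, client_app_types, include_apps, exclude_apps, controls, operator="OR"):
    """Build a policy in the shape of the Graph conditionalAccessPolicy resource."""
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS]},
            "applications": {"includeApplications": include_apps,
                             "excludeApplications": exclude_apps},
            "clientAppTypes": client_app_types,
        },
        "grantControls": {"operator": operator, "builtInControls": controls},
    }


def signin(app, client_app_type, user="alice", mfa=False, compliant_device=False):
    """A sign-in attempt as the policy engine would see it (constructed input)."""
    return {"user": user, "app": app, "client_app_type": client_app_type,
            "mfa": mfa, "compliant_device": compliant_device}


def applies(pol, attempt):
    """Does this policy's assignment (users, apps, client app type) cover the attempt?"""
    c = pol["conditions"]
    users, apps = c["users"], c["applications"]
    if attempt["user"] in users["excludeUsers"]:
        return False
    if "All" not in users["includeUsers"] and attempt["user"] not in users["includeUsers"]:
        return False
    if attempt["app"] in apps["excludeApplications"]:
        return False
    if "All" not in apps["includeApplications"] and attempt["app"] not in apps["includeApplications"]:
        return False
    return attempt["client_app_type"] in c["clientAppTypes"]


def evaluate(policies, attempt):
    """Simplified model of the documented rules: every matching enabled policy applies,
    'block' wins outright, otherwise each policy's grant controls must be met
    (operator OR = any control, AND = all). No matching policy means access is granted."""
    matched = [p for p in policies if p["state"] == "enabled" and applies(p, attempt)]
    if any("block" in p["grantControls"]["builtInControls"] for p in matched):
        return "blocked"
    met = {"mfa": attempt["mfa"], "compliantDevice": attempt["compliant_device"]}
    for p in matched:
        g = p["grantControls"]
        results = [met[ctl] for ctl in g["builtInControls"]]
        if not (any(results) if g["operator"] == "OR" else all(results)):
            return "denied"
    return "granted"


# The poster's current design: one device-compliance policy over all apps with
# Exchange Online excluded for *every* client type, plus an MFA rule for OWA
# (the MFA rule is an assumption; the thread does not show it).
CURRENT = [
    policy("Require compliant device (all apps, EXO excluded)",
           ["browser", "mobileAppsAndDesktopClients"], ["All"], [EXO], ["compliantDevice"]),
    policy("OWA: require MFA", ["browser"], [EXO], [], ["mfa"]),
]

# The fix: scope the Exchange Online exclusion to the browser only, keep desktop and
# mobile clients under the compliance requirement for every app, let OWA in with
# MFA *or* a compliant device, and block the remaining client types outright.
FIXED = [
    policy("Browser: compliant device (all apps except EXO)",
           ["browser"], ["All"], [EXO], ["compliantDevice"]),
    policy("Desktop/mobile apps: compliant device (all apps)",
           ["mobileAppsAndDesktopClients"], ["All"], [], ["compliantDevice"]),
    policy("OWA: MFA or compliant device", ["browser"], [EXO], [], ["mfa", "compliantDevice"]),
    policy("Block EAS and legacy clients", ["exchangeActiveSync", "other"], ["All"], [], ["block"]),
]

if __name__ == "__main__":
    gap = signin(EXO, "mobileAppsAndDesktopClients", mfa=True)  # Outlook on an unenrolled PC
    print("current:", evaluate(CURRENT, gap))   # granted  <- the leak the poster describes
    print("fixed:  ", evaluate(FIXED, gap))     # denied
```

The point the model makes explicit is that an app exclusion in Conditional Access is not scoped by client type: once Exchange Online is excluded from the compliance policy, no policy covers a desktop Outlook client on an unenrolled machine, and "no matching policy" means access is granted. Splitting the policy by clientAppTypes keeps the exclusion on the browser only. Before enforcing such a set in a real tenant, create the policies in report-only mode (`state` = `enabledForReportingButNotEnforced`) and compare the sign-in log results against the scenarios above.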