Mar 30 2020 - last edited on Jul 24 2020
To access O365 apps like Outlook, Teams, OneDrive, SPO we require an enrolled and compliant Windows or iOS device. All external clients are Azure AD joined and Intune enrolled.
Now, we want to do an exception for Outlook web access. All computers (web browsers) should be able to access OWA from a non-enrolled computer with MFA. Restrictions for read-only according to the article Conditional Access in Outlook on the web for Exchange Online will be applied to prevent data leakage (but not yet configured).
It's not working as we want; we believe it used to work... If we except the O365 Exchange Online app in our Desktop Conditional Forward, web access is indeed accessible as we want. But then you can also use a mail client on a non-enrolled Windows 10 to access e-mail. Only web access should be allowed unless you have an AAD-joined and enrolled computer.
How do I fix this issue?
Conditional Access Rule
All users targeted (O365 emergency admin account excluded)
All Apps targeted (O365 Exchange Online excluded)
May 16 2020 03:49 PM - edited May 16 2020 03:49 PM
Maybe you want to try to build 2 conditional access policies:
1. for OWA (Browser) and maybe you will also have to add mobile apps and desktop clients - grant access with MFA or compliant device (require one of the selected controls)
2. block access for everything else except OWA (Browser) and desktop clients
Hope I could help you.
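The two-policy split suggested above, written out with the Microsoft Graph PowerShell SDK as an added example (not code from this thread). It assumes the existing all-apps "require compliant device" policy with Exchange Online excluded stays in place, that the Microsoft.Graph module is installed, and that the break-glass account object id is a placeholder you fill in.

```powershell
# Assumed: Microsoft.Graph SDK installed; the signed-in account may write CA policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Application.Read.All"

# Look up the Exchange Online cloud app instead of hard-coding its app id.
$exo = Get-MgServicePrincipal -Filter "displayName eq 'Office 365 Exchange Online'"
$breakGlassId = "<object id of the emergency admin account>"   # placeholder

# Policy 1: Outlook on the web (browser) from any device, as long as the sign-in
# satisfies MFA OR comes from a compliant device ("require one of the selected controls").
$owaPolicy = @{
    displayName   = "EXO - browser - MFA or compliant device"
    state         = "enabledForReportingButNotEnforced"   # start in report-only, then enable
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @($exo.AppId) }
        clientAppTypes = @("browser")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa", "compliantDevice") }
}

# Policy 2: every non-browser Exchange client (Outlook desktop, mobile apps, ActiveSync)
# still needs an Intune-compliant device. Simply excluding Exchange Online from the
# all-apps policy is what left these clients reachable from unenrolled Windows 10.
$richClientPolicy = @{
    displayName   = "EXO - rich clients - require compliant device"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @($exo.AppId) }
        clientAppTypes = @("mobileAppsAndDesktopClients", "exchangeActiveSync")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}
# Legacy-auth clients ("other") cannot satisfy a device-compliance control; if legacy
# authentication is still enabled, cover them with a separate policy that uses "block".

New-MgIdentityConditionalAccessPolicy -BodyParameter $owaPolicy
New-MgIdentityConditionalAccessPolicy -BodyParameter $richClientPolicy
```

Check the sign-in logs under report-only for a few days: a browser sign-in from an unenrolled PC should show policy 1 satisfied by MFA, while an Outlook desktop sign-in from the same PC should show policy 2 as "would fail".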