Create Conditional Access Policy

%3CLINGO-SUB%20id%3D%22lingo-sub-3298040%22%20slang%3D%22es-ES%22%3ECreate%20Conditional%20Access%20Policy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3298040%22%20slang%3D%22es-ES%22%3E%3CP%3EHi%20Team.%20I%20have%20a%20doubt%2C%20I%20have%20assign%20MFA%20for%20Outlook%20and%20Teams%20clients%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20Conditional%20Access%20policy%2C%20Conditions%20-%20Device%20platforms%20-%20Select%20Windows.%3C%2FP%3E%3CP%3EIn%20Client%20Apps%20select%20Mobile%20apps%20and%20desktop%20clients.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20option%2C%20apply%20for%20Outlook%20and%20Teams%20clients%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOr%20exist%20other%20option%20for%20configure%20MFA%20in%20this%20clients%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegards%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%2C%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-3298040%22%20slang%3D%22es-ES%22%3E%3CLINGO-LABEL%3EConditional%20Access%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3298487%22%20slang%3D%22en-US%22%3ERe%3A%20Create%20Conditional%20Access%20Policy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3298487%22%20slang%3D%22en-US%22%3EHi.%20It%20sounds%20about%20right.%20Is%20the%20CA%20policy%20not%20working%20for%20you%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3299470%22%20slang%3D%22es-ES%22%3ERe%3A%20Create%20Conditional%20Access%20Policy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3299470%22%20slang%3D%22es-ES%22%3EIt%20only%20works%20in%20Teams%20client.%20In%20Outlook%20client%20not%20working.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3299488%22%20slang%3D%22en-US%22%3ERe%3A%20Create%20Conditional%20Access%20Policy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3299488%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F317797%22%20target%3D%22_blank%22%3E%40CarlosMorales%3C%2FA%3E%26nbsp%3B%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20is%20what%20I%20would%20do.%20Make%20sure%20you%20use%20Modern%20authentication.%3C%2FP%3E%3CP%3EThis%20is%20not%20ideal%20situation%20with%20Exchange%20Online%20App%2C%20but%20adding%20Device%20platfrom%20-%20Windows%2C%20Client%20apps%20-%20Mobile%20apps%20and%20Desktop%20clients%20plus%20enabling%20Modern%20authentication%20is%20the%20closest%20you%20can%20get.%3C%2FP%3E%3CP%3EI%20just%20tested%20in%20my%20environment%20and%20it%20will%20require%20MFA%20for%20Outlook%20client%20on%20Windows%20(if%20modern%20enabled)%2C%20it%20does%20not%20ask%20you%20for%20MFA%20on%20other%20devices.%20It%20will%20not%20require%20MFA%20in%20browsers.%26nbsp%3B%3C%2FP%3E%3CP%3EGood%20luck%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Adin_Calkic_0-1651336437953.png%22%20style%3D%22width%3A%20652px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F368218i8A7D64C5619732A6%2Fimage-dimensions%2F652x491%3Fv%3Dv2%22%20width%3D%22652%22%20height%3D%22491%22%20role%3D%22button%22%20title%3D%22Adin_Calkic_0-1651336437953.png%22%20alt%3D%22Adin_Calkic_0-1651336437953.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Adin_Calkic_1-1651336445474.png%22%20style%3D%22width%3A%20648px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F368219i16A2E8AA618CB76B%2Fimage-dimensions%2F648x290%3Fv%3Dv2%22%20width%3D%22648%22%20height%3D%22290%22%20role%3D%22button%22%20title%3D%22Adin_Calkic_1-1651336445474.png%22%20alt%3D%22Adin_Calkic_1-1651336445474.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Adin_Calkic_2-1651336451555.png%22%20style%3D%22width%3A%20654px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F368220i81CEF252CE2B26C5%2Fimage-dimensions%2F654x273%3Fv%3Dv2%22%20width%3D%22654%22%20height%3D%22273%22%20role%3D%22button%22%20title%3D%22Adin_Calkic_2-1651336451555.png%22%20alt%3D%22Adin_Calkic_2-1651336451555.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Adin_Calkic_3-1651336483130.png%22%20style%3D%22width%3A%20404px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F368221iB8B81C7645193324%2Fimage-dimensions%2F404x878%3Fv%3Dv2%22%20width%3D%22404%22%20height%3D%22878%22%20role%3D%22button%22%20title%3D%22Adin_Calkic_3-1651336483130.png%22%20alt%3D%22Adin_Calkic_3-1651336483130.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPlease%20see%20below%2C%20testing%20environment%20with%20the%20policy%20from%20above.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22outlook%20client%20vs%20web.gif%22%20style%3D%22width%3A%20934px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F368287iA0D91144223B1ED6%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22outlook%20client%20vs%20web.gif%22%20alt%3D%22outlook%20client%20vs%20web.gif%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3299560%22%20slang%3D%22en-US%22%3ERe%3A%20Create%20Conditional%20Access%20Policy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3299560%22%20slang%3D%22en-US%22%3EHave%20you%20tried%20running%20your%20scenario%20against%20the%20whatif%20tool%3F%20Also%2C%20you%20can%20look%20at%20sign-in%20logs%20to%20verify%20if%20you%20have%20configured%20the%20right%20CA%20parameters%20or%20not.%3C%2FLINGO-BODY%3E
Contributor

Hi Team. I have a doubt, I have assign MFA for Outlook and Teams clients?

 

In Conditional Access policy, Conditions - Device platforms - Select Windows.

In Client Apps select Mobile apps and desktop clients.

 

This option, apply for Outlook and Teams clients?

 

Or exist other option for configure MFA in this clients?

 

Regards,

 

Thanks, 

16 Replies
Hi. It sounds about right. Is the CA policy not working for you?
It only works in Teams client. In Outlook client not working.

Hi @CarlosMorales ,

 

This is what I would do. Make sure you use Modern authentication.

This is not ideal situation with Exchange Online App, but adding Device platfrom - Windows, Client apps - Mobile apps and Desktop clients plus enabling Modern authentication is the closest you can get.

I just tested in my environment and it will require MFA for Outlook client on Windows (if modern enabled), it does not ask you for MFA on other devices. It will not require MFA in browsers. 

Good luck

 

Adin_Calkic_0-1651336437953.png

Adin_Calkic_1-1651336445474.png

Adin_Calkic_2-1651336451555.png

Adin_Calkic_3-1651336483130.png

 

Please see below, testing environment with the policy from above.

 

outlook client vs web.gif

Have you tried running your scenario against the whatif tool? Also, you can look at sign-in logs to verify if you have configured the right CA parameters or not.
Hello Carlos,
As far as I know, Office 365 Exchange Online is NOT Outlook Client.
It is related to access to Outlook via a web browser (Chrome, Edge, etc.).
https://techcommunity.microsoft.com/t5/outlook-blog/conditional-access-in-outlook-on-the-web-for-exc...

Hi @mikhailf ,

 

Thanks for the contribution. That is the main reason I excluded Browser. I just update behavior from the test environment. 

 

Adin_Calkic_0-1651401997867.png

 

So please, check the rahuljindal-MVP comment.
It makes sense to check the What If feature and Azure AD Sign-in logs.
In addition to that, have you tried to log in to Outlook web using web browser? I wonder if you get an MFA there.

Hi @mikhailf ,

see below logging into web Outlook. No MFA. 

 

Adin_Calkic_0-1651409715593.gif

 

Hi Adin. I really appreciate your answer.
I have configured the policy as you explain, the results:
Outlook web doest not request MFA.
Teams Client if you request MFA.
Outlook client does not request MFA, not working.

Thanks,

Hi @CarlosMorales ,

thanks for the reply.

 

Keep in mind that in this particular setup, you have to disable Legacy authentication and enable Modern authentication.

 

You can accomplish this by additional additional Conditional Access. see below. 

Also you can do this by disabling Basic authentication from Admin center. 

 

Adin_Calkic_0-1651422902424.png

 

Hi Mikhalif.
This is correct, with Exchange Online policy does not work. I remove Exchange Online and select Office 365 but the policy does not working with Outlook client only working with Teams Client.
Hi Mikhailf.
For test policy I add Browser in Client apps and the policy works in Outlook Web, but my request is for Outlook Client.
Hi.
For block legacy authentication select all options:
Outlook client, Exchange ActiveSync, Autodiscover, IMAP4, POP3, Authenticated SMTP and Exchange Online PowerShell?

Thanks

Hi @CarlosMorales ,

 

you can uncheck everything but I would suggest also creating a CA policy and block legacy. 

 

If you decide to uncheck from Admin portal - see below my environment. 

 

Adin_Calkic_0-1651441266916.png

 

If you decide to do CA policy, you can Assign to test user, Cloud apps to All Cloud Apps, and Conditions under Client apps set to Yes, and check both under Legacy authentication clients. Under Grant set to Block.

 

Good luck. Make sure your Outlook client is the latest version to support Modern authentication. You can read about it here - Modern Authentication configuration requirements for transition - Exchange | Microsoft Docs

 

Adin_Calkic_1-1651441356569.png

 

 

Hi @Adin_Calkic 

 

Perform both settings: block legacy authentication and create CA policy.
Cannot working MFA in Outlook Client, the client version is 2203 Build 15028.20204

 

CarlosMorales_0-1651506188629.png

 

CarlosMorales_2-1651506672668.png

 

 

Hi @CarlosMorales ,

 

check here on how to force modern authentication for Outlook client. You can set in registry. 

Modern Authentication configuration requirements for transition - Exchange | Microsoft Docs