Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Block Access from private Devices to Microsoft Apps.

Copper Contributor

Hello,

i got a question:

We are planning to Buy Microsoft 365 Business Premium and Microsoft 365 Business Standard + Intune Device License.

My problem is that our Company doesn´t want to have Access to Mail/Onedrive/Microsoft Applications ... on private Devices.
How can i block the Access? The Devices will be Managed by Intune, Win10 Pro, IOS and maybe some Samsung Galaxy´s.

Is There an option to only allow managed devises to Access Microsoft Data? And Do i need some additional Lisense?

 

Best Regards,

 

Phil

 

 

4 Replies

@RauschNauti Hi, as far as I understand from the service description for M365 Business Premium you should be all set with the licenses (CA and Intune). There are a lot of experts in the community on MDM/MAM so you'll probably get additional answers but yes, you can achieve what you want. I'd like to direct you to the docs for guidance so maybe start here?

 

https://docs.microsoft.com/en-us/mem/intune/fundamentals/what-is-intune

 

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/require-managed-devices

@ChristianBergstrom 

Hi and Thanks, 

 

i think i can block the access to Cloud apps. But can i also block the Access on iOS Mail-App or installed Outlook Client on a PC, which is not registered in Intune/Azre?

 

Best Regards :)

@RauschNauti Hello! As mentioned I usually don't configure these settings, but see the tutorial and the other link for step-by-step guidance.

 

"Learn about using app protection policies with Conditional Access to protect Exchange Online, even when devices aren't enrolled in a device management solution like Intune."

https://docs.microsoft.com/en-us/mem/intune/protect/tutorial-protect-email-on-unmanaged-devices

 

'Block all email apps except Outlook for iOS and Android using conditional access'

https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-... 

 

There are a couple of different approaches as you will see.

Hi @RauschNauti,

As mentioned in this thread, the easiest way to block access is to use Conditional Access. Set a rule for Office 365 and set the grant condition to "require the device to be marked as compliant", an un-managed device will never be compliant. 

If you want to ensure that your users are only using approved apps, consider adding the "Require approved client app" to your grant policy as well (only applies to iOS and Android).

Think this link has already been shared, but I'll add it anyways. Conditional Access require managed device - Azure Active Directory | Microsoft Docs

 

This goes without saying, but test on a small scale before deploying company-wide. :)

 

You will need Azure Active Directory Premium P1 or P2 to use Conditional Access.