Stop m365 access from personal laptops


I want to block my users' ability to access corporate Outlook, Excel, Teams, and SharePoint when they open portal.office.com from their personal laptops. What is the method of doing this, please?

7 Replies
To restrict access to corporate Microsoft Office applications like Outlook, Excel, Teams, and SharePoint when users access portal.office.com from personal laptops, you can use Conditional Access policies in Azure Active Directory. You can set up policies based on conditions such as device platform (personal laptop), location, and user group membership to control access to specific Office 365 services. This way, you can ensure that only authorized devices can access corporate resources.
Thank you, Elgin. Are there any prerequisites to use Conditional Access policies? We use SCCM and on-prem joined machines, but the devices where we want to restrict access will be personal laptops, which we have no control over.
You're welcome! Conditional Access policies in Microsoft 365 can be powerful tools for enforcing access controls, but there are a few prerequisites and considerations to keep in mind, especially in your scenario:

1. **Azure AD Premium license**: Conditional Access policies require an Azure AD Premium P1 or P2 license for each user.

2. **Hybrid Azure AD Join**: If you're using on-premises Active Directory joined devices, ensure they are hybrid Azure AD joined. This allows you to apply conditional access policies to on-premises devices as well.

3. **Device Compliance**: To enforce conditional access based on device compliance, you'll need to use Microsoft Intune or a third-party mobile device management (MDM) solution. This allows you to ensure that devices meet certain security requirements before granting access to Microsoft 365 services.

4. **Azure AD Join**: While not applicable to your scenario with personal laptops, Azure AD join or hybrid Azure AD join provides additional device management capabilities and can be a prerequisite for certain conditional access scenarios.

In your case, since you want to restrict access from personal laptops, you won't have control over those devices. Therefore, you'll need to rely on user-based conditional access policies, such as blocking access from devices not managed by your organization.

Keep in mind that conditional access policies work best when combined with other security measures, such as multi-factor authentication (MFA) and regular security assessments. This helps to provide layered protection for your organization's resources.
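
As an added illustration of the approach discussed in this thread (not part of any reply, and not Microsoft's own sample): a Conditional Access policy, created with the Microsoft Graph PowerShell SDK, that lets desktop platforms reach Office 365 only from a hybrid Azure AD joined or Intune-compliant device. The display name, the Windows/macOS platform scope and the break-glass group placeholder are assumptions; the policy is created in report-only mode so its effect can be reviewed in the sign-in logs before enforcement.

```powershell
# Added example. Requires the Microsoft.Graph.Identity.SignIns module and an
# account allowed to manage Conditional Access in the tenant.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholder (assumption): object ID of a group holding emergency-access
# accounts, excluded so a misconfiguration cannot lock every admin out.
$breakGlassGroupId = '<break-glass-group-object-id>'

$policy = @{
    displayName = 'Office 365 - require managed device on desktop platforms'  # assumed name
    # Report-only: evaluated and logged, not enforced. Switch to 'enabled'
    # after checking the sign-in logs for unexpected failures.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @('Office365') }
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)
        }
        # Assumption: only laptops/desktops are in scope; phones are untouched.
        platforms      = @{ includePlatforms = @('windows', 'macOS') }
    }
    grantControls = @{
        # Access is granted if EITHER control is satisfied. A personal laptop
        # is neither hybrid joined nor marked compliant, so it is refused.
        operator        = 'OR'
        builtInControls = @('domainJoinedDevice', 'compliantDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back to confirm what the tenant actually stored.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State, Id
```

The `domainJoinedDevice` control only passes for machines that are hybrid Azure AD joined, so the on-premises joined fleet must complete hybrid join before the policy is switched from report-only to enabled.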

@Sochito

Conditional access would do

Thank you for your help, Elgin. The requirement has changed a bit today: instead of preventing M365 access on non-corporate devices, we now want to restrict users from downloading and copying content from M365 on non-corporate devices. Can I still use Conditional Access? If yes, is there a Microsoft document to follow for this implementation?
Thank you for your reply, Kidd_Ip. The requirement has changed a bit today: instead of preventing M365 access on non-corporate devices, we now want to restrict users from downloading and copying content from M365 on non-corporate devices. Can I still use Conditional Access? If yes, is there a Microsoft document to follow for this implementation?