Access Policy in CAS


Hola Everyone,

I hope you are doing well.

I am trying to set conditional access and CAS access policy to block access to Outlook Fat Client. I configure this block in CAS and nothing happens. Do I have to configure something in Azure AD in the Conditional Access policy? Or is it redundant, meaning I should only configure on one side and not the other?

Note that I already have a session policy for custom policy in Azure AD set up.

Let me know your thoughts. Thank you.

8 Replies

@myacaman hi there! Can you send what your current conditional access policy looks like? In Azure AD, to block desktop clients, there is a setting for that. Have you tried this out?

@myacaman

I have the same issue. I tried to configure an Access policy to block Exchange Online access from non-compliant devices. It works on the Windows 10 native mail client but not in Outlook from Office 2016. I also included browser access in the rule and I get the same behavior.

I would appreciate it if someone could update on why Outlook does not seem to obey the policy.

I attached an image showing what I get on the Windows 10 native mail client (on this client it succeeds).

Regards.

@JavierCaro Hi Javier, what is your policy set up like? Can you send a screenshot of the blades?

@Ethan Stern thank you for getting back to me.

So I have played with all settings. When I configure the block from Azure AD, it works under Access Controls. But when I leave it without any access control grants, as in the attached screenshot, and configure it in CAS (as in the other attached screenshot), it will not do the block.

Let me know if you need any more screenshots from me to further troubleshoot.

Thank you.


@Ethan Stern see other screenshot of Azure AD.

@Ethan Stern Hi

I attached an image of my two policies (AD and MCAS). The MCAS policy works on the Windows 10 native mail client but not in Outlook from Office 2016.

Regards.

@JavierCaro I have the same configuration as you in CAS and Azure AD and I do not seem to be able to block access from Outlook fat client, unless I configure the block in Azure AD.

That is right. That's what I meant with my post. MCAS can block access from any other client (native clients such as Windows 10) except Microsoft Outlook. I would think that it might be related to the new MAPI / HTTPS.

@myacaman