Conditional Access control


Is it possible to apply conditional access control on a device with the OneDrive app? If a user is using the OneDrive app and the device is not managed, block downloads.

6 Replies

@esnecho991 You need to apply app protection policies with conditional access to enable DLP on unmanaged devices.

https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policy

 

@Swaminathan_Arumugam That requires Intune on my devices.

How about my user's laptop and mobile pads?

@esnecho991 You need an EMS E3 or M365 F3 license to apply an app protection policy using Intune.

@Swaminathan_Arumugam Thanks. Is there any limitation on the platforms where Intune can be installed?

We have servers, desktops, and Linux machines. How to address that?

@esnecho991 To achieve this you need to implement CASB.

@esnecho991 Are the other devices in your environment hybrid Azure AD joined? If you have it, you can create a conditional access rule "Block Unmanaged Device File Downloads".

Users and groups: All users
Cloud App: Office 365 SharePoint Online
Conditions:
- Client Apps: Mobile Apps and desktop clients
- Device state: Configure YES, Include: All device state, Exclude: Device Hybrid Azure AD joined
Access Controls: Block Access
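
The rule described in the last reply, written out as a Microsoft Graph `conditionalAccessPolicy` body with a small coverage check. This is an added example, not part of the thread. Assumptions: the hybrid-joined exclusion is expressed as a device filter rule, the policy starts in report-only state, the `decide` function is a simplified model of policy matching, and the sample sign-ins and their field names are constructed.

```python
import json

# Well-known first-party application ID of Office 365 SharePoint Online.
SHAREPOINT_ONLINE = "00000003-0000-0ff1-ce00-000000000000"

def build_policy(state="enabledForReportingButNotEnforced"):
    """Graph conditionalAccessPolicy body for the posted settings (report-only by default)."""
    return {
        "displayName": "Block Unmanaged Device File Downloads",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": [SHAREPOINT_ONLINE]},
            "clientAppTypes": ["mobileAppsAndDesktopClients"],
            # Assumption: the hybrid-joined exclusion written as a device filter.
            "devices": {"deviceFilter": {"mode": "exclude",
                                         "rule": 'device.trustType -eq "ServerAD"'}},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def decide(policy, signin):
    """Simplified model of policy matching; not Azure AD's real evaluation engine."""
    cond = policy["conditions"]
    if signin["app_id"] not in cond["applications"]["includeApplications"]:
        return "not applied"
    if signin["client_app"] not in cond["clientAppTypes"]:
        return "not applied"
    if signin["trust_type"] == "ServerAD":  # hybrid Azure AD joined is excluded
        return "not applied"
    return "blocked"

# Constructed sample sign-ins (hypothetical field names, not a real log schema).
SAMPLES = {
    "hybrid laptop, OneDrive sync client": {"app_id": SHAREPOINT_ONLINE,
        "client_app": "mobileAppsAndDesktopClients", "trust_type": "ServerAD"},
    "personal phone, OneDrive app": {"app_id": SHAREPOINT_ONLINE,
        "client_app": "mobileAppsAndDesktopClients", "trust_type": None},
    "unmanaged PC, web browser": {"app_id": SHAREPOINT_ONLINE,
        "client_app": "browser", "trust_type": None},
}

def evaluate_samples():
    policy = build_policy()
    return {name: decide(policy, s) for name, s in SAMPLES.items()}

if __name__ == "__main__":
    print(json.dumps(build_policy(), indent=2))
    for name, result in evaluate_samples().items():
        print(f"{name}: {result}")
```

In this model the browser sign-in falls outside the policy because only mobile apps and desktop clients are selected, so browser sessions need their own control. "blocked" here means the whole sign-in to SharePoint Online is denied, not only downloads.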