Forum Discussion
Access Policies not blocking existing Office app connections
I'm testing blocking the Office apps on unmanaged devices so users cannot use them to download sensitive data. While I have had success with preventing users from licensing their Office apps or setting up OneDrive syncing, unfortunately it isn't blocking apps that are already set up. So licensed Office apps can still browse to SharePoint and open a file, email is still delivered in Outlook, and file changes in OneDrive still sync in both directions. I want to stop all existing connections in their tracks with this policy.
The Access policy is set up with the following:
- Device not equal to Hybrid Entra Joined...
- User account equal to mine
- App equals Microsoft 365
- Client app equals Mobile and desktop
- Device equals PC
- Block and display a customised message
I have a separate Session policy that is blocking cut, copy, print, and download activities in a web browser.
Can anyone explain why it isn't working as I would expect?
Thanks for any help.
1 Reply
- Cameron_Stephens (Copper Contributor)
While investigating this issue I came across this https://samilamppu.com/2021/06/22/cloud-app-security-access-policies-common-use-cases/ from 2021 which says the following:
Native clients interactive sign-on can be seen in MCAS but when they are acquiring refresh-token it’s not visible in MCAS.
Looking at the existing Microsoft docs page for creating Access policies, it says the following under the section "Test your policy":
Sign out of all existing sessions before re-authenticating to your apps.
So if Access policies can only restrict interactive logins from client apps, that would explain why existing application sessions aren't being restricted.
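One practical way to act on that finding when testing, added here as an example rather than anything posted in this thread or taken from Microsoft's documentation: revoke the test user's existing refresh tokens so the already-signed-in Office apps are forced back through an interactive sign-in, which is the point at which the Access policy is evaluated. The script assumes the Microsoft.Graph PowerShell SDK is installed, that the admin running it holds the User.ReadWrite.All permission, and that the user principal name is a placeholder to replace; it does not change how the Access policy itself behaves.

```powershell
# Added example (not from the original thread): force re-authentication for a
# test user so that a Defender for Cloud Apps Access policy, which only sees
# interactive sign-ins, gets a chance to act on the Office desktop apps.
# Assumes the Microsoft.Graph PowerShell SDK and an admin with User.ReadWrite.All.

# Hypothetical test account; replace with the user the Access policy targets.
$TestUserUpn = 'testuser@contoso.example'

Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome

$user = Get-MgUser -UserId $TestUserUpn -Property Id,UserPrincipalName
if (-not $user) { throw "User $TestUserUpn not found" }

# Invalidate every refresh token the user holds. Outlook, OneDrive and the other
# Office clients must then perform an interactive sign-in once their current
# access token expires, and that interactive request is what the policy can block.
Revoke-MgUserSignInSession -UserId $user.Id

# Note the revocation time for comparison with the sign-in logs: access tokens
# issued before this moment stay valid until they expire (about an hour by
# default), so the clients keep working for a short while after revocation.
Write-Output ("Sessions revoked for {0} at {1:u}" -f $user.UserPrincipalName, (Get-Date).ToUniversalTime())
```

After the existing access token lapses, the next token request from each Office client shows up as an interactive sign-in in the Entra sign-in logs and in the Defender for Cloud Apps activity log, which is where you can confirm whether the Access policy blocked it.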