Sep 07 2020 01:58 AM
Hello,
I got a question:
We are planning to buy Microsoft 365 Business Premium and Microsoft 365 Business Standard + Intune Device License.
My problem is that our company doesn't want to have access to Mail/OneDrive/Microsoft applications ... on private devices.
How can I block the access? The devices will be managed by Intune, Win10 Pro, iOS and maybe some Samsung Galaxys.
Is there an option to only allow managed devices to access Microsoft data? And do I need some additional license?
Best Regards,
Phil
Sep 07 2020 02:54 AM - edited Sep 07 2020 03:00 AM
@RauschNauti Hi, as far as I understand from the service description for M365 Business Premium you should be all set with the licenses (CA and Intune). There are a lot of experts in the community on MDM/MAM so you'll probably get additional answers but yes, you can achieve what you want. I'd like to direct you to the docs for guidance so maybe start here?
https://docs.microsoft.com/en-us/mem/intune/fundamentals/what-is-intune
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/require-managed-devices
Sep 17 2020 02:18 AM
Hi and Thanks,
I think I can block the access to cloud apps. But can I also block the access on the iOS Mail app or an installed Outlook client on a PC which is not registered in Intune/Azure?
Best Regards 🙂
Sep 17 2020 03:59 AM
@RauschNauti Hello! As mentioned I usually don't configure these settings, but see the tutorial and the other link for step-by-step guidance.
"Learn about using app protection policies with Conditional Access to protect Exchange Online, even when devices aren't enrolled in a device management solution like Intune."
https://docs.microsoft.com/en-us/mem/intune/protect/tutorial-protect-email-on-unmanaged-devices
'Block all email apps except Outlook for iOS and Android using conditional access'
There are a couple of different approaches as you will see.
Sep 21 2020 03:28 PM - edited Sep 21 2020 03:29 PM
Hi @RauschNauti,
As mentioned in this thread, the easiest way to block access is to use Conditional Access. Set a rule for Office 365 and set the grant condition to "require the device to be marked as compliant"; an unmanaged device will never be compliant.
If you want to ensure that your users are only using approved apps, consider adding the "Require approved client app" to your grant policy as well (only applies to iOS and Android).
I think this link has already been shared, but I'll add it anyway. Conditional Access require managed device - Azure Active Directory | Microsoft Docs
This goes without saying, but test on a small scale before deploying company-wide. 🙂
You will need Azure Active Directory Premium P1 or P2 to use Conditional Access.
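The two grant controls discussed in this thread, expressed as Conditional Access policies created with the Microsoft Graph PowerShell SDK. This is an added example, not code from the thread or from Microsoft; the group and user object IDs are placeholders you must replace with your own pilot group and emergency-access account, and both policies start in report-only mode so the small-scale test happens before anyone is locked out.

```powershell
# Added example: Conditional Access policies for "require compliant device" and
# "require approved client app" (iOS/Android only), built with the Graph PowerShell SDK.
# Assumptions: the two object IDs below are placeholders for your pilot group and
# break-glass account; policies are created in report-only mode for the pilot.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$pilotGroupId     = "<object-id-of-pilot-group>"       # placeholder, replace
$breakGlassUserId = "<object-id-of-break-glass-user>"  # placeholder, replace

# Policy 1: Office 365 only from devices Intune reports as compliant (any platform).
# A personal, unenrolled device can never be marked compliant, so it is blocked.
$compliant = @{
    displayName = "CA01 - Office 365: require compliant device"
    state       = "enabledForReportingButNotEnforced"   # switch to "enabled" after the pilot
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId); excludeUsers = @($breakGlassUserId) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("all")   # browser, modern clients and legacy (EAS/other) protocols
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $compliant

# Policy 2: on iOS and Android additionally require an approved client app
# (Outlook, Office mobile apps), so the built-in Mail app cannot sync Exchange Online.
$approvedApp = @{
    displayName = "CA02 - Office 365 mobile: require approved client app"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId); excludeUsers = @($breakGlassUserId) }
        applications   = @{ includeApplications = @("Office365") }
        platforms      = @{ includePlatforms = @("iOS", "android") }
        clientAppTypes = @("all")
    }
    # AND: the device must be compliant *and* the app must be an approved client app
    grantControls = @{ operator = "AND"; builtInControls = @("compliantDevice", "approvedApplication") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $approvedApp

# Confirm both policies exist and are still report-only before widening the scope
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Review the sign-in logs' report-only results for the pilot group before changing `state` to `enabled`, and widen `includeGroups` only after the expected blocks and allows line up.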