Nov 06 2023 04:10 PM - edited Nov 06 2023 11:38 PM
Greetings,
I'm opening this discussion to speak about how to block access to Exchange Online from any email client (Outlook, Windows 10 Mail, new Outlook for Windows, third-party client) on Windows devices (either Intune-unmanaged, Intune-managed, Microsoft Entra joined, Microsoft Entra registered, or Microsoft Entra hybrid joined). Only Outlook on the web is allowed.
TEST 1
My initial attempt, as mentioned in this post (how to block the Outlook desktop app while allowing them to use Outlook on the Web (OWA)), was to block access through a Conditional Access policy.
Results: I realized it isn't applicable because, even though it meets the goal, it also blocks applications like Microsoft Teams.
TEST 2
I modified the CA policy by allowing access from compliant devices or hybrid joined:
Results: In this way, I can force clients to be compliant (Intune-managed) or hybrid joined, at least; however, I cannot control access from email clients (consider, for example, a scenario in which end-users have Outlook installed for opening files in MSG or EML format).
TEST 3
The only way I found to achieve the goal was to take action on Exchange Online, by manipulating these properties for each mailbox via PowerShell (Set-CASMailbox):
It seems that even if blocked (2), I can still configure and access the mailbox via Windows Mail.
I also realized (Welcome Sir !!! 🙂) that even though the above properties appear at plan level (Get-CASMailboxPlan), it isn't possible to set them (Set-CASMailboxPlan); but it is possible to disable, for example, IMAP and POP (?).
This solution assumes running a PowerShell script for setting these properties on new mailbox creation.
Any other suggestions?
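As an added example (not code from the original post, and not a Microsoft-provided script), the following PowerShell shows one way to implement TEST 3 as the scheduled script the post mentions: it defines a web-only client access baseline and applies it with Set-CASMailbox only to mailboxes that drift from it, so re-running it daily also covers newly created mailboxes. The parameters used are documented Set-CASMailbox parameters; which of them to set is the editor's assumption, since the post's own property list did not survive. It assumes the ExchangeOnlineManagement module is installed and the account holds a recipient management role. The `UniversalOutlookEnabled` property is the one that governs the Windows Mail app the post found still able to connect.

```powershell
<#
  Added example, not part of the original post.
  Enforces a "web-only" client access baseline on Exchange Online user
  mailboxes and re-applies it on each run so new mailboxes pick it up.
  Assumptions: ExchangeOnlineManagement module installed; the running
  account can run Get-Mailbox / Get-CASMailbox / Set-CASMailbox.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    # Only process mailboxes created in the last N days (0 = all user mailboxes)
    [int]$NewerThanDays = 0,
    # Admin UPN for Connect-ExchangeOnline; leave empty if a session already exists
    [string]$AdminUpn = ''
)

if ($AdminUpn) { Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false }

# Desired state (editor's choice): keep OWA, switch off every other client path.
# Keys are Get-CASMailbox property names, which match the Set-CASMailbox parameters.
$Baseline = [ordered]@{
    OWAEnabled                       = $true    # Outlook on the web stays allowed
    MAPIEnabled                      = $false   # classic Outlook for Windows
    OneWinNativeOutlookEnabled       = $false   # new Outlook for Windows
    UniversalOutlookEnabled          = $false   # Windows Mail / Calendar app
    MacOutlookEnabled                = $false   # Outlook for Mac
    OutlookMobileEnabled             = $false   # Outlook for iOS / Android
    ActiveSyncEnabled                = $false   # Exchange ActiveSync clients
    ImapEnabled                      = $false   # third-party IMAP clients
    PopEnabled                       = $false   # third-party POP clients
    EwsAllowOutlook                  = $false   # Outlook over EWS only; EwsEnabled is left
                                                # untouched so non-mail apps keep working
    SmtpClientAuthenticationDisabled = $true    # no authenticated SMTP submission
}

$cutoff = if ($NewerThanDays -gt 0) { (Get-Date).AddDays(-$NewerThanDays) } else { [datetime]::MinValue }

$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.WhenCreated -gt $cutoff }

$report = foreach ($mbx in $mailboxes) {
    $cas = Get-CASMailbox -Identity $mbx.Identity

    # Collect only the properties that differ from the baseline, so each run
    # is idempotent and the report shows exactly what changed per mailbox.
    $drift = @{}
    foreach ($name in $Baseline.Keys) {
        if ($cas.$name -ne $Baseline[$name]) { $drift[$name] = $Baseline[$name] }
    }
    if ($drift.Count -eq 0) { continue }

    # -WhatIf on the script is honoured here, so a dry run lists the drift without changing anything
    if ($PSCmdlet.ShouldProcess($mbx.UserPrincipalName, "Set-CASMailbox $($drift.Keys -join ', ')")) {
        Set-CASMailbox -Identity $mbx.Identity @drift
    }

    [pscustomobject]@{
        Mailbox = $mbx.UserPrincipalName
        Changed = ($drift.Keys -join ', ')
    }
}

$report | Format-Table -AutoSize
```

Run it once with `-WhatIf` to see which mailboxes would change, then schedule it (Azure Automation or a task on a management host) with `-NewerThanDays 2` so each run only inspects recently created mailboxes. The drift check means an already-compliant mailbox is never written to, which keeps the audit log readable, and because the comparison treats an unset `SmtpClientAuthenticationDisabled` (`$null`, meaning "inherit the tenant setting") as drift, that value is pinned per mailbox rather than left to the tenant default.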