SOLVED

Block Outlook-Client on unmanaged Win10

Occasional Contributor

Hi All,

 

my customer wants to block the Outlook-Client on unmanaged Win10-Devices (private PCs), but Teams-Client should work.

I've done some testing with Conditional Access, MCAS and App-Protection-Policies. But either Outlook-Client AND Teams-Client were blocked, or only Teams-Client was blocked and with Outlook-Client I got a connection to EXO.

Only Browser is not an option for my customer.

 

Any Ideas about this question?

 

Regards,

Markus

5 Replies

Hello @MarkusDi 

 

I recommend that you use a Conditional Access policy and set it up to block non-compliant and non-Hybrid Azure AD joined devices. Please note that you would need an Exchange Online authentication policy to strictly forbid legacy authentication apps to connect. Legacy Authentication does not care for Conditional Access policies. Disable Basic authentication in Exchange Online | Microsoft Docs

 


 

//Nicklas Ahlberg

 

https://www.nicklasahlberg.se 

 

Hello @NicklasAhlberg 

This policy would block unmanaged devices completely.

But they should be able to use Teams-Client on unmanaged devices. "Only" the use of Outlook-Client should be restricted...

 

Regards,

Markus

@MarkusDi 

 

You could try to just block Exchange Online app but I am sure it will probably interfere with some Teams, OneDrive and SPO functionality. In this case I would use MAM to deploy an MS Edge policy. 


 

@NicklasAhlberg yes, it will interfere with OneDrive/SFB and Teams. I have tested in my environment.
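The two controls discussed in the replies above, as an added example that is not code from any poster in this thread: a Conditional Access policy scoped only to Exchange Online desktop clients on Windows, created in report-only mode so the Teams/OneDrive side effects can be measured first, plus an Exchange Online authentication policy that blocks Basic authentication. The display name, policy name, pilot group ID and pilot user are placeholders chosen for illustration.

```powershell
# Added example. Assumes the Microsoft.Graph and ExchangeOnlineManagement modules
# are installed and the operator holds the required admin roles.

# --- 1. Conditional Access: Exchange Online only, desktop clients, Windows ---
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','Application.Read.All'

$pilotGroupId = '<pilot-group-object-id>'   # placeholder: scope to a pilot group first

$policy = @{
    displayName = 'EXAMPLE - EXO desktop clients require managed Windows device'
    # Report-only: the policy is evaluated and logged but nothing is blocked yet.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId) }
        # Well-known application ID of Office 365 Exchange Online
        applications   = @{ includeApplications = @('00000002-0000-0ff1-ce00-000000000000') }
        # Desktop clients such as Outlook; browser sessions are not matched
        clientAppTypes = @('mobileAppsAndDesktopClients')
        platforms      = @{ includePlatforms = @('windows') }
    }
    grantControls = @{
        # Access is granted only from a compliant OR hybrid Azure AD joined device
        operator        = 'OR'
        builtInControls = @('compliantDevice','domainJoinedDevice')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# --- 2. Exchange Online: block Basic (legacy) authentication ---
# Conditional Access device controls are not enforced for legacy authentication,
# so it has to be disabled on the Exchange Online side.
Connect-ExchangeOnline

# A new authentication policy blocks Basic authentication for all protocols by default.
New-AuthenticationPolicy -Name 'EXAMPLE - Block Basic Auth'

# Assign to a pilot mailbox first (placeholder UPN), then widen the scope.
Set-User -Identity 'pilot.user@example.com' -AuthenticationPolicy 'EXAMPLE - Block Basic Auth'
```

While the policy is in report-only mode, the Azure AD sign-in logs show which Teams, OneDrive and SharePoint sign-ins it would have affected; set `state` to `enabled` only after reviewing them.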

Best Response confirmed by MarkusDi (Occasional Contributor)
Solution

Now we use Windows Virtual Desktop and block private devices completely.

 

Thanks for your help.

 

Best regards,

Markus