SOLVED

Bypass Conditional Access Policy for Some External Devices


We are considering a CAP that blocks access to Sharepoint/OneDrive from non-compliant devices via a Client Application, to prevent Sync of documents to unencrypted devices.


We have a concern that this policy would block collaboration with third parties using Teams, as they would be unable to comply with the CAP (and probably be unable to authorise the InTune agent on their device).

We intend only to block Sync activities, but our testing indicates that this policy blocks access by Teams to the channel. This doesn't seem like an unusual requirement and we want to extend our use of Teams for third party collaboration.

Is there any way of either registering a third party device as 'trusted' for InTune purposes without downloading the InTune agent, or designing a CAP that blocks only the Sync operations of Sharepoint/OneDrive, so that Teams is unaffected?


Hi,

Are the devices Azure AD joined or hybrid Azure AD joined?

Hi - the devices are Azure AD joined.

best response confirmed by PhillipHamlyn (New Contributor)
Solution
No real option here unfortunately...
Are these guest users or users in your tenant?

You could look into Azure AD device filters and see if anything is possible there. But I would recommend setting them up with a trusted device or excluding them from the policy
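The exclusion the reply recommends, written out as a report-only policy draft via the Microsoft Graph PowerShell SDK (an added example, not code from the thread or from Microsoft). It assumes the Microsoft.Graph module is installed, the signed-in admin holds Policy.ReadWrite.ConditionalAccess and Application.Read.All, and that the object shape is checked against the current Graph conditionalAccessPolicy reference before use.

```powershell
# Added example: require a compliant device for SharePoint/OneDrive from
# desktop/mobile clients, but leave B2B guests out of the policy so Teams
# collaboration with third parties keeps working. Created in report-only
# state so the sign-in logs can show who would have been blocked.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Resolve the SharePoint Online service principal rather than hard-coding its app id.
$spo = Get-MgServicePrincipal -Filter "displayName eq 'Office 365 SharePoint Online'"
if (-not $spo) { throw "SharePoint Online service principal not found in this tenant" }

$policy = @{
    displayName = "Require compliant device for SharePoint/OneDrive clients (report-only)"
    state       = "enabledForReportingButNotEnforced"   # review sign-in logs before enforcing
    conditions  = @{
        applications   = @{ includeApplications = @($spo.AppId) }
        # Desktop/mobile clients only (this is what catches the sync client);
        # browser sessions are out of scope.
        clientAppTypes = @("mobileAppsAndDesktopClients")
        users          = @{
            includeUsers = @("All")
            # Guests cannot enrol in your Intune, so exclude them instead of
            # letting the compliant-device grant block their Teams file access.
            excludeGuestsOrExternalUsers = @{
                guestOrExternalUserTypes = "b2bCollaborationGuest,b2bCollaborationMember"
                externalTenants = @{
                    "@odata.type"  = "#microsoft.graph.conditionalAccessAllExternalTenants"
                    membershipKind = "all"
                }
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Note that excluding guests is a coverage trade-off: a guest on an unencrypted device can still sync any library they have been granted, so pair this with SharePoint external sharing limits rather than treating the exclusion as equivalent to enforcement.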