Microsoft Technical Takeoff: Windows and Microsoft Intune
Oct 24 2022 07:00 AM - Oct 27 2022 12:00 PM (PDT)
SOLVED

how to block the Outlook desktop app while allow them use the Outlook On the Web (OWA)

Contributor

I want to block users access to outlook from Outlook Desktop Application but let them access outlook from Outlook on the web (OWA) to improve security.

 

Is there someone who knows how to achieve the goal?

Thanks in advance.

 

6 Replies
best response confirmed by Arthur_wang (Contributor)
Solution

You can use a Conditional Access policy to block desktop apps.

 

Assignments

Conditions > Client apps > Mobile apps and desktop clients

 

Grant

Block Access

Any suggestion about how to block the desktop clients only on unmanaged devices?
I intend to block Outlook only, not the other O365 Apps.
Thanks!
Hi

You could try to target Exchange online as the cloud app and as client app conditions the mobile and desktop clients apps and configure it on block (exclude compliant devices)

Just curious but why only blocking outlook? :)

Hi @Rudy_Ooms_MVP 

Thanks for the suggestion.

I am not sure how to use block access and exclude compliant devices.

I was able to target "Office 365 Exchange Online". Under conditions the device platform checked Windows and Mac and on client Apps checked all but the Browser option. For Grant, I checked "Require device to be marked as compliant". This way, it limits Outlook from opening and it does show the message about enrolling the device. However, it also limits any other O365 App.

A current requirement from InfoSec is not allow local Outlook data (OSTs or PSTs) on personal devices. So, my current thinking is to allow Outlook online on personal devices and block the desktop client.

Regards.

I would recommend just to make sure users can only access your office365 data when the device is compliant.. when not ...they must use the browser... Plain and easy :)... Make sure you setup mcas / defender for cloud apps to limit the download/copy paste etc or label documents at download

And when all your devices are managed you can do anything you want with them to get compliant with infosec rules
Thanks for your suggestion.
Best Regards!