Intune Conditional Access Policies


Hi Everyone,

 

I'm quite new to using Intune. I was trying to figure out if there was a way that I could create a conditional access policy which would allow a device that has been enrolled the ability to access Office Online applications (Word Online, Excel, etc.)?

 

At the moment the organisation has a conditional access policy that prevents users from outside the organisation, access to desktop versions of the applications such as Outlook unless I add them to the exclusion list.

 

The same goes for mobile access, users added to the excluded list/group will be able to have Office applications on their mobile devices.

 

I would like a conditional access policy for enrolled Windows devices (laptops/PCs) so that they are able to access Office Online applications only. Is this possible, and what would be the best way to go about it?

 

I forgot to mention, the device should be able to access the applications from any location.

 

Thanks

1 Reply

@Dwayne05 It all depends on how you have configured the existing CA policies. 

If the user/device falls into another CA policy that blocks online apps (or all apps) then you will first need to update that CA policy to exclude these users/devices. You can then create a new policy that does a Grant access if the user/device meets your criteria.

A sample CA policy will be the one below. 

  • Users: All users
  • App: (Select all O365 Online apps)
  • Condition: Is Compliant
  • Location: Exclude Trusted network
  • Access: Grant Access

Once you have this policy any user that doesn't have a compliant (enrolled) device will not be able to access Office 365 online apps.
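
Added example (not part of the reply above, and not Microsoft's evaluation engine): a simplified Python model of how the sample policy interacts with an existing block policy, showing why the exclusion has to be made first. The field names, the "existing-block" policy, the app names and the users are constructed for illustration; the modelled rule is that every matching policy applies, a matching block wins, and otherwise all required grant controls must be met.

```python
# Simplified model of Conditional Access evaluation. Added example: field
# names, policies and sign-ins are constructed, not taken from a real tenant.

OFFICE_ONLINE = {"word-online", "excel-online"}  # placeholder app names

def block_policy(excluded=()):
    # Hypothetical pre-existing policy: blocks all apps off the trusted network.
    return {"name": "existing-block", "grant": "block",
            "conditions": {"include_users": "All", "exclude_users": set(excluded),
                           "apps": "All", "exclude_trusted": True}}

SAMPLE_POLICY = {  # the sample policy listed in the reply
    "name": "office-online-compliant", "grant": ["compliantDevice"],
    "conditions": {"include_users": "All", "apps": OFFICE_ONLINE,
                   "exclude_trusted": True}}

def signin(user, compliant, trusted):
    # Constructed sign-in attempt to Word Online.
    return {"user": user, "app": "word-online", "trusted_location": trusted,
            "controls_met": {"compliantDevice"} if compliant else set()}

def applies(policy, attempt):
    cond = policy["conditions"]
    if attempt["user"] in cond.get("exclude_users", ()):
        return False
    if cond["include_users"] != "All" and attempt["user"] not in cond["include_users"]:
        return False
    if cond["apps"] != "All" and attempt["app"] not in cond["apps"]:
        return False
    # "Exclude Trusted network": the policy is out of scope on trusted locations.
    if cond.get("exclude_trusted") and attempt["trusted_location"]:
        return False
    return True

def evaluate(policies, attempt):
    matched = [p for p in policies if applies(p, attempt)]
    if any(p["grant"] == "block" for p in matched):
        return "blocked"  # a matching block policy overrides any grant
    required = set()
    for p in matched:
        required.update(p["grant"])
    missing = required - attempt["controls_met"]
    if missing:
        return "denied: needs " + ",".join(sorted(missing))
    return "granted"

if __name__ == "__main__":
    print(evaluate([block_policy(), SAMPLE_POLICY], signin("alice", True, False)))
    print(evaluate([block_policy(["alice"]), SAMPLE_POLICY], signin("alice", True, False)))
```

In this model a non-compliant device signing in from a trusted location is granted, because "Exclude Trusted network" takes both policies out of scope there.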