Intune Conditional Access Policies


Hi Everyone,


I'm quite new to using Intune. I was trying to figure out if there was a way that I could create a conditional access policy which would allow a device that has been enrolled the ability to access Office online applications (Word Online, Excel, etc.)?


At the moment the organisation has a conditional access policy that prevents users from outside the organisation from accessing desktop versions of the applications, such as Outlook, unless I add them to the exclusion list.


The same goes for mobile access: users added to the excluded list/group will be able to have Office applications on their mobile devices.


I would like a conditional access policy for enrolled Windows devices (laptops/PCs) so that they are able to access Office online applications only. Is this possible, and what would be the best way to go about it?


I forgot to mention, the device should be able to access the applications from any location.



1 Reply

@Dwayne05 It all depends on how you have configured the existing CA policies. 

If the user/device falls into another CA policy that blocks online apps (or all apps), then you will first need to update that CA policy to exclude these users/devices. You can then create a new policy that grants access if the user/device meets your criteria.

A sample CA policy will be the one below. 

  • Users: All users
  • App: (Select all O365 Online apps)
  • Condition: Is Compliant
  • Location: Exclude Trusted network
  • Access: Grant Access

Once you have this policy, any user that doesn't have a compliant (enrolled) device will not be able to access Office 365 online apps.
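
How the two steps in the reply interact, as an added example (a simplified Python model written for this page, not Microsoft's evaluation code and not part of the reply): every policy that matches a sign-in applies, and a block from any one of them wins. The existing block policy, the group names and the `OfficeOnline` app label are assumptions.

```python
# Simplified model of Conditional Access evaluation: an added illustration,
# not Microsoft's implementation. All policy, group and app names are constructed.
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    exclude_groups: set = field(default_factory=set)   # users: "All" minus these
    apps: set = field(default_factory=lambda: {"All"})
    exclude_trusted_location: bool = False
    block: bool = False
    require_compliant: bool = False

@dataclass
class SignIn:
    groups: set
    app: str
    compliant: bool
    trusted_location: bool = False

def applies(p: Policy, s: SignIn) -> bool:
    """A policy applies only if every one of its conditions matches the sign-in."""
    if s.groups & p.exclude_groups:
        return False                      # exclusions override "All users"
    if "All" not in p.apps and s.app not in p.apps:
        return False
    return not (p.exclude_trusted_location and s.trusted_location)

def evaluate(policies, s: SignIn) -> str:
    """Combine all matching policies: any block wins, else every control must pass."""
    matched = [p for p in policies if applies(p, s)]
    if any(p.block for p in matched):
        return "block"
    if any(p.require_compliant and not s.compliant for p in matched):
        return "block"
    return "grant"

# Assumed existing policy: blocks everyone who is not in the exclusion group.
existing = Policy("Existing block", exclude_groups={"ca-excluded"}, block=True)
# Same policy after the reply's first step: the enrolled-device users are excluded.
existing_fixed = Policy("Existing block",
                        exclude_groups={"ca-excluded", "enrolled-windows"}, block=True)
# The reply's sample policy: online apps, compliant device, trusted network excluded.
sample = Policy("Require compliant device", apps={"OfficeOnline"},
                exclude_trusted_location=True, require_compliant=True)

enrolled = SignIn({"enrolled-windows"}, "OfficeOnline", compliant=True)
unmanaged = SignIn({"enrolled-windows"}, "OfficeOnline", compliant=False)
unmanaged_onsite = SignIn({"enrolled-windows"}, "OfficeOnline", False, trusted_location=True)
```

In this model a non-compliant device signing in from the trusted network matches neither policy, because the sample policy's location condition excludes it, so the compliance requirement is not enforced there.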