cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Whitelist apps through Conditional Access?

Alo Press
Iron Contributor

‎May 09 2022 07:11 AM

‎May 09 2022 07:11 AM

Whitelist apps through Conditional Access?

Hello Techies!

TL:DR

  1. Goal: I want to block all apps in Conditional Access except ones I have approved.
  2. Problem: Not all Microsoft apps are visible in the GUI.. What do?

The long of it

I have poked around the issue for a while now, where I would like to limit access from iOS to unauthorized applications using Conditional Access policy but the native options leaves a lot to desire.

 

So not really able to use the portal to create a perfect whitelisted based app access I have also tried creating one through PowerShell but those results were mixed, it did appear in the portal but if someone were to open the policy in portal the content would disappear and the applicability of that policy was not exactly foolproof.

 

Sources for the CLI approach:

 

Any ideas how to approach it or if it is even reasonable/feasible?

 

Example 1: A good result could be that Intune, Teams and SharePoint is allowed (along with MS required components) and rest of the not approved apps would error out. 

Example 2: OR a blacklist where all admin portal are disabled (for example did not find a way to block Microsoft Office 365 Portal)

 

Both black and whitelist approaches are missing some key apps that really defeat the whole point.

Labels:
3,172 Views
0 Likes
5 Replies
Reply
5 Replies
NielsScheffers

‎May 09 2022 07:45 AM

‎May 09 2022 07:45 AM

Re: Whitelist apps through Conditional Access?

I'm not sure what you're trying to achieve with this. I'm not seeing any *conditional* access (like "if not compliant then grant requiring MFA else block") here. It sounds like you're only trying to configure user access as a whole. Assuming that's what you want to do, then I doubt conditional access is what you need.

For instance; being able to (network) access the admin portals is one thing, but being authorized to do anything is another. That's a case for RBAC, PIM or maybe even some simple, portal-specific setting like "Restrict access to Azure AD administration portal" to block non-admins in AAD.

But, as said, I'm not sure I understand the end goal here. I might be totally misunderstanding you. Could you elaborate a bit?
1 Like
Reply
Alo Press

‎May 09 2022 07:55 AM

‎May 09 2022 07:55 AM

Re: Whitelist apps through Conditional Access?

Thanks for the reply Niels!

 

I think you got the gist of the plan. Regarding RBAC, it would only help if users do not have a license, in my case they do but we want to limit access from iOS entirely.

 

Here is an example of the potential policy.

Untitled.png

 

Unfortunately not all needed apps can be whitelisted :( (at least via GUI)

0 Likes
Reply
Moe_Kinani

‎May 10 2022 12:42 AM

‎May 10 2022 12:42 AM

Re: Whitelist apps through Conditional Access?

Hi Alo Press,

Feel this policy does harm more than good. As I’m understanding your situation, you want to block IOS devices from accessing apps in your tenant, and most likely Admins URLs like SP admin, Teams or O365 Admin. This is not going to work because if you whitelist Exchange Online, Exchange Admin url (outlook.office.com/ecp) gets whitelisted as well. As you mentioned, you don’t have away to exclude Office Admin url or not all MSFT show in the GUI.

I have been in the same boat before, I wanted a method to block access to my resources only from devices I whitelist, so I created policy to allow access to the tenant from managed devices only.

Hope this helps!
Moe
1 Like
Reply
Mr_Helaas

‎May 10 2022 04:19 AM - edited ‎May 10 2022 04:21 AM

‎May 10 2022 04:19 AM - edited ‎May 10 2022 04:21 AM

Re: Whitelist apps through Conditional Access?

hi @Alo Press 

 

for example 1 you can take a look at app protection policies (mam) 


example 2 

To block access to portals, you have to use different solutions and configurations. E.g., you can block the azure ad portal for normal users. This is a builtin configuration setting in azure ad.

 

To block access for instance the endpoint portal you can use Defender for cloud apps in combination with conditional access. 

 

https://docs.microsoft.com/en-us/defender-cloud-apps/what-is-defender-for-cloud-apps


note. Defender for cloud apps is only applicable in the browser. 

 

Kind regards,

 

rene 

0 Likes
Reply
Alo Press

‎May 10 2022 11:49 PM

‎May 10 2022 11:49 PM

Re: Whitelist apps through Conditional Access?

Thanks for the replies!

I am already implementing most of the recommended policies and security measures but I was exploring the option of leveraging Conditional Access to limit access to Azure resources in general. But from the responses it looks like that approach is not really something that is recommended of used in the community, and that is good to know! Thanks!
0 Likes
Reply