Microsoft Technical Takeoff: Windows and Microsoft Intune
Oct 24 2022 07:00 AM - Oct 27 2022 12:00 PM (PDT)

Whitelist apps through Conditional Access?

Contributor

Hello Techies!

TL:DR

  1. Goal: I want to block all apps in Conditional Access except ones I have approved.
  2. Problem: Not all Microsoft apps are visible in the GUI.. What do?

The long of it

I have poked around the issue for a while now, where I would like to limit access from iOS to unauthorized applications using Conditional Access policy but the native options leaves a lot to desire.

 

So not really able to use the portal to create a perfect whitelisted based app access I have also tried creating one through PowerShell but those results were mixed, it did appear in the portal but if someone were to open the policy in portal the content would disappear and the applicability of that policy was not exactly foolproof.

 

Sources for the CLI approach:

 

Any ideas how to approach it or if it is even reasonable/feasible?

 

Example 1: A good result could be that Intune, Teams and SharePoint is allowed (along with MS required components) and rest of the not approved apps would error out. 

Example 2: OR a blacklist where all admin portal are disabled (for example did not find a way to block Microsoft Office 365 Portal)

 

Both black and whitelist approaches are missing some key apps that really defeat the whole point.

5 Replies
I'm not sure what you're trying to achieve with this. I'm not seeing any *conditional* access (like "if not compliant then grant requiring MFA else block") here. It sounds like you're only trying to configure user access as a whole. Assuming that's what you want to do, then I doubt conditional access is what you need.

For instance; being able to (network) access the admin portals is one thing, but being authorized to do anything is another. That's a case for RBAC, PIM or maybe even some simple, portal-specific setting like "Restrict access to Azure AD administration portal" to block non-admins in AAD.

But, as said, I'm not sure I understand the end goal here. I might be totally misunderstanding you. Could you elaborate a bit?

Thanks for the reply Niels!

 

I think you got the gist of the plan. Regarding RBAC, it would only help if users do not have a license, in my case they do but we want to limit access from iOS entirely.

 

Here is an example of the potential policy.

Untitled.png

 

Unfortunately not all needed apps can be whitelisted :( (at least via GUI)

Hi Alo Press,

Feel this policy does harm more than good. As I’m understanding your situation, you want to block IOS devices from accessing apps in your tenant, and most likely Admins URLs like SP admin, Teams or O365 Admin. This is not going to work because if you whitelist Exchange Online, Exchange Admin url (outlook.office.com/ecp) gets whitelisted as well. As you mentioned, you don’t have away to exclude Office Admin url or not all MSFT show in the GUI.

I have been in the same boat before, I wanted a method to block access to my resources only from devices I whitelist, so I created policy to allow access to the tenant from managed devices only.

Hope this helps!
Moe

hi @Alo Press 

 

for example 1 you can take a look at app protection policies (mam) 


example 2 

To block access to portals, you have to use different solutions and configurations. E.g., you can block the azure ad portal for normal users. This is a builtin configuration setting in azure ad.

 

To block access for instance the endpoint portal you can use Defender for cloud apps in combination with conditional access. 

 

https://docs.microsoft.com/en-us/defender-cloud-apps/what-is-defender-for-cloud-apps


note. Defender for cloud apps is only applicable in the browser. 

 

Kind regards,

 

rene 

Thanks for the replies!

I am already implementing most of the recommended policies and security measures but I was exploring the option of leveraging Conditional Access to limit access to Azure resources in general. But from the responses it looks like that approach is not really something that is recommended of used in the community, and that is good to know! Thanks!