SOLVED

Allow MS Teams via Conditional Access but block other O365 Services

Steel Contributor

I have been asked to see if the following is possible:

 

  • Allow access to MS teams from anywhere for Voice/Video (we disable chat, file sharing via policy in the MS Teams admin portal)
  • Block access to Exchange Online, SharePoint Online, OneDrive etc. when accessed from outside our corporate IP range.

Conditional access would normally be the way to go as we have done this with things like 3rd party SAAS app but reading around service dependencies for the O365 service's here it seems that we cannot simply allow MS Teams only if we want teams to work and would need to allow Exchange Online. For example:

- I have a policy to block all SAAS applications integrated with AzureAD from remote access
- I have SAAS application I wish to allow to users off my corporate network so I add it as an exclusion to the policy

 

Now, is this application was MS teams, can I do this or would I need to make the Office 365 app available via conditional access ?


Am I correct in this thinking?

12 Replies
You want to have it all open in some situations or always off? (EXO,OD etc)

@shocko Hi, not sure what you're asking either but Teams are depending on those services. With no EXO there's no scheduling, with no SharePoint/OneDrive there's no file sharing etc. You can read more detailed info here.

 

How SharePoint and OneDrive interact with Microsoft Teams - Microsoft Teams | Microsoft Docs

 

How Exchange and Microsoft Teams interact - Microsoft Teams | Microsoft Docs

Overall you can restrict usage like above but rather using licensing restrictions, policy settings and app policys
All our users will use MS teams at some level either on-prem or remote so restricting using licensing is not an option.
Perhaps I explained poorly so I have updated the original description of the problem.

@shocko 

 

I believe I am working on the same issue you are, and I believe I have found the answer. After working with MS support, I was instructed to block all apps except Office 365 Exchange Onilne and Office 365 SharePoint Online. After testing with this configuration, I found that users could not sign into Teams. This prompted me to do more research, and I found an article (see link and highlighted text below) that pointed out that Skype for Business Online is also a dependency for Teams. I have added this to the conditional access policy, but I have not been able to test it yet. I will follow up and let you know once this is done.

 

https://learn.microsoft.com/en-us/microsoftteams/security-compliance-overview#how-conditional-access...

 

How Conditional Access policies work for Teams

Microsoft Teams relies heavily on Exchange Online, SharePoint, and Skype for Business Online for core productivity scenarios, like meetings, calendars, interop chats, and file sharing. Conditional access policies that are set for these cloud apps apply to Microsoft Teams when a user directly signs in to Microsoft Teams - on any client.

Microsoft Teams is supported separately as a cloud app in Microsoft Entra Conditional Access policies. Conditional access policies that are set for the Microsoft Teams cloud app apply to Microsoft Teams when a user signs in. However, without the correct policies on other apps like Exchange Online and SharePoint, users may still be able to access those resources directly. For more information about setting up a conditional access policy in the Azure portal, see Microsoft Entra Quickstart.

Microsoft Teams desktop clients for Windows and Mac support modern authentication. Modern authentication brings sign-in based on the Azure Active Directory Authentication Library (ADAL) to Microsoft Office client applications across platforms.

Microsoft Teams desktop application supports AppLocker. For more information about AppLocker prerequisites, see requirements to use AppLocker.

We are chasing the same issue. Did this work for you - allow Teams everywhere - but block EXO on non-trusted devices?

@swindisch 

 

This did not work. It appears there may be issues with applications being blocked that cannot be bypassed in the CA policy. I have a ticket escalated with MS support, and I will update as soon as we have a resolution.

This is the answer I recieved from MS, but I told them where they could stick it and asked for an actual solution to this problem. I will let you know when I hear back.

OK, I got a response from them, they told me exactly what I told you, it is expected for Teams to request a token from Graph and as a client, the application will only request the token for the service not allowing us to exclude it from this requests.

MS Graph can only be excluded with Application Filters but this will affect other apps that request access to MS Graph, and practically everything that needs to evaluate user information from Entra will use Graph.
They have seen many cases attempting this but it cannot be completely isolated, the option that was given before, was to block O365 and exclude the dependencies, and block any other needed application.

The issue with an “All Apps” Conditional Access is that it will not be based on the applications but in the base of the Entra Service, so it blocks literally everything, so the usage is more recommended for blocking types if devices, authentication protocols, locations, etc. but not for isolating applications and less client applications that cannot be targeted.

I asked for another service or option, as this option is not what we were looking, and they told me that there is none, access to the applications can be blocked per app but general blockages most be done with Conditional Access, as they are our general authentication policies.
Practically right now we are limited, and more if its with Teams, because according to what they told me, the reason it has to many dependencies is because its constantly updated with features that depend on other services, so we might block everything and exclude the dependencies and in the future they might be a new feature that will add a new dependency blocking the application based on the policy.

Best Regards

XXXXXXXX
Support Engineer | Azure Identity POD Support


best response confirmed by shocko (Steel Contributor)
Solution

Thank you very much for this detailed response.  This is exactly what we are bumping into also.  We have folks using Teams (as expected) - on many different devices but we obviously do not want to grant EXO access to any device - thus we are stuck with the CAR stuff which is a major shortcoming.   We are exploring using a solution from Palo Alto - Prisma VPN - to insure that our fleet of "compliant / trusted" devices can have secure access to EXO from anywhere..  This feels beyond ridiculous but not sure we have any other options.  Again - thank you for taking the time to detail a great response here.

 

Ok, so I have not gotten another response from MS yet, but I did find this video that appears to be the answer. I have changed some configuration, but I have not tested yet. I am going to attempt to add a Condition, Filter for Device, and add exceptions for all of the registered Android devices. You may need to add them to all of the unsupported CA policies that may conflict with Android and Intune. It is all outlined in the video, though.

https://www.youtube.com/watch?v=uTQR_YuWZag
I can now confirm that with the DeviceIDs added to the Filter for Device conditions and the following list of excluded cloud apps, the Conditional Access policy is now working.

Microsoft Intune
Microsoft Intune Enrollment
Microsoft Stream Service
Microsoft Teams Service
Microsoft Whiteboard Services
Office 365 Sharepoint Online
ProjectWorkManagement
Skype for Business Online
1 best response

Accepted Solutions
best response confirmed by shocko (Steel Contributor)
Solution

Thank you very much for this detailed response.  This is exactly what we are bumping into also.  We have folks using Teams (as expected) - on many different devices but we obviously do not want to grant EXO access to any device - thus we are stuck with the CAR stuff which is a major shortcoming.   We are exploring using a solution from Palo Alto - Prisma VPN - to insure that our fleet of "compliant / trusted" devices can have secure access to EXO from anywhere..  This feels beyond ridiculous but not sure we have any other options.  Again - thank you for taking the time to detail a great response here.

 

View solution in original post