Allow MS Teams via Conditional Access but block other O365 Services


I have been asked to see if the following is possible:

 

  • Allow access to MS Teams from anywhere for Voice/Video (we disable chat, file sharing via policy in the MS Teams admin portal)
  • Block access to Exchange Online, SharePoint Online, OneDrive etc. when accessed from outside our corporate IP range.

Conditional access would normally be the way to go, as we have done this with things like 3rd party SaaS apps, but reading around service dependencies for the O365 services here it seems that we cannot simply allow MS Teams only if we want Teams to work and would need to allow Exchange Online. For example:

- I have a policy to block all SaaS applications integrated with Azure AD from remote access
- I have a SaaS application I wish to allow to users off my corporate network so I add it as an exclusion to the policy

 

Now, if this application was MS Teams, can I do this or would I need to make the Office 365 app available via conditional access?


Am I correct in this thinking?

5 Replies
You want to have it all open in some situations or always off? (EXO,OD etc)

@shocko Hi, not sure what you're asking either but Teams are depending on those services. With no EXO there's no scheduling, with no SharePoint/OneDrive there's no file sharing etc. You can read more detailed info here.

 

How SharePoint and OneDrive interact with Microsoft Teams - Microsoft Teams | Microsoft Docs

 

How Exchange and Microsoft Teams interact - Microsoft Teams | Microsoft Docs

Overall you can restrict usage like above, but rather by using licensing restrictions, policy settings and app policies.
All our users will use MS Teams at some level either on-prem or remote so restricting using licensing is not an option.
Perhaps I explained poorly so I have updated the original description of the problem.
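
The block-all-with-exclusion policy from the question, run against the Teams feature dependencies named in the replies, as an added example that is not part of the original thread. It is a simplified per-service model and does not reproduce how Azure AD itself enforces service dependencies at sign-in; the IP ranges and the policy dictionary layout are constructed for illustration.

```python
import ipaddress

# Constructed sample value: a documentation range standing in for the corporate IP range.
CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Policy shape from the question: block every integrated app for remote access,
# with the app that should stay reachable listed as an exclusion.
# (Hypothetical dictionary layout, not the Azure AD policy schema.)
POLICY = {"include_apps": "All", "exclude_apps": {"Microsoft Teams"}, "grant": "block"}

# Feature -> backing service, as stated in the replies in this thread.
TEAMS_FEATURE_DEPENDENCIES = {
    "voice/video": "Microsoft Teams",
    "scheduling": "Exchange Online",
    "file sharing": "SharePoint Online/OneDrive",
}


def is_trusted(source_ip, ranges=CORPORATE_RANGES):
    """True when the request originates inside a corporate range."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in ranges)


def evaluate(policy, app, source_ip):
    """Return 'allow' or 'block' for one service request (simplified model)."""
    if is_trusted(source_ip):
        return "allow"      # the policy only targets remote access
    if app in policy["exclude_apps"]:
        return "allow"      # explicit exclusion wins
    if policy["include_apps"] == "All" or app in policy["include_apps"]:
        return policy["grant"]
    return "allow"


def teams_feature_report(policy, source_ip):
    """Map each Teams feature to the decision for the service behind it."""
    return {feature: evaluate(policy, service, source_ip)
            for feature, service in TEAMS_FEATURE_DEPENDENCIES.items()}


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7"):  # on-network, then remote
        print(ip, teams_feature_report(POLICY, ip))
```

In this model, excluding only Teams leaves the Exchange Online and SharePoint/OneDrive requests blocked for a remote user, which is the dependency the replies point at.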