Microsoft Tech Community Live:  Microsoft Teams Edition
November 09, 2021, 08:00 AM - 12:00 PM (PST)

Block Teams web client whilst allowing Teams desktop client - using proxy

%3CLINGO-SUB%20id%3D%22lingo-sub-2756889%22%20slang%3D%22en-US%22%3EBlock%20Teams%20web%20client%20whilst%20allowing%20Teams%20desktop%20client%20-%20using%20proxy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2756889%22%20slang%3D%22en-US%22%3E%3CP%3EIs%20there%20a%20way%20to%20identify%20traffic%20from%20Teams%20web%20client%2C%20distinct%20from%20Teams%20desktop%20client%20so%20we%20can%20use%20proxy%20config%20to%20block%20Teams%20web%20client%20whilst%20allowing%20Teams%20desktop%20client%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20reasons%20for%20this%20specific%20ask%20and%20consideration%20of%20other%20options%20are%20below%3A%3C%2FP%3E%3CP%3Ewe%20are%20deploying%20Microsoft%20365%20in%20an%20environment%20for%20which%20a%20new%20tenant%20(tenant%20A)%20has%20been%20set%20up.%3CBR%20%2F%3EThe%20environment%20has%20on-prem%20Win%2010%20devices%20managed%20via%20SCCM%20and%20the%20devices%20currently%20don't%20have%20Teams%20or%20Outlook%20desktop%20clients%20installed.%3CBR%20%2F%3EThe%20environment%20is%20locked%20down%20with%20access%20to%20teams.microsoft.com%20currently%20blocked%20using%20proxy%20config%20to%20prevent%20users%20getting%20to%20Teams%20via%20the%20browser%20(and%20users%20don't%20even%20have%20the%20desktop%20client%2C%20which%20this%20would%20also%20block).%3CBR%20%2F%3EUsers%20currently%20have%20access%20to%20email%20on%20the%20parent%20company's%20tenant%20(tenant%20B)%2C%20using%20their%20separate%20parent%20company%20creds%20signing%20into%20outlook%20for%20the%20web%20in%20the%20browser.%20This%20is%20the%20extent%20of%20their%20use%20of%20M365%20cloud%20services%20-%20Outlook%20on%20the%20Web%20to%20parent%20company%20tenant.%3C%2FP%3E%3CP%3EAs%20part%20of%20rolling%20out%20Teams%2C%20the%20Teams%20client%20is%20being%20deployed%20and%20the%20proxy%20block%20of%20teams.microsoft.com%20is%20being%20removed.%3CBR%20%2F%3ERestrictTeamsSignInToAccountsFromTenantList%20registry%20setting%20is%20implemented%20so%20users%20can%20only%20sign-in%20to%20tenant%20A%20from%20Teams%20desktop%20client.%3CBR%20%2F%3Esign-in%20to%20tenant%20B%20Teams%20or%20indeed%20any%20tenant%20is%20possible%20via%20the%20web%20client%20however%20and%20there%20is%20a%20requirement%20to%20block%20this%20so%20the%20users%20can't%20use%20the%20Teams%20web%20client.%3CBR%20%2F%3EWe%20can't%20use%20tenant%20restrictions%20i.e.%20Restrict-Access-To-Tenants%20header%20in%20proxy%20to%20tenant%20A%20(%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fmanage-apps%2Ftenant-restrictions%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fmanage-apps%2Ftenant-restrictions%3C%2FA%3E)%20as%20the%20users%20need%20to%20be%20able%20to%20get%20to%20parent%20company%20tenant%20B%20for%20email%3CBR%20%2F%3EWe%20can't%20configure%20tenant%20B%20e.g.%20Conditional%20access%20to%20block%20Teams%20for%20a%20group%20as%20the%20global%20team%20who%20manage%20tenant%20B%20don't%20engage%20for%20these%20type%20of%20point%20solutions%20-%20to%20keep%20their%20tenant%20maintainable.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDue%20to%20the%20above%20constraints%20we%20think%20identifying%20some%20specific%20urls%20in%20proxy%20might%20be%20our%20best%20route%20but%20open%20to%20other%20suggestions%20on%20how%20to%20to%20block%20Teams%20web%20client%20whilst%20allowing%20Teams%20desktop%20client.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2756889%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3Eproxy%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ETeams%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2771253%22%20slang%3D%22en-US%22%3ERe%3A%20Block%20Teams%20web%20client%20whilst%20allowing%20Teams%20desktop%20client%20-%20using%20proxy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2771253%22%20slang%3D%22en-US%22%3EHello%2C%20maybe%20a%20stupid%20idea%2C%20but%20did%20you%20try%20to%20implement%20a%20Conditional%20Access%20Policy%20to%20block%20access%20to%20%22Browser%22%20while%20allowing%20%22Mobile%20apps%20and%20desktop%20clients%22%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2771429%22%20slang%3D%22en-US%22%3ERe%3A%20Block%20Teams%20web%20client%20whilst%20allowing%20Teams%20desktop%20client%20-%20using%20proxy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2771429%22%20slang%3D%22en-US%22%3EHello%2C%20you%20should%20be%20able%20to%20use%20Microsoft%20Cloud%20App%20Security%20Conditional%20Access%20App%20Control%20with%20an%20Access%20policy%20(desktop%20apps).%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fcloud-app-security%2Fproxy-intro-aad%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fcloud-app-security%2Fproxy-intro-aad%3C%2FA%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2771573%22%20slang%3D%22en-US%22%3ERe%3A%20Block%20Teams%20web%20client%20whilst%20allowing%20Teams%20desktop%20client%20-%20using%20proxy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2771573%22%20slang%3D%22en-US%22%3EHi%20-%20if%20we%20were%20able%20to%20configure%20the%20parent%20tenant%20then%20this%20is%20the%20sort%20of%20config%20we%20would%20implement.%20Unfortunately%20we%20don't%20currently%20have%20this%20option.%3C%2FLINGO-BODY%3E
Contributor

[UPDATE 29/09] We have identified that the Teams desktop client puts a Teams entry in the user-agent string and use a specific Chrome version that is different to the Chrome the users have so we are using this to block traffic to teams.microsoft.com and seems to working so far. Not all traffic has the user-agent though i.e. video. Initially we blocked teams.microsoft.com except user-agent Teams* but this blocked video. Does anyone have detail on Teams video traffic so we can investigate further options?   

-------------------------------------------------------------------------------------------------

Is there a way to identify traffic from Teams web client, distinct from Teams desktop client so we can use proxy config to block Teams web client whilst allowing Teams desktop client?

 

The reasons for this specific ask and consideration of other options are below:

we are deploying Microsoft 365 in an environment for which a new tenant (tenant A) has been set up.
The environment has on-prem Win 10 devices managed via SCCM and the devices currently don't have Teams or Outlook desktop clients installed.
The environment is locked down with access to teams.microsoft.com currently blocked using proxy config to prevent users getting to Teams via the browser (and users don't even have the desktop client, which this would also block).
Users currently have access to email on the parent company's tenant (tenant B), using their separate parent company creds signing into outlook for the web in the browser. This is the extent of their use of M365 cloud services - Outlook on the Web to parent company tenant.

As part of rolling out Teams, the Teams client is being deployed and the proxy block of teams.microsoft.com is being removed.
RestrictTeamsSignInToAccountsFromTenantList registry setting is implemented so users can only sign-in to tenant A from Teams desktop client.
sign-in to tenant B Teams or indeed any tenant is possible via the web client however and there is a requirement to block this so the users can't use the Teams web client.
We can't use tenant restrictions i.e. Restrict-Access-To-Tenants header in proxy to tenant A (https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/tenant-restrictions) as the users need to be able to get to parent company tenant B for email
We can't configure tenant B e.g. Conditional access to block Teams for a group as the global team who manage tenant B don't engage for these type of point solutions - to keep their tenant maintainable.

 

Due to the above constraints we think identifying some specific urls in proxy might be our best route but open to other suggestions on how to to block Teams web client whilst allowing Teams desktop client.

4 Replies
Hello, maybe a stupid idea, but did you try to implement a Conditional Access Policy to block access to "Browser" while allowing "Mobile apps and desktop clients"?
Hello, you should be able to use Microsoft Cloud App Security Conditional Access App Control with an Access policy (desktop apps).

https://docs.microsoft.com/en-us/cloud-app-security/proxy-intro-aad
Hi - if we were able to configure the parent tenant then this is the sort of config we would implement. Unfortunately we don't currently have this option.
Hi - similar to the above around conditional access, we would look at config of this nature if we could configure the parent company tenant. Also note the tenant in question doesn't have licensing which includes MCAS.
It's admittedly a bit of an odd and potentially contradictory requirement.