Apr 25 2019 04:23 AM - edited Apr 25 2019 04:34 AM
Hello,
our company is pretty new to adopting O365 and we have the following business need.
All users should only be able to access O365 while they are in our office. We are using Conditional Access and locked it down to our IP addresses. So far so good.
Now we are opening up a bit and we want to allow personal mobile phones of employees to access Teams, but without company data leaving the Teams app. For that we've created an App Protection Policy.
Now we need to combine those requests and create/change Conditional Access in a way that if you want to use everything in O365 you have to visit from our IP addresses, or if you are trying to log in from a personal mobile you are allowed to use Teams.
We don't want to manage the users' devices. Just the app...
How do we do that?
Thank you!
Kind regards
Carsten
Apr 25 2019 10:30 AM
There is no way for CA to know what a "personal mobile" is. You can configure policy that only allows access from mobile devices via the device condition: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/conditions#device-platfor...
You can combine this with the location condition or any other conditions as needed. There is also the "device state" condition/requirement, but that is sort of the opposite of what you are trying to do: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/require-managed-devices
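To show how the device-platform condition, the location condition and the app protection requirement from the question combine, here is an added example (not Microsoft's code and not from this thread): three policies written in the Microsoft Graph conditionalAccessPolicy shape, plus a simplified evaluator that models how Conditional Access resolves them for a sign-in. `OFFICE` and `TEAMS` are placeholders for the tenant's named-location id and the Teams application id, and `compliantApplication` is the Graph name of the "Require app protection policy" grant control.

```python
# Added model of how three Conditional Access policies combine. The evaluator
# is a simplified stand-in for the CA engine, written for this example only.
# OFFICE and TEAMS are placeholders: look both ids up in your own tenant.
OFFICE = "OFFICE-NAMED-LOCATION-ID-PLACEHOLDER"
TEAMS = "TEAMS-APP-ID-PLACEHOLDER"

def policy(name, apps, grant, exclude_apps=(), platforms=None):
    cond = {  # every policy is scoped to all users signing in from outside the office
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": apps, "excludeApplications": list(exclude_apps)},
        "locations": {"includeLocations": ["All"], "excludeLocations": [OFFICE]},
    }
    if platforms:
        cond["platforms"] = platforms
    return {"displayName": name, "state": "enabled", "conditions": cond,
            "grantControls": {"operator": "OR", "builtInControls": grant}}

POLICIES = [
    # Anything that is not Teams stays office-only.
    policy("Outside office: block all apps except Teams", ["All"], ["block"], exclude_apps=[TEAMS]),
    # Teams on iOS/Android is granted only to a client under an Intune app protection policy.
    policy("Outside office: Teams on mobile needs app protection", [TEAMS], ["compliantApplication"],
           platforms={"includePlatforms": ["iOS", "android"]}),
    # Teams on every other platform (desktop client, browser) is blocked outside the office.
    policy("Outside office: block Teams on non-mobile platforms", [TEAMS], ["block"],
           platforms={"includePlatforms": ["all"], "excludePlatforms": ["iOS", "android"]}),
]

def matches(p, s):
    """Simplified CA matching: all configured conditions must hold (they are ANDed)."""
    c = p["conditions"]
    apps, plat = c["applications"], c.get("platforms", {"includePlatforms": ["all"]})
    app_ok = (s["app"] not in apps["excludeApplications"]
              and ("All" in apps["includeApplications"] or s["app"] in apps["includeApplications"]))
    plat_ok = (s["platform"] not in plat.get("excludePlatforms", [])
               and ("all" in plat["includePlatforms"] or s["platform"] in plat["includePlatforms"]))
    return app_ok and plat_ok and s["location"] not in c["locations"]["excludeLocations"]

def evaluate(s):
    """Return 'allow' or 'block': any matching block policy wins, else required controls must be met."""
    required = set()
    for p in POLICIES:
        if p["state"] == "enabled" and matches(p, s):
            controls = set(p["grantControls"]["builtInControls"])
            if "block" in controls:
                return "block"
            required |= controls
    if "compliantApplication" in required and not s.get("app_protected", False):
        return "block"
    return "allow"
```

A sign-in is a dict with `app`, `platform`, `location` and an optional `app_protected` flag standing in for the client's Intune app protection state; the `POLICIES` dicts are also the bodies you would POST to the Graph conditional access policies endpoint once the placeholders are replaced.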