Conditional Access, allow everything only from our IP addresses and Teams app from anywhere


Hello,

our company is pretty new to adopting O365 and we have the following business need.

All users should only be able to access O365 while they are in our office. We are using Conditional Access and locked it down to our IP addresses. So far so good.

Now we are opening up a bit and we want to allow personal mobile phones of employees to access Teams, but without company data leaving the Teams app. For that we've created an App Protection Policy.

Now we need to combine those requests and create/change Conditional Access in a way that if you want to use everything in O365 you have to visit from our IP addresses, or if you are trying to log in from a personal mobile you are allowed to use Teams.

We don't want to manage the user's device. Just the app...

How do we do that?
Thank you!
Kind regards
Carsten

1 Reply

There is no way for CA to know what a "personal mobile" is. You can configure a policy that only allows access from mobile devices via the device condition: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/conditions#device-platfor...

You can combine this with the location condition or any other conditions as needed. There is also the "device state" condition/requirement, but that is sort of the opposite of what you are trying to do: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/require-managed-devices
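The combination the reply describes (device platform condition plus location condition, with the questioner's existing App Protection Policy as the grant control), written out as three Conditional Access policies with the Microsoft Graph PowerShell SDK. This is an added example, not code from the thread or from Microsoft; it assumes the Microsoft.Graph module is installed, that a named location for the office public IPs already exists and is marked as trusted, that an Intune app protection policy for Teams already exists, and that a break-glass account object id is substituted for the placeholder. The Teams cloud app id is looked up at run time rather than hard-coded. Because the platform condition is derived from the client's user agent, the example pairs it with an explicit block for every platform it does not allow, so an unrecognised or spoofed platform falls into the block policy rather than through a gap.

```powershell
# Added example (not from the thread). Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Resolve the Teams cloud app id from the tenant's service principal instead of hard-coding it.
$teamsAppId = (Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Teams'").AppId

# Placeholder: object id of an emergency-access account that every policy excludes.
$breakGlassId = "<BREAK-GLASS-ACCOUNT-OBJECT-ID>"

function New-OffsitePolicyBody {
    param(
        [string]$Name,
        [hashtable]$Applications,
        [hashtable]$Platforms,
        [string]$Control            # "block" or "compliantApplication" (Require app protection policy)
    )
    # Every policy built here applies only when the sign-in does NOT come from a trusted named location,
    # so sign-ins from the office IP ranges are untouched by all three.
    @{
        displayName   = $Name
        state         = "enabledForReportingButNotEnforced"   # report-only first; set "enabled" after reviewing sign-in logs
        conditions    = @{
            clientAppTypes = @("all")
            users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
            applications   = $Applications
            platforms      = $Platforms
            locations      = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
        }
        grantControls = @{ operator = "OR"; builtInControls = @($Control) }
    }
}

$mobile = @{ includePlatforms = @("iOS", "android") }

$policies = @(
    # 1. Off site and not on a phone: nothing is reachable. "all" with the mobile platforms excluded
    #    also catches clients whose platform cannot be identified.
    (New-OffsitePolicyBody -Name "Offsite: block all apps on non-mobile platforms" `
        -Applications @{ includeApplications = @("All") } `
        -Platforms @{ includePlatforms = @("all"); excludePlatforms = @("iOS", "android") } `
        -Control "block"),
    # 2. Off site on a phone: every cloud app except Teams is blocked.
    (New-OffsitePolicyBody -Name "Offsite mobile: block all apps except Teams" `
        -Applications @{ includeApplications = @("All"); excludeApplications = @($teamsAppId) } `
        -Platforms $mobile -Control "block"),
    # 3. Off site on a phone, Teams only: granted solely to a client that is under the Intune
    #    app protection policy, which keeps the data inside the managed app without enrolling the device.
    (New-OffsitePolicyBody -Name "Offsite mobile: Teams requires app protection policy" `
        -Applications @{ includeApplications = @($teamsAppId) } `
        -Platforms $mobile -Control "compliantApplication")
)

foreach ($body in $policies) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body | Select-Object DisplayName, State, Id
}
```

All three policies are created in report-only mode; the sign-in log's report-only results show which users and clients each policy would have blocked, and only after that review should the state be switched to "enabled". Policy 3 uses "compliantApplication" (Require app protection policy) rather than "approvedApplication" (Require approved client app), since the questioner's requirement is that company data stays inside the protected Teams app rather than merely that a Microsoft client is used.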