SOLVED

Conditional Access (require compliant device) not working with Forms

%3CLINGO-SUB%20id%3D%22lingo-sub-301270%22%20slang%3D%22en-US%22%3EConditional%20Access%20(require%20compliant%20device)%20not%20working%20with%20Forms%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-301270%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20everyone%2C%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20experienced%20a%20strange%20behavior%20today.%20We%20have%20Azure%20AD%20Conditional%20Access%20enabled%20and%20require%20a%20compliant%20device%20for%20full%20access%20on%20all%20webApps.%20Meaning%20we%20only%20allow%20browser%20based%20access%20from%20every%20non%20compliant%20device%20including%20limitations%20on%20downloading%20and%20saving%20files%20on%20such%20a%20device.%26nbsp%3B%3C%2FP%3E%3CP%3EUnfortunately%20we%20found%20that%20with%20Microsoft%20Forms%20you%20can%20download%20the%20results%20of%20a%20survey%20to%20your%20client%20version%20of%20Excel%20and%20also%20save%20it%20on%20the%20local%20non%20compliant%20device.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECan%20anyone%20help%20with%20that%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-301270%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EConditional%20Access%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EForms%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20Apps%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-301376%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20(require%20compliant%20device)%20not%20working%20with%20Forms%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-301376%22%20slang%3D%22en-US%22%3EBecause%20the%20files%20are%20stored%20inside%20form.microsoft.com%20not%20via%20sharepoint%20or%20onedrive%20like%20everything%20else%20that%20has%20the%20file%20level%20conditional%20access%20policy%20engine.%3CBR%20%2F%3E%3CBR%20%2F%3EPreventing%20from%20going%20to%20a%20URL%20is%20a%20different%20policy%20all%20together.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-301373%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20(require%20compliant%20device)%20not%20working%20with%20Forms%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-301373%22%20slang%3D%22en-US%22%3E%3CP%3EHey%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F869%22%20target%3D%22_blank%22%3E%40Chris%20Webb%3C%2FA%3E%2C%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ethanks%20for%20your%20answer.%20So%20you%20think%20that%20Forms%20does%20not%20work%20at%20all%20with%20Conditional%20Access%3F%26nbsp%3B%3C%2FP%3E%3CP%3EI%20mean%20it%20can%20be%20added%20to%20restrict%20access%20to%20it%20with%20CA%20so%20why%20should%20it%20not%20work%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-301368%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20(require%20compliant%20device)%20not%20working%20with%20Forms%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-301368%22%20slang%3D%22en-US%22%3ETo%20my%20knowledge%20Forms%20doesn't%20have%20any%20security%20or%20compliance%20controls%20surrounding%20the%20product%20other%20than%20GDPR%20removal.%20I%20would%20recommend%20adding%20a%20uservoice%20for%20it%2C%20but%20right%20now%20there%20is%20nothing%20surrounding%20it%20from%20a%20security%20standpoint%2C%20so%20you%20may%20have%20to%20disable%20the%20use%20if%20that's%20a%20red%20flag.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-301352%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20(require%20compliant%20device)%20not%20working%20with%20Forms%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-301352%22%20slang%3D%22en-US%22%3E%3CP%3EHey%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F247948%22%20target%3D%22_blank%22%3E%40boneyfrancis%3C%2FA%3E%2C%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eno%20our%20problem%20is%20the%20exact%20opposite.%20We%20CAN%20open%20and%20download%20Forms%20results%20to%20non%20compliant%20devices%20even%20though%20we%20restrict%20that%20with%20Conditional%20Access.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-301351%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20(require%20compliant%20device)%20not%20working%20with%20Forms%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-301351%22%20slang%3D%22en-US%22%3E%3CP%3EIronically%2C%20in%20your%20scenario%20you%20are%20looking%20to%20force%20the%20issue%20reported%20here%20an%20year%20back%3A%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FMicrosoft-Forms%2FExcel-Spreadsheet-not-opening-to-show-Forms-responses%2Ftd-p%2F106253%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FMicrosoft-Forms%2FExcel-Spreadsheet-not-opening-to-show-Forms-responses%2Ftd-p%2F106253%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

Hi everyone, 

 

I experienced a strange behavior today. We have Azure AD Conditional Access enabled and require a compliant device for full access on all webApps. Meaning we only allow browser based access from every non compliant device including limitations on downloading and saving files on such a device. 

Unfortunately we found that with Microsoft Forms you can download the results of a survey to your client version of Excel and also save it on the local non compliant device. 

 

Can anyone help with that? 

 

5 Replies
Highlighted
Highlighted

Hey @boneyfrancis

 

no our problem is the exact opposite. We CAN open and download Forms results to non compliant devices even though we restrict that with Conditional Access. 

Highlighted
To my knowledge Forms doesn't have any security or compliance controls surrounding the product other than GDPR removal. I would recommend adding a uservoice for it, but right now there is nothing surrounding it from a security standpoint, so you may have to disable the use if that's a red flag.
Highlighted

Hey @Chris Webb

 

thanks for your answer. So you think that Forms does not work at all with Conditional Access? 

I mean it can be added to restrict access to it with CA so why should it not work? 

 

 

Highlighted
Best Response confirmed by Julia Gratzl (New Contributor)
Solution
Because the files are stored inside form.microsoft.com not via sharepoint or onedrive like everything else that has the file level conditional access policy engine.

Preventing from going to a URL is a different policy all together.