Limit Office 365 access to work provided devices

Copper Contributor

We are a small not-for-profit organisation with a Microsoft 365 Business Basic subscription.

 

Our users currently use Windows 10 Professional devices joined to an on-premises Windows Server 2016 domain, running Microsoft 365 for email and Office 2013 for office apps.

 

Currently they use Outlook 2013 to access their email and the mail profile contains their username and password.  They just start Outlook and are logged in automatically.

 

Looking for suggestions as to how we can enforce users can only login to Microsoft 365 using a work provided device to login via a browser to Microsoft 365.

 

One possible method would be to have the Office 365 login credentials stored in a file created by Powershell using Get-Credential, however I cannot find a way to get a browser session to use a credential file to authenticate login to Microsoft 365.

 

Thanks in advance

Nigel

 

7 Replies

@Kayak2 

 

Hi, the features you are looking for are not included within Microsoft 365 Business Basic I'm afraid.   You would need Device Based Conditional Access which comes with Intune and Azure AD Premium P1 to achieve this.

@Kayak2 You can also have a look at Microsoft 365 Business Standard that includes built-in MDM capabilities.

https://support.microsoft.com/en-ie/office/capabilities-of-built-in-mobile-device-management-for-mic...

 

I noticed that you're using Outlook 2013 so a heads up that Office 2013 clients connections to commercial Office 365 services will not be supported after October 13, 2020.

 

"Microsoft will not take any active measures to block older Office clients, such as Office 2013 and Office 2010, from connecting to Office 365 services. However, legacy clients attempting to connect to a modern, always up- to- date cloud service may experience performance and reliability issues. Customers will face an increased security risk, and may find themselves out of compliance depending on specific regional or industry requirements."

@ChristianBergstrom 

 

The built in MDM is decent but has far less capabilities, and as per the link you have provided for this;

 

** Access control for Windows 10 requires a subscription that includes Azure AD Premium and the device needs to be joined to Azure Active Directory.

@PeterRising Hello, I know you cannot compare it with Intune, but a "small non-profit org" maybe want have a look at some of the options available at least. But fair enough regarding the W10 devices ;)

@ChristianBergstrom 

 

Oh definitely worth mentioning it.  Good shout.  :smile:

@PeterRising It looks like our best option might be upgrading to Microsoft Business Premium which is about to get Azure Active Directory Premium P1 see this announcement

 

@Kayak2 

 

Yes I agree, this would be a good option for you.