Conditional access block outlook desktop The access policy does not allow token issuance. For example, to block access to corporate resources from Chrome OS or other unsupported clients, configure a policy with a Device platforms condition that includes any device, excludes supported device platforms, and sets Grant control to Block access. Ideally anyone on an unmanaged computer should not even be able to open Outlook on the web. Sep 23, 2025 · Learn how to configure Conditional Access policies to target specific resources, actions, and authentication contexts in Microsoft Entra ID. Jan 6, 2022 · For non-compliant workstations, block M365 desktop apps but only allow their corresponding M365 web apps with no option to download any files - This works fine in all the apps (conditional access with an MCAS policy); Outlook on the web, Teams Web, SharePoint online, OneDrive online. Oct 29, 2024 · Conditional Access interprets signals, enforces policies, and determines if a user is granted access to resources. Jul 23, 2024 · Block access with Conditional Access for Unmanaged Devices In today’s digital world, protecting corporate data is crucial. The purpose is to ensure that company resources can only be accessed via secure, compliant, and Entra-joined devices. Conditional Access can block the use of unmanaged devices or non-corporate accounts across Office 365 apps. ) I am testing a conditional access policy with my test user on my test phone. Feb 7, 2024 · How can I restrict users to using Outlook to access emails on both managed and unmanaged devices and prevent them from using IMAP clients (e. Oct 23, 2024 · This tutorial describes the scenario for protecting your organization against downloads of sensitive data by unmanaged devices using Microsoft Entra ID Conditional Access app control. May 21, 2025 · Block Downloads to Unmanaged Devices using Conditional Access and Defender for Apps. 
Apr 3, 2020 · Question: How do I use Conditional Access to enable access to some apps, like Office 365, and block everything else? Organizations that don’t have time for in-depth analysis of which resources they should or shouldn’t block can implement Conditional Access in an ‘allow-list’ configuration, which blocks access to any Azure AD May 16, 2024 · Hello everyone, I tried to create conditional access policy with this scenario : Block user to access office 365 except from browser, and block download any file while accessing office 365 apps on the web I've configured CA policies like the pict… Jul 3, 2023 · I am having a problem customizing a conditional access policy and I am either running into a bug or am doing something wrong. For example, you might choose "All users" or a specific Nov 6, 2023 · My initial attempt, as mentioned in this post how to block the Outlook desktop app while allow them use the Outlook On the Web (OWA), was to block access through a Conditional Access policy. That doesn't seem to stop users from install Outlook, Teams, etc. Conditional access. I also configured two Conditional Access policies. We do app enforced restrictions and conditional access app control. Jun 19, 2024 · "Access has been blocked by Conditional Access policies. As a test, I created the following conditional access policy as shown below and applied it to User1. I managed to block attachment in owa but still have the option to save it to one drive. To do so, you can configure Microsoft Entra Conditional Access policies and device filters as described in this article. Before proceeding with the… Nov 12, 2021 · This conditional policy will block all mobile devices using Android/iOS/Windows Phone that aren’t MDM enrolled within intune from accessing Azure AD resources, but will still allow access through browser sessions. 
Jun 26, 2020 · Limit Access to Outlook Web Access, SharePoint Online and OneDrive using Conditional Access App Enforced Restrictions One of the scenario’s we can build with Conditional Access, is the scenario where we restrict access inside the web application itself. Wouldn't it be great to just simply block the use of personal computers in Microsoft 365? This would mean that access to Microsoft 365 could only be done on company-owned devices that were part of Jan 2, 2023 · Protect Office 365 data with Defender for Cloud Apps custom policies. To achieve your desired outcome, you can create separate conditional access policies for Windows, iOS, and Android devices to enforce the different access requirements. Jan 13, 2020 · What is the best way to block downloading files with sensitive data on to non-domain joined personal desktops using desktop client apps (Outlook, One Drive, Teams). We want to Block any Registered devices and any… Jul 24, 2025 · Calls made by service principals aren't blocked by Conditional Access policies scoped to users. May 19, 2018 · I need to block users using their Outlook desktop application using Azure Conditional Access (Office 365 Exchange Online Mobile apps and desktop clients). This can be used to provide users with access to Outlook on the web, but still protect company data. How do I force Outlook Mobile via Conditional Access? Step 1. Learn more: Apr 24, 2025 · Learn how to restrict attachment downloads in OWA on unmanaged devices using Outlook Web App mailbox policy and Conditional Access. Mozilla Thunderbird) using Conditional Access Policies? Aug 6, 2024 · Hi @James Chan_110 Please have a look at the Conditional Access policy: Create Conditional Access Policy: Under "Security," select "Conditional Access. Oct 5, 2023 · I'm currently working on restricting access for users whose phones are not enrolled in Intune to ensure the protection of corporate data. 
Jul 19, 2025 · Admins can learn how to allow access to new Outlook for Windows while blocking access to Outlook for web (formerly known as Outlook on the web, Outlook Web App, or OWA) using Conditional Access policies in Microsoft Entra ID. It will require that every company-owned device be enrolled in intune and that you block end-user enrolment of devices. com from personal laptops, you can use Conditional Access policies in Azure Active Directory. Haven’t looked at the CA portal in almost a year though. Jun 5, 2018 · I'm testing azure conditional access to create a rule that blocks the use of office 365 cloud and client apps from outside of the office network. , and permits downloading files to the user's personal desktop. on personal devices and using it against company policy. Discover how to restrict Outlook access on Windows devices using Conditional Access policies. Mar 9, 2024 · Is it possible to set up conditional access policies that allow users to install and use Teams specifically on their personal devices? Currently, I'm only able to select the entire suite of Office 365 apps, which unfortunately grants access to install other applications like Outlook, OneDrive, PowerPoint, etc. In windows i have the option to… Jun 17, 2024 · The "applications" in question include the Outlook Web App (not Exchange Online!), SharePoint Online, and by extension, OneDrive, Word Online, Teams, and others. com ,click on Intune on the right side, click on Conditional access. " This will ensure that users can only access Outlook Mobile and not the other Office 365 apps on their mobile devices. Additionally, if you want to block access to other Office 365 apps on mobile devices, you can create separate CA policies for those apps and set the access control to "Block. 
Mar 17, 2025 · We’re in the process of moving to M365 & need to set up Conditional Access to allow users, who are in a specific group, to access the Outlook mobile app (and another secure mail app) from their phones outside of our trusted IPs and block everybody else. We currently have a 12 hour session policy in place for certain apps, and we made sure to exclude Office 365 from this policy, however, it does not seem to work with users accessing the New Outlook. Sep 30, 2020 · Set the conditions and in the end, in the access control, grant access only to Approved Client apps for Exchange Online which will block native mail app and will restrict users to use Outlook only. I am experiencing weird behaviour. The article assumes you might not have access to entitlement management, a feature you can use with Conditional Access. " When I go to Conditional Access tab to find the reason I don't get the list of our policies. It’s easy to create a conditional access that blocks O365 connections from non-domain joined devices, but we only want to stop the activation process while letting web and mobile work. However session policies apply to browser based apps, but not thick clients Jun 26, 2025 · Learn how to set up conditional access policies easily in Microsoft 365 with this step-by-step guide. In Nov 17, 2022 · Hey all, We’re looking for a creative solution to block O365 activation from non-domain joined (aka non-hybrid joined) machines while providing access to mobile apps and web formats. The only caveat is that the mobile app keeps asking to re-enter the password after some idle time, and because O365AVDONLY is active, it prevents the user from signing in. I tried using the quarantine Sep 8, 2025 · Conditional Access is the protection of regulated content in a system by requiring certain criteria to be met before granting access to the content. – Go to Conditional Access Step 2. She is not flagged as risky user and has no risky sign-ins.
Prevent unmanaged devices from downloading or using data. Could you provide guidance on how to achieve this? Jun 1, 2018 · Conditional Access: Restrict access to Exchange Online and only grant access to company enrolled devices using the Outlook app June 1, 2018 by Martin Bengtsson post views: 10,948 Nov 12, 2024 · Use Conditional Access policies to block access to Teams or Outlook unless the device is marked as compliant, thus preventing untrusted devices from downloading data. Is there someone who knows how to achieve the goal? Thanks in advance. I already did something similar before by using app enforced restrictions for Exchange Online and SharePoint Online. Sep 25, 2024 · You can apply Conditional Access Policies in Azure AD to ensure that only corporate accounts can access Outlook. Follow this step-by-step guide to protect data. Nov 3, 2023 · I just want to block Outlook Anywhere ( connectivity feature that users can log in corporate Outlook 2016 account in Outlook desktop application via any external network. However, I'm encountering difficulties in restricting access to the professional inbox in the Outlook App on mobile… Jun 30, 2025 · This tutorial demonstrates how to use Microsoft Intune app protection policies with Microsoft Entra Conditional Access to block access to Exchange Online by users who are using an unmanaged iOS device or an app other than the Outlook mobile app to access Microsoft 365 email. All other users should be able to access mobile emails. For reference, to find May 28, 2025 · Hello, We’re exploring options for managing access to our native mobile suite of applications using Microsoft Intune and wanted to clarify the SDK's capabilities around conditional access and app/browser restrictions. … We currently block personal iOS devices from enrolling in our environment. Conditional Access policies at their simplest are if-then statements. 
Nov 5, 2025 · Explore Conditional Access conditions, including user risk, sign-in risk, and insider risk, to secure your organization's resources with tailored policies. GOAL: The CAP must permit a group of users to access a VDI environment (a Windows virtual desktop), while denying them the… Conditional access is the way. Aug 6, 2021 · I have been asked to see if the following is possible: Allow access to MS teams from anywhere for Voice/Video (we disable chat, file sharing via policy in the MS Teams admin portal) Block access to Exchange Online, SharePoint Online, OneDrive etc. Oct 26, 2023 · Applying any Conditional Access (CA) policy on SharePoint in Microsoft 365 is also applied to Teams. It does work by doing an exception for Office 365 Exchange Online app in the Conditional Access rule. Need: Block access to OWA outside our trusted IPs Block Jan 10, 2020 · This blog shows you how to implement one option for limiting Outlook access to the full desktop client on a PC to corporate owned devices. Nov 25, 2020 · I want to block users access to outlook from Outlook Desktop Application but let them access outlook from Outlook on the web (OWA) to improve security. Nov 12, 2024 · Goal: Block any non-company issued Windows devices from accessing company resources in our Entra environment. Jul 31, 2024 · Any policy can restrict users to access O365 only through the Outlook email client James Chan_110 450 Jul 31, 2024, 10:37 PM Hi All, Any policy can restrict users to access O365 only through the Outlook email client? Thanks. We also need to block access to OWA from any computer not behind our trusted IPs. Hi, We have a conditional access rule that states to access O365/SPO/EXO resources your iOS or Windows device must be enrolled and compliant. Now it seems those restrictions work with the Teams desktop client (cant download/sync/save) but not with the Outlook desktop client (works great for Outlook in the browser). 
In contrast, Conditional Access App Controls utilize Microsoft Defender for Cloud Apps (MDCA). Oct 3, 2024 · We use Outlook as our corporate email service, and we would like to block employees from signing into their personal email accounts (either via web or desktop application). Has anybody been able to figure out how to use Conditional Access rules to allow Teams to be accessed from External networks, but also NOT allow Outlook Desktop clients to connect to EXO from External? I've tried Granting access (with MFA) to only the Teams cloud app, and then blocking all other cloud apps, but Teams logins keep getting caught under the block rule. This is because these users have access to sensitive information about the company. On Windows, we would like to allow OWA from non-enrolled devices. These policies are put in to Report-only mode to start so administrators can determine the impact on existing users. 2 policies. Assign the Policy: Users and Groups: Specify the users or groups to which this policy will apply. But that users can log in Outlook in internal (… Dec 19, 2024 · Administrators can deny access to Office 365 services on any device other than a Cloud PC. In this article, learn about applying Conditional Access policies to external users. I am actually setting up CA policy to block Outlook Desktop App and Web Outlook outside the corporate network due to some security requirement, so i have change my outlook from cached to online mode but still CA is not blocking it. So to mitigate that, I wanted to set up a conditional access rule that would block access for all non-MS apps. Feb 23, 2024 · In this blog, I'll guide you through how to block access with Conditional Access for users working from unmanaged devices. Apr 22, 2024 · To restrict access to corporate Microsoft Office applications like Outlook, Excel, Teams, and SharePoint when users access portal. 
Jul 1, 2024 · We allow users to use the Outlook mobile app on a single unmanaged device but want to restrict them from using web browsers on personal devices to access stuff like our corporate OneDrive, Outlook and various other web apps. However, some organizations want to block access to SharePoint files (upload, download, view, edit, create) yet allow their employees to use Teams desktop, mobile, and web clients on unmanaged devices. Block access to company email by insecure ActiveSync clients as described in following procedures: Mobile devices: To block email access from the following types of mobile devices, create the Conditional Access policy described in Require approved apps or app protection policies Dec 12, 2017 · Like the other reply, you can use Conditional Access to achieve a similar result and block the way apps like MyMail connect, but it won't lock your users' choice down to Outlook only. They are having to re-auth every 12 hours. Conditional access would normally be the way to go as we have done this with things like 3rd 2 days ago · Explore Microsoft Entra Conditional Access, the Zero Trust policy engine that integrates signals to secure access to resources. I received a recent requirement to block access to all Microsoft 365 applications, such as Exchange Online, SharePoint Online, OneDrive, Microsoft Teams, and Microsoft Forms etc. Off the top of my head you would block access to office apps, and exclude managed devices. Feb 15, 2023 · How to block We’ve established that blocking access to data via the installed app doesn’t work, but what about the web apps? For this I configured a Defender for Cloud Apps policy using Conditional Access App Control to block downloads when using the web application. yes. The magic to this method of restricting Outlook access is through AAD Conditional Access policies.
Oct 24, 2023 · Before implementing the “Block access from desktop apps on unmanaged devices” conditional access policy, there are a few things to prepare for: Intune Management: ensure that all of your corporate devices are properly managed with Microsoft Intune; otherwise, many users might be blocked from accessing Microsoft 365 desktop apps. Mar 10, 2025 · I have implemented Conditional Access (CA) policies to block staff from signing into desktop applications on their personal devices. In this blogpost we check out the steps required to block access to webmail through conditional access. Status Quo: Some Users had configured Outlook Mobile on unmanaged (private) Devices in… Feb 15, 2023 · In this blog, I will guide you through the steps on how to configure limited web-only access for unmanaged devices with Conditional Access. Does anyone know how to block users from connecting to exchange 365 using the full outlook client\app remotely while allowing only Outlook web access? Im sure its a conditional access policy (Possibly app policy) but i cant figure out which one to deny fat client and allow web only. By following these steps, you can make sure that users use their Cloud PCs as their primary device. Jul 24, 2025 · Create a Conditional Access policy The following steps help create Conditional Access policies to block access to all apps except for Office 365 if users aren't on a trusted network. Jun 28, 2023 · Hi, Can someone help me to get this resolved, I need to block the attachment download from the Outlook app, If it is possible through Conditional access, please guide me. The problem is that you can use another e-mail application such as Windows 10 Mail to Sep 2, 2020 · So I'm trying to use a conditional access policy to block the Outlook mobile app from working on their device. Sep 14, 2017 · Conditional Access allows administrators to control what Office 365 apps users can gain access to based on if they pass/fail certain conditions. Thank you! 
Mar 4, 2019 · This week is all about using conditional access for blocking downloads. The results of these policies apply when the iOS devices aren't enrolled in a device management solution like Intune. We allow work from home (on a personal PC) with proper approval but have some restrictions in place. Using Conditional access policies with Cloud App Security, we can block file downloads which contains sensitive data by configuring Session policies. How can I effectively block this? Is there a setting within InTune? App Protection Policy doesn't seem to handle this. Oct 21, 2018 · Some companies will block access to Outlook on the web entirely because they don’t want users to be able to download their company data externally. But I just can't seem to do it. conditional access policies coupled with compliance policies. Mar 17, 2025 · Conditional Access policy to block access of outlook and sharepoint from Azure VDI not working. For example, personal Wi-Fi ). This includes the native mail app on the phone, any other mail app on the phone (including Outlook), as well as any browser on the phone. Use Conditional Access for workload identities to define policies that target service principals. Jun 15, 2022 · Discover how Office 365 Conditional Access helps secure remote access and protect Microsoft 365 data. For example, a payroll manager wants to access the payroll application and is required to perform Jul 17, 2023 · JimmySalian-2011 44,721 Jul 17, 2023, 10:19 AM Hi Matt, If you block access from unmanaged device ie: your home device in this case you should not be able to access Office Apps from this PC. The issue we are facing is that employees are logging into the laptop and then using the Outlook desktop application which then syncs and downloads all of their emails. 1 policy Set to block the desktop clients on all machines excluding domain joined and compliant devices. 
May 13, 2025 · Use an OWA Mailbox Policy to Block Attachment Download for the New Outlook for Windows The ConditionalAccessPolicy setting in an OWA mailbox policy can be configured to work with Entra ID conditional access so that OWA blocks access to attachments on unmanaged devices. Oct 4, 2020 · I would like to block mobile access to emails for specific users in my organization. office. Jun 11, 2021 · This process isn’t the same as the mobile device management (MDM) enrollment process, but this record is necessary so the Conditional Access policies can be enforced on the device. Set conditional access policies,” you’ll learn how to control access to your apps and corporate resources using conditional access policies, and how these policies can block legacy authentication methods and control access to SaaS apps. Any Feb 25, 2022 · So this means that on fx an Android devices, a user is restricted in how to access data through MS apps, but has full access through their Chrome browser. – Click New Policy Step 3. Jan 26, 2022 · Hi We have Microsoft 365 Business Premium -licenses. I was wondering whether it is possible to force some users to work via browser only? So that user could not login to Teams Desktop, for example. Learn best practices and secure email access with ease. Allow all, exclude domain joined or compliant devices, but set a session control to block downloads. You can also use Cloud App security (license needed) to control business sanctioned apps. 2nd policy, targeting the browser access. when accessed from outside our corporate IP range. Aug 27, 2025 · Hi Vincent, I have contacted support team as i cant see option of raising support request. The Conditional Access diag doesnt give any further help. Sep 27, 2023 · Conditional Access - Allow access to Teams, but block SharePoint Online We have Conditional Access policies in place that require everyone accessing any of our 365 apps to do so on a compliant device. 
Oct 24, 2023 · If you want to limit access to Outlook for iOS and Android, you need to obtain Microsoft Entra ID P1 or P2 licenses and use the conditional access policies discussed in Block all email apps except Outlook for iOS and Android using conditional access. Apr 30, 2020 · Block Microsoft Outlook on unmanaged Windows 10 Devices so your company data cant get out of your controlled environment. to start with ,go to https://portal. If restricting access May 17, 2019 · Using conditional access you can accomplish (almost) everything you want, security wise. This new feature strikes a middle ground, so users can still access Outlook on the web, but admins can use conditional access to restrict downloads from Outlook on the web […] Dec 3, 2018 · More specifically, about conditional access and enforced restrictions with Outlook on the web for Exchange Online. " Create a New Policy: Click on "New policy" to create a new Conditional Access policy. With the increasing use of personal devices for business, it has become Oct 12, 2022 · Is it possible to prevent the download, copy and paste of data on Windows 10 Unmanaged devices that have the Office 365 Windows Apps installed? I have been able to get this working with the web-based apps but would also like to apply this to the full windows apps. Improve security and control access in your organisation today. Apply Data Loss Prevention (DLP): Use DLP policies to prevent data sharing or downloading within Teams or Outlook by setting restrictions for documents containing sensitive data. I set up a new policy and it's blocking cloud acce Users: All users Cloud apps: All cloud apps (except Intune) Conditions: Device platforms Android and iOS, client apps Mobile apps and desktop clients Grant: Grant access, require App Protection Policy I tried testing it out by adding my account to a test Android phone I have. Jan 30, 2019 · In “Step 4. 
May 20, 2021 · Part of the Azure Active Directory Premium P1 license, with Conditional Access you control the conditions under which a user is granted or blocked access to Azure AD resources. When I first added the account, it did indeed ask for MFA to sign in. That’s good advice if a tenant has the necessary Entra P1 licenses and is willing to accept the loss of browser access to Teams. Jan 11, 2025 · In this blog post, I will show you the steps to block Microsoft 365 apps using Conditional access policy. Apr 18, 2023 · If you uncheck this option, it will block access to all mobile apps, including Outlook on iOS and Android. This tim… Mar 17, 2025 · Hi everyone, I have a question regarding a Conditional Access Policy and the New Outlook. No access is blocked even after enforcing the policy Options selected : Users- A test user Targeted Resources- Gmail, Office 365 exchange online, Office 365… Oct 5, 2018 · If you instead want to block attachments fully (when on a non-compliant device) we also support that! Steps to Configuring Conditional Access / Limited Access for Outlook on the Web To configure Outlook on the web Conditional Access follow these steps: Connect to Exchange Online Remote PowerShell Session Feb 14, 2025 · Hi there, I'm currently evaluating a Conditional Access Policy to block unmanaged and not compliant devices to Exchange Online. How can I properly configure this so users can only access Office 365 through the Azure Virtual Desktop, and the mobile Outlook app? Any help would be appreciated. Additionally, we would like to block access to other email services, such as Gmail, both via web and desktop apps. g. Or that user can not add his/her account to Outlook Desktop etc. If a user wants to access a resource, then they must complete an action. azure. Jul 30, 2025 · New guidance from Microsoft suggests that tenants wanting to block access to OWA while allowing people to use the new Outlook should deploy a conditional access policy.
Apr 10, 2025 · Exchange ActiveSync is a client protocol that synchronizes email and calendar data on desktop and mobile devices. I have tried creating an access policy in the Defender for Cloud Apps under conditional access but it's not currently working. Is it a Conditional Access Nov 3, 2025 · Important Microsoft recommends creating a Conditional Access policy for unsupported device platforms. Mar 30, 2021 · Hello, I have been trying for a few days to correctly enable a Conditional Access Policy that blocks attachment downloads. It would be great if I could block all Microsoft apps that we push to the user from Company Portal (Teams, Office, OneDrive, etc. Sep 24, 2023 · Learn how to block unmanaged devices using conditional access as well as restrict or limit browser access to M365 Apps. The conditional Access policy should block it that this device is not allowed. I think this is because Oct 10, 2017 · To block access to o365 exchange online (not for exchange on-prem) from windows and mac devices using mobile apps and desktop apps like outlook or other apps, we need to create a Conditional Access policy with assignments and access controls. It just says "Not applicable". Apr 17, 2025 · Learn how administrators can block or limit access to SharePoint and OneDrive content on devices that aren't compliant or joined to a domain.