Conditional Access - app enforced restrictions. Compliance with Hybrid Join or Compliant devices.
In this post I take a look at App enforced restrictions within conditional access.
Below is an example of typical corporate requirements which aim to keep your company's data within the company and stop it ending up on users' personal devices.
Current Setup
Hybrid Join is set up for corporate laptops
(for details on Hybrid join setup)
Most machines are managed through SCCM; some are set up through Intune.
I've included Macs in this policy as Jamf is in use, passing compliance to Intune. For details of how to set this up I have a guide below. You can exclude Macs if not needed, using the policy exclusion settings listed later on.
Corporate requirements example
- BYOD / personal Windows PCs and Macs must not be able to use Office apps or other desktop apps to connect to Exchange / OneDrive / SharePoint; users on these devices must use a browser.
- The browser session on BYOD / personal PCs and Macs must have additional restrictions to block downloads; users can still save data to the company's OneDrive.
- Corporate PCs and Macs should continue to work as normal, with full access through both Office applications and the browser.
- (Optional) Finally, the company already has MAM applied to Android and iOS devices; these devices still need to continue using MAM without enrollment.
Minimum Requirements
You will need Microsoft EMS E3 for each user you want to apply these rules to (you do not need E5).
Configuration
Given the corporate requirements above, the basic aim is for non-corporate PCs and Macs to use a browser to access corporate data, and for corporate data not to be downloadable through that browser. Below is the config.
WARNING — WARNING — WARNING
The following setting within the SharePoint admin center will turn the restriction on for the whole organisation, so prepare to unscope it from all users and scope it to the users you want.
(This change will raise a few eyebrows in change control.)
I'm currently raising a UserVoice for this, as I believe Microsoft should not scope to all users and then wait for the admin to unscope it if needed.
Anyway, here are the settings.
I’ll start with
Sharepoint
1. Go to Office365.com and click Admin
2. Go to SharePoint
3. Go to Access control > Unmanaged devices and choose Allow limited, web-only access
NOTE THE WARNING MENTIONED EARLIER: THE MOMENT YOU TURN THIS ON, 2 CONDITIONAL ACCESS POLICIES SCOPED TO ALL USERS WILL BE GENERATED AND TURNED ON. THESE BLOCK ANY ACCESS EXCEPT WEB ACCESS UNLESS THE DEVICE IS HYBRID JOINED OR COMPLIANT.
So now we are going to immediately alter these policies to suit our requirements.
4. Go to Azure Active Directory > Conditional Access; here you will find the 2 auto-generated policies.
They will be named [Sharepoint Admin center
5. Because, as you will see in the next step, these are scoped to all users, you can either disable these policies until you are happy with the settings, or change the scope of users or devices.
So in my example I'll remove All users and scope to a group.
Do this to both policies unless you are happy with this applying to everyone.
(This is the UserVoice I'll raise, as I believe a better way would be for these policies to be created but not enabled, with MS Docs then showing a second step to enable the policy and scope it to users.)
6. Further changes to your policies
I have changed the auto-created SharePoint browser access policy to exclude Hybrid joined or compliant devices, so they are not stopped from full browser access.
Change Conditions > Device state > Configure to Yes.
In Exclude, tick Device Hybrid Azure AD joined and Device marked as compliant, as I want corporate devices to still have full access.
This is now the browser policy complete.
7. In the Managed Apps policy I have excluded iOS and Android, as I have these covered separately in a MAM policy (it is up to you to decide which device types to apply this to).
Exchange online / Office365
Exchange has a similar feature to SharePoint where you can put OWA in read-only mode. Strangely, unlike SharePoint, setting this doesn't affect any users by itself; it only takes effect once you create Conditional Access policies. Here's what you need to do.
1. Open PowerShell and connect to Exchange Online
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
You will be prompted to log in; use a Global Admin or Exchange admin username and password.
Import-PSSession $Session -DisableNameChecking
If you now run Get-OwaMailboxPolicy
the ConditionalAccessPolicy is set to Off.
Now run
Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -ConditionalAccessPolicy ReadOnly
If we now run
Get-OwaMailboxPolicy
we see that it is now set to ReadOnly.
As stated above, unlike SharePoint there is no rushing to change Conditional Access, as this creates no CA policies and has no effect until you create CA policies.
2. Now to set up CA policies for Exchange Online / Office 365
I've set 2 policies.
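The post sets ReadOnly on the tenant's Default OWA policy. The conclusion mentions that separate OWA policies can be created for different groups of users; the following added example (not code from the original post) does exactly that, so only a pilot group is restricted while Default stays at Off. It assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline) is installed and that a distribution group named CA-Pilot-Users exists (placeholder name).

```powershell
# Added example: group-scoped OWA read-only policy instead of changing Default.
# Assumes the ExchangeOnlineManagement module; "CA-Pilot-Users" is a placeholder group.
Connect-ExchangeOnline   # prompts for a Global Admin or Exchange admin sign-in

$PolicyName = 'OwaMailboxPolicy-AppRestrictions'
$PilotGroup = 'CA-Pilot-Users'   # placeholder distribution group

# Create the dedicated policy only if it does not already exist, then set read-only mode.
# Valid ConditionalAccessPolicy values: Off, ReadOnly, ReadOnlyPlusAttachmentsBlocked.
if (-not (Get-OwaMailboxPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-OwaMailboxPolicy -Name $PolicyName | Out-Null
}
Set-OwaMailboxPolicy -Identity $PolicyName -ConditionalAccessPolicy ReadOnly

# Assign the policy to the pilot group's mailboxes only; Default is left untouched.
Get-DistributionGroupMember -Identity $PilotGroup -ResultSize Unlimited |
    Where-Object { $_.RecipientTypeDetails -eq 'UserMailbox' } |
    ForEach-Object {
        Set-CASMailbox -Identity $_.PrimarySmtpAddress -OwaMailboxPolicy $PolicyName
    }

# Verify: Default should still show Off, the new policy ReadOnly, and only pilot
# mailboxes should carry the new policy.
Get-OwaMailboxPolicy | Select-Object Name, ConditionalAccessPolicy
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.OwaMailboxPolicy -eq $PolicyName } |
    Select-Object Name, OwaMailboxPolicy
```

The read-only behaviour still only takes effect for sign-ins matched by a Conditional Access policy with the app enforced restrictions session control, exactly as the post describes for the Default policy.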
Policy 1: App policy for Exchange
Cloud apps: Office 365 Exchange Online
Device platforms: exclude iOS and Android (again, up to your preference)
Client apps: Mobile apps and desktop clients (modern auth) and Other clients
Grant: require one of Hybrid Azure AD joined device or device marked as compliant
Session: Use app enforced restrictions
Policy 2: Browser access
Conditions > Client apps: Browser
Conditions > Device state: exclude Hybrid Azure AD joined or compliant
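The two Exchange policies above as an added example (not code from the original post), expressed with Microsoft Graph PowerShell and created scoped to a pilot group in report-only state, which avoids the all-users problem the post warns about. It assumes the Microsoft.Graph.Identity.SignIns module, uses a placeholder group id, replaces the old Device state condition with a device filter (its current equivalent), and gives the browser policy the app enforced restrictions session control that the read-only behaviour relies on.

```powershell
# Added example: the post's two Exchange policies via Microsoft Graph PowerShell.
# Assumes Microsoft.Graph.Identity.SignIns; the pilot group object id is a placeholder.
Connect-MgGraph -Scopes 'Policy.Read.All','Policy.ReadWrite.ConditionalAccess'

$PilotGroupId  = '00000000-0000-0000-0000-000000000000'   # placeholder group object id
$ExchangeAppId = '00000002-0000-0ff1-ce00-000000000000'   # Office 365 Exchange Online
# Device filter replacing the Device state condition: leave corporate devices out.
$CorporateDeviceFilter = @{
    mode = 'exclude'
    rule = 'device.trustType -eq "ServerAD" -or device.isCompliant -eq True'
}

# Policy 1: non-browser clients must come from a hybrid joined or compliant device.
$AppPolicy = @{
    displayName = 'Exchange - apps require hybrid joined or compliant device'
    state       = 'enabledForReportingButNotEnforced'   # report-only until sign-in logs look right
    conditions  = @{
        users          = @{ includeGroups = @($PilotGroupId) }
        applications   = @{ includeApplications = @($ExchangeAppId) }
        platforms      = @{ includePlatforms = @('all'); excludePlatforms = @('iOS','android') }
        clientAppTypes = @('mobileAppsAndDesktopClients','other')
    }
    grantControls   = @{ operator = 'OR'; builtInControls = @('compliantDevice','domainJoinedDevice') }
    sessionControls = @{ applicationEnforcedRestrictions = @{ isEnabled = $true } }
}

# Policy 2: browser access from any other device is allowed, but the session control
# tells Exchange to apply the OWA read-only mode set with Set-OwaMailboxPolicy.
$BrowserPolicy = @{
    displayName = 'Exchange - browser access on unmanaged device is read-only'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($PilotGroupId) }
        applications   = @{ includeApplications = @($ExchangeAppId) }
        clientAppTypes = @('browser')
        devices        = @{ deviceFilter = $CorporateDeviceFilter }
    }
    sessionControls = @{ applicationEnforcedRestrictions = @{ isEnabled = $true } }
}

foreach ($Policy in @($AppPolicy, $BrowserPolicy)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $Policy |
        Select-Object DisplayName, State, Id
}
```

Switch state to 'enabled' only after the report-only results in the sign-in logs show corporate devices passing and personal devices being restricted as intended.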
Summing up what we have done
Browser access
You have a Hybrid domain joined device and access Exchange Online: you work as you have always worked, there are no restrictions.
You have a personal device and access your mail: you can read your mail with a browser.
However, you will notice you cannot download attachments, and in SharePoint you cannot download files.
Office 365 via browser on a personal device not enrolled or Hybrid joined
SharePoint via browser on a personal device not enrolled or Hybrid joined
App Access
You have a Hybrid domain joined device and access Outlook through the app or browser: you work as you have always worked, there are no restrictions.
SharePoint or Office 365 via a personal device not enrolled or Hybrid joined
An example of trying to set up Outlook on a non-enrolled device
In conclusion
App enforced restrictions work really well for the majority of use cases I see, with most companies wanting to keep their data within the organisation.
You may want to alter the policies and vary them from my examples. There are further PowerShell options for Set-OwaMailboxPolicy, including creating separate policies for different groups of users, and you can also scope the SharePoint restriction to only certain SharePoint sites using PowerShell.
Links
Exchange / Office365
Sharepoint