I'm exploring how to create a conditional access policy that restricts email access to only trusted locations but allows Teams access on mobile devices. The goal is to block email on mobile devices entirely, as leadership prefers that emails are only answered from managed computers on-site. My ideal scenario is this: when employees are on-site, they should be able to access email from a managed computer and use Teams on their phones if they're connected to the BYOD network. However, if they are off the network, they should have no access at all. From my research, it seems like this setup might not be feasible anymore due to how Microsoft has integrated the 365 suite into one resource. I could have sworn this was possible before! The reason for allowing Teams on mobile is for communication and meetings. I'm open to any ideas or suggestions. If it's truly an all-or-nothing situation, then I suppose that's the way it has to be, but we need to ensure we're restricting access to prevent unauthorized work after hours. Thanks in advance for any help!
5 Answers
Could you set up a Named Location of 0.0.0.0/0 to block everything and then create an exception for your office IP? That could help manage access.
You might still be able to manage applications individually. It can be a bit tricky to find the right GUIDs since the search function isn't very reliable unless you know the exact name of the app. Check out the enterprise apps section in the Entra admin portal; you can filter by Microsoft apps to get the GUIDs. Just keep in mind that conditional access policies aren't meant to be your first line of defense since they don't activate until strong authentication is required. Also, make sure to combine your location settings with other conditions, like compliant devices.
Have you thought about using an app protection policy instead? At least with that, you could enforce security controls on BYOD devices and even wipe company data from Outlook if someone leaves. Honestly, it seems a bit strange for management to ask for this, as it doesn’t really consider the user experience.
You're spot on—M365 services are now bundled together, so unfortunately, you can't control them separately anymore.
Heads up, Teams is not just a single service; it's built on several different services like Skype for Business for messaging and Exchange Online for calendars. So, if you're trying to allow access to Teams while blocking other services, it can get pretty complicated. It might be worth stepping back and reassessing what security risks you're actually looking to mitigate with this control.
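As an added example (not code from the thread), here is what the approach in the first two answers looks like in Microsoft Graph PowerShell: one trusted named location for the office egress, one untrusted named location for the BYOD Wi-Fi, and per-application policies that target Exchange Online and Teams by their well-known first-party application IDs rather than the bundled "Office 365" app. The address ranges, the pilot group object ID and the policy names are placeholders to replace; the two application IDs are the well-known IDs for Exchange Online and Microsoft Teams.

```powershell
# Added example, not from the original thread. Requires the Microsoft.Graph
# PowerShell SDK (Microsoft.Graph.Identity.SignIns). Placeholders are marked.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Assumption: placeholder ranges (RFC 5737 documentation addresses) and a placeholder
# pilot group; replace with your real office egress, BYOD egress and group object ID.
$officeCidr   = "203.0.113.0/24"     # managed on-site workstations
$byodWifiCidr = "198.51.100.0/24"    # BYOD Wi-Fi egress
$pilotGroupId = "<object-id-of-pilot-group>"

# Well-known first-party application IDs used when targeting apps in Conditional Access.
$exchangeOnlineAppId = "00000002-0000-0ff1-ce00-000000000000"
$teamsAppId          = "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe"

# Helper (added here, not part of the SDK): create an IPv4 named location and return it.
function New-IpNamedLocation {
    param([string]$Name, [string]$Cidr, [bool]$Trusted)
    New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
        "@odata.type" = "#microsoft.graph.ipNamedLocation"
        displayName   = $Name
        isTrusted     = $Trusted
        ipRanges      = @(@{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $Cidr })
    }
}

$office = New-IpNamedLocation -Name "HQ office egress" -Cidr $officeCidr   -Trusted $true
$byod   = New-IpNamedLocation -Name "HQ BYOD Wi-Fi"    -Cidr $byodWifiCidr -Trusted $false

# Policy 1: block Exchange Online from every location except the office.
# "All" plus an exclusion is the named-location equivalent of the 0.0.0.0/0 idea above.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CA001 Block Exchange Online outside office"
    state         = "enabledForReportingButNotEnforced"   # report-only until sign-in logs look right
    conditions    = @{
        users        = @{ includeGroups = @($pilotGroupId) }
        applications = @{ includeApplications = @($exchangeOnlineAppId) }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($office.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 2: even from the office, Exchange Online requires a compliant (managed) device,
# so a personal phone on the office Wi-Fi still cannot reach mail.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CA002 Exchange Online requires compliant device"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeGroups = @($pilotGroupId) }
        applications = @{ includeApplications = @($exchangeOnlineAppId) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}

# Policy 3: block Teams from everywhere except the office and the BYOD Wi-Fi.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CA003 Block Teams outside office networks"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeGroups = @($pilotGroupId) }
        applications = @{ includeApplications = @($teamsAppId) }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($office.Id, $byod.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
```

All three policies are created in report-only mode and scoped to a pilot group; check the Conditional Access tab of the sign-in logs before switching to enabled, and exclude your break-glass accounts before you do. Note also the caveat in the last answer: Teams pulls calendar data from Exchange Online, so test what a mobile Teams client on the BYOD Wi-Fi can still do once the Exchange policy is enforced.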
