question

0 Votes
09254178 asked sikumars answered

Conditional access: block browser but allow app login

Hi,
We want to use 'App protection policies' to limit access to our data, and not having to manage all of our mobile devices.
But App protection policies only apply to known apps, and not to browser access (afaik) - correct me if I'm wrong. So this means that on, e.g., an Android device, a user is restricted in how to access data through MS apps, but has full access through their Chrome browser.
So to mitigate that, I wanted to set up a conditional access rule that would block access for all non-MS apps. But I just can't seem to do it. I think I need 2 rules, one that allows access to MS apps (with MFA etc), and one that blocks access from non-MS apps.
Can anyone point me in the right direction? Is it even possible, or should it be done in another way?

Tags: mem-intune-application-management, azure-ad-conditional-access

0 Votes
sikumars answered

@09254178 ,

Thanks for sharing your findings here. Could you please "accept your answer as verified", as this would help others in the community who experience a similar problem.

Yes, as you mentioned, when dealing with multi-client app scenarios, you can always create multiple policies to fulfill your requirements, since this approach is commonly used when requiring and blocking web applications but allowing mobile or desktop apps.

Reference: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-conditions#client-apps

Furthermore, instead of including all cloud apps, try using individual Microsoft cloud applications in the app section (such as Office 365, which includes multiple related child apps or services), because when including all cloud apps, this policy impacts complete access in the browser, including the Azure portal.

In case you have no other option than including 'All cloud apps', make sure you have set up emergency access accounts in Azure AD to prevent yourself from being accidentally locked out of your Azure Active Directory (Azure AD). To learn more, refer to How to manage emergency access accounts in Azure AD.

Hope this helps.


0 Votes
EswarKoneti-MVP answered 09254178 commented

The required client apps list for conditional access is given here: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant#require-approved-client-app
Microsoft Edge browser is one of the approved apps to which you can apply the CA policy.
For non-approved apps, if they try to connect to O365 for authentication, the CA policy will block them because of the unapproved client app.
There is no way to make a custom app an approved client app for now; it is only the Microsoft apps.

Thanks,
Eswar
www.eskonr.com


Hi,
Are you saying that if I create a CA rule to enforce MFA for approved MS apps, then other apps (non-MS, like Chrome) will be blocked? That is not what I see happening. I thought you should have a specific CA rule to say: non-MS apps are blocked. And that is what I can't seem to get working.
Per.

0 Votes

1 Vote
09254178 answered

Thanks Eswar for your reply. It didn't really address my question exactly, but it sent me in the right direction.
My question was how to block for browser access and allow app access (since app behaviour can be managed with an app protection policy).

I have found that the answer is easy, you just have to understand the meanings of the definitions when setting up CA.

2 rules are needed:
- 1 to allow access to apps. Under conditions -> Client apps, include 'Mobile apps and desktop clients'. Then under Grant -> select 'Grant access' and choose MFA and what you need.
- Then add another Conditional Access rule to block access. Under Conditions -> Client apps, include 'Browser' (and Legacy apps). Then under Grant -> choose Block.
- Both rules need to include 'All cloud apps'. That's what confused me, because it didn't seem obvious to me that it should be included when I wanted to restrict access to cloud apps. But I guess it makes sense...

That's all that is needed, quite easy. Now OWA and portal.office.com access is disallowed, but access through the official apps is allowed.

Hope it can help others.
Regards, Per.
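The two policies from the accepted answer, written out as Microsoft Graph `conditionalAccessPolicy`-shaped dictionaries (the same shape you would POST to `/identity/conditionalAccess/policies`), together with a small evaluator that shows how they combine for a sign-in. This is an added example, not code from the thread or from Microsoft; the evaluator is a deliberately simplified model of Conditional Access evaluation (block from any applicable policy wins, otherwise the grant controls of all applicable policies are required), and `OTHER_APP_ID` is a constructed placeholder. It also shows the caveat from the earlier answer: if the block policy is scoped to `Office365` instead of `All`, a browser sign-in to any other app is no longer blocked.

```python
"""Model of the 'allow apps / block browser' Conditional Access pair.

Added example (not the thread's or Microsoft's code). The dictionaries follow
the Microsoft Graph conditionalAccessPolicy shape; evaluate() is a simplified
model of how Azure AD combines policies (assumption, not the real engine).
"""
import copy
import json

# Graph clientAppTypes values. "exchangeActiveSync" and "other" are what the
# portal groups under "Legacy authentication clients".
LEGACY_CLIENTS = ["exchangeActiveSync", "other"]

# Constructed placeholder app id for "some other cloud app", e.g. a portal
# that is not part of the Office 365 app group.
OTHER_APP_ID = "00000000-0000-0000-0000-0000000000ff"

# Policy 1 from the answer: mobile/desktop clients may sign in, but must satisfy
# MFA and (as a sensible addition) an app protection policy.
ALLOW_APPS = {
    "displayName": "Allow mobile and desktop clients with MFA",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["mobileAppsAndDesktopClients"],
    },
    "grantControls": {
        "operator": "AND",
        "builtInControls": ["mfa", "compliantApplication"],
    },
}

# Policy 2 from the answer: browser and legacy clients are blocked outright.
BLOCK_BROWSER = {
    "displayName": "Block browser and legacy clients",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["browser"] + LEGACY_CLIENTS,
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}


def scope_to_apps(policy, app_ids):
    """Return a copy of policy whose application scope is narrowed to app_ids."""
    narrowed = copy.deepcopy(policy)
    narrowed["conditions"]["applications"]["includeApplications"] = list(app_ids)
    return narrowed


def policy_applies(policy, client_app_type, app_id):
    """True if an enabled policy's app scope and client-app condition match."""
    if policy["state"] != "enabled":
        return False
    cond = policy["conditions"]
    apps = cond["applications"]["includeApplications"]
    if "All" not in apps and app_id not in apps:
        return False
    types = cond["clientAppTypes"]
    return "all" in types or client_app_type in types


def evaluate(policies, client_app_type, app_id):
    """Simplified combination of policies for one sign-in.

    Returns ("block", None) if any applicable policy blocks, otherwise
    ("require", frozenset(controls)) with the union of grant controls, or
    ("allow", None) when no policy applies.
    """
    required = set()
    for policy in policies:
        if not policy_applies(policy, client_app_type, app_id):
            continue
        controls = policy["grantControls"]["builtInControls"]
        if "block" in controls:
            return ("block", None)  # block takes precedence over any grant
        required.update(controls)
    return ("require", frozenset(required)) if required else ("allow", None)


if __name__ == "__main__":
    pair = [ALLOW_APPS, BLOCK_BROWSER]
    for client in ["browser", "mobileAppsAndDesktopClients", "exchangeActiveSync"]:
        print(client, "->", evaluate(pair, client, "Office365"))
    # The caveat: narrowing the block policy leaves other apps reachable in a browser.
    narrowed = [ALLOW_APPS, scope_to_apps(BLOCK_BROWSER, ["Office365"])]
    print("browser to other app, narrowed scope ->", evaluate(narrowed, "browser", OTHER_APP_ID))
    print(json.dumps(BLOCK_BROWSER, indent=2))
```

The `json.dumps` line at the end prints the request body in the form the Graph API expects; in practice you would create the allow policy first (or both in report-only mode) and confirm sign-in logs show the intended outcome before enabling the block policy, since with `All` in scope it also covers browser access to the Azure portal.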