Prevent access to personal accounts from Office 365

Matt Pollock 246

Hello,

I have been given the task of researching and implementing restrictions within our organization, specifically regarding user access to personal accounts and services from within the Office 365 app suite.

For example, by default, there appears to be no restrictions within any Office application that prevents users adding services and accounts from non-corporate Microsoft accounts (Outlook.com, OneDrive, Dropbox, Gmail etc )

I need to understand if/how any restrictions/policies can be created applied at an organization level, and which Microsoft admin centres they need to be applied in.

Example scenarios:

Users can connect personal email accounts and storage services within OWA and Outlook.

Users can connect personal OneDrive service within corporate apps - Teams, Sharepoint, Word, Excel etc.

This poses a data loss issue if users are able to connect to personal accounts and copy data between corporate and personal services.

Ideally I would like to think there is a way to preventing access to personal email and storage accounts from within corporate Office apps at source - ie deny access, rather than allow users to connect and prevent data loss using file type policies and DLP rules for example.

I realise this is a big topic, with many different MS services potentially forming part of a solution.

Any ideas or advice on where to start with navigating this would be apreciated?

Note - We are licensed using Office 365 E3 and EMS E5, so do not have access to all Purview features, and potentially other related services as far as I understand.

JimmySalian-2011 42,071 Reputation points

2023-07-17T15:00:47.6366667+00:00

Hi Matt,

Basically you can start with Intune and Conditional Access policies to lockdown the apps, with the licenses you have it is possible few links you can start is - https://video2.skills-academy.com/en-us/mem/intune/protect/app-based-conditional-access-intune

https://video2.skills-academy.com/en-us/mem/intune/protect/app-based-conditional-access-intune-create

For Mobile devices - https://video2.skills-academy.com/en-us/mem/intune/apps/app-protection-policies

Important - How to control access from unmanaged devices - https://video2.skills-academy.com/en-us/sharepoint/control-access-from-unmanaged-devices

Hope this helps.

JS

==

Please Accept the answer if the information helped you. This will help us and others in the community as well.
Matt Pollock 246 Reputation points

2023-07-17T15:57:50.1166667+00:00

H Jimmy,

Many thanks for the reply and the suggestions - very useful.

I've just set up followed the setup procedure for the third link "Important - How to control access from unmanaged devices", and started testing with a corporate test account on my home pc.

If I login as the test user to the M365 profile page I am greeted with a "Your org doesn't allow you to download, print, sync etc..." banner on the OneDrive home page - great, seems to be working.

If I then send the test account an email with an attachment, the test account is still able to download the attachment, save it to OneDrive, print etc it via OWA. There are no restrictions.

Are there additional policies that need to be setup for this?

Thanks
JimmySalian-2011 42,071 Reputation points

2023-07-17T17:19:19.4033333+00:00

Hi Matt,

If you block access from unmanaged device ie: your home device in this case you should not be able to access Office Apps from this PC. The conditional Access policy should block it that this device is not allowed. Device compliance policy via CA should be implemented - https://video2.skills-academy.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-compliant-device
Matt Pollock 246 Reputation points

2023-07-18T09:15:34.2366667+00:00
Hi Jimmy,

Just to clarify the current status surrounding access:

the newly added Sharepoint CA policies are set to "Allow limited, web only access"

there is already a CA policy in place to control access to all cloud apps from devices that have IP addresses outside of the corporate range. The allowed ranges have been defined as exclusions in the policy. The policy allows access to non-corporate devices, but requires MFA to access any cloud apps.

This is working, however I can't see an obvious way to build on this policy which would only grant limited web only access in the same way as the Sharepoint policies do.

I guess what I'm asking is, are there separate policies that need to be created ( in Exchange EAC, Teams Admin Centre et al) to allow limited access to apps such as Teams, OWA, Outlook, Excel, Word etc in the same way that the Sharepoint polices have been created?

What I want to do is prevent users downloading/printing/sharing data from within Office 365 services when using non-registered devices (Windows/MacOS at this point).
This would be in addition to the original query, which was to prevent users adding personal services to their corporate O365 apps.

Both requirements to me, would appear to be two sides of the same coin from a logical perspective.

Thanks

1 answer

Matt Pollock 246 Reputation points

2023-07-25T19:53:35.38+00:00

Just to update this topic, I was able to achieve the objectives listed in the original question by amending:

-default OWA policy -

ConditionalAccessPolicy : ReadOnlyPlusAttachmentsBlocked

PersonalAccountCalendarsEnabled : False

AdditionalStorageProvidersAvailable : False

PersonalAccountsEnabled : False

-Sharepoint - limited access for unmanaged devices

-Amended conditional access policy in Azure - Use app enforced restriction
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Share via

Prevent access to personal accounts from Office 365

1 answer