Securing Office 365 with Conditional Access in the new Azure portal

Hello everyone,

I have been getting a lot of requests from my customers on how to use the new Azure Active Directory (AAD) Conditional Access (CA) controls to secure Office 365. The recently announced new conditional access capabilities in the new Azure portal provide more flexible and powerful polices to enable productivity while ensuring security.

For this post, I will provide instructions to allow access to Exchange Online only to trusted platforms. Keep in mind, these instructions can also be used to secure other Office 365 services as well as any 3rd party application integrated with Azure AD.

Scenario

Only allow trusted platforms to have access to Exchange Online. (In this example, the policies will block macOS and allow Android, iOS, Windows Phone, and Windows).

Requirements

IT Admin Walk-through - Creating the Azure Active Directory Conditional Access policies

Go to the new Azure AD Portal and login with a Global Administrator account. Click on "Conditional Access" in the AAD blade.

aad-ca2

Create a new policy and select a user or group of users. In this example, I created a new policy called “EXO Block macOS” and selected NestorW to test my policy.

Select “Office 365 Exchange Online”

exo-block-macos-cloud-app

Select the Conditions to Include “All platforms (including unsupported)”

exo-block-macos-device-include

Click on the “Exclude” tab and select Android, iOS, Windows Phone, and Windows. Click on Done and Done to save the Conditions options.

exo-block-macos-device-exclude

For Client apps, configure the option for Browser and Mobile apps and desktop clients.

exo-block-macos-conditions-client-apps

Lastly, select the controls to Block access. Enable the policy and click on Create.

exo-block-macos-enable

User Experience

First on Safari on Mac OS X, the user can go to portal.office.com and still get access to other O365 apps.

safari-screen-shot-office-portal

Once the user goes to Mail then access will be blocked.

exo-blocked-on-safari

User experience on Microsoft Office 2016 for Mac.  After a successful sign in the end user is prompted with an error message and is blocked.

outlook-macos-login-and-block

That's it! The end user can use Exchange Online on Android, iOS, Windows Phone, and Windows but will be blocked on macOS. I hope this was helpful. In my next post, I will document how IT can build policies to allow users access to Exchange Online using Office 2016 for Mac with MFA enabled. Please reach out to me if you have any questions.

Regards,
Rick Cajudo (Twitter: @rickcajudo)

References