How to Block Microsoft 365 Apps Using Conditional Access Policy

Create and configure Microsoft Entra Conditional Access policies to block unauthorized access to Microsoft 365 applications from unmanaged or BYOD devices, securing your organization's cloud environment.

March 26, 2026 15 min

Why Block Microsoft 365 Access from Unmanaged Devices?

Unmanaged devices represent one of the most significant security risks in modern organizations. These devices—whether personal smartphones, home computers, or BYOD tablets—lack the security controls, compliance monitoring, and management oversight that corporate-managed devices provide. When employees access Microsoft 365 applications from these devices, they potentially expose sensitive corporate data to malware, data theft, and compliance violations.

Microsoft Entra Conditional Access policies provide a powerful Zero Trust approach to this challenge. By implementing device-based access controls, you can ensure that only compliant, managed devices can access your organization's Microsoft 365 environment. This tutorial walks you through creating comprehensive Conditional Access policies that block unauthorized device access while maintaining productivity for legitimate users.

What Changes Are Coming to Conditional Access in 2026?

Microsoft is rolling out a Conditional Access enforcement change between March and June 2026. Until now, sign-ins that requested only basic directory scopes (such as email, offline_access, and openid) were not evaluated against some policies that rely on resource exclusions. Once the change reaches your tenant, those sign-ins are evaluated like any other, so policies that require MFA or block access may fire where they previously did not.

This change strengthens security but requires careful policy review. Organizations should audit their existing policies and test the impact on applications that previously bypassed certain controls. The timing makes this tutorial particularly relevant—you'll learn to create robust policies that work effectively with these enhanced enforcement mechanisms.

How Does Microsoft Entra Conditional Access Protect Your Organization?

Conditional Access acts as the policy engine for Zero Trust security, evaluating multiple signals before granting access to resources. These signals include user identity, device compliance status, location, application being accessed, and real-time risk assessment. When a user attempts to access Microsoft 365 from an unmanaged device, the policy engine can detect this condition and automatically block access or require additional authentication steps.

The policies you'll create in this tutorial specifically target the most common attack vectors: unmanaged devices using modern authentication and legacy authentication protocols. By blocking these access paths, you significantly reduce your organization's attack surface while maintaining seamless access for users on managed, compliant devices.

Implementation Guide

Full Procedure

01

Access Microsoft Entra Admin Center and Navigate to Conditional Access

Start by signing into the Microsoft Entra admin center with your administrative credentials. This is where you'll create and manage all Conditional Access policies.

Open your web browser and navigate to https://entra.microsoft.com. Sign in using an account with Global Administrator, Security Administrator, or Conditional Access Administrator permissions.

Once logged in, navigate to the Conditional Access section:

  1. In the left navigation pane, expand Protection
  2. Click on Conditional Access

Alternatively, from the Microsoft 365 admin center go to Admin centers > Identity, which opens the Entra admin center, and then to Protection > Conditional Access.

Pro tip: Bookmark the direct URL https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Policies for quick access to your Conditional Access policies.

Verification: You should see the Conditional Access overview page with any existing policies listed. The interface will show options to create new policies and manage existing ones.

02

Create a New Conditional Access Policy

Now you'll create a new policy specifically designed to block Microsoft 365 access from unmanaged devices. This policy will serve as your primary defense against unauthorized device access.

In the Conditional Access dashboard:

  1. Click New policy at the top of the page
  2. In the Name field, enter a descriptive name: Block M365 Apps from Unmanaged Devices

The policy name should be clear and descriptive so other administrators understand its purpose at a glance.

Warning: Always use descriptive policy names. Generic names like "Policy 1" or "Test Policy" can lead to confusion and accidental modifications in production environments.

Leave the policy in the default state for now - we'll configure all settings before enabling it.

Verification: You should see a new policy creation page with sections for Assignments, Conditions, and Access controls. The policy name should appear at the top of the configuration page.

03

Configure User and Group Assignments

Configure which users and groups this policy will apply to. For maximum security, you'll typically want to apply this to all users while excluding emergency access accounts.

In the Assignments section, click on Users and groups:

  1. Under Include, select All users
  2. Under Exclude, click Select excluded users and groups
  3. Add your emergency access (break-glass) accounts. Exclude service accounts only where there is a documented business need; every exclusion is a path around the control, so keep the list short and review it regularly
  4. Click Select to confirm your exclusions

Emergency access accounts are critical for maintaining access during policy conflicts or misconfigurations.

Pro tip: Create a dedicated security group called "CA-Emergency-Access" containing your break-glass accounts. This makes it easier to manage exclusions across multiple policies.

For initial testing, consider creating a pilot group with a few test users instead of applying to all users immediately.

Verification: The Users and groups section should show "All users" under Include and your emergency accounts under Exclude. The summary should display the total number of included and excluded users.

04

Select Target Microsoft 365 Applications

Configure which cloud applications this policy will protect. You'll target the Microsoft 365 suite of applications that users typically access from various devices.

In the Assignments section, click on Target resources:

  1. Ensure Cloud apps is selected
  2. Under Include, choose Select apps
  3. Click Select to open the application picker
  4. Search for and select Office 365 (this covers the entire Microsoft 365 suite)
  5. Alternatively, you can select individual apps like Microsoft Teams, SharePoint Online, Exchange Online, etc.
  6. Click Select to confirm your choices

The Office 365 selection is recommended as it provides comprehensive coverage of all Microsoft 365 applications with a single selection.

Warning: Be careful when selecting All resources (formerly "All cloud apps"), as this includes every application registered in the tenant, not just Microsoft 365, and can break access to other business applications.

Verification: The Target resources section should display "Office 365" or your selected individual applications. You can click on the selection to verify which specific applications are included.

05

Configure Device and Client App Conditions

Set up the conditions that will trigger this policy. You'll configure device platforms and client applications to specifically target unmanaged device scenarios.

In the Conditions section, configure the following:

Device platforms:

  1. Click on Device platforms and set Configure to Yes
  2. Under Include, select Any device or choose specific platforms like Windows, iOS, Android

Platform detection is based on the client's user agent string, which an attacker can spoof, so treat this condition as scoping only; the device filter in the next step is what actually distinguishes managed from unmanaged devices.

Client apps:

  1. Click on Client apps and set Configure to Yes
  2. Under Modern authentication clients, check Mobile apps and desktop clients to target native applications
  3. Optionally leave Browser unchecked if you want to allow web access from unmanaged devices; be aware that this leaves browser access to Exchange Online and SharePoint Online open from those devices
  4. Under Legacy authentication clients, check both Exchange ActiveSync clients and Other clients to block older protocols such as IMAP, POP, and SMTP AUTH

Legacy authentication protocols cannot present device state or complete MFA, so a device-based policy cannot tell a managed client from an unmanaged one on these paths; blocking them outright is the only reliable control.

Pro tip: Start by blocking legacy authentication first, as it's the most common attack vector for unmanaged devices. You can create a separate policy specifically for this.

Verification: Both Device platforms and Client apps should show as "Configured" with your selected options visible in the summary.

06

Configure Device Compliance Conditions

Set up device compliance requirements to distinguish between managed and unmanaged devices. This step requires Microsoft Intune integration for device management.

In the Conditions section, click on Filter for devices:

  1. Set Configure to Yes
  2. Select Exclude filtered devices from policy
  3. Switch to Edit rule syntax and enter the rule: device.isCompliant -eq True -or device.trustType -eq "ServerAD"
  4. Click Done

The rule excludes devices that Intune reports as compliant and devices that are Microsoft Entra hybrid joined (trustType ServerAD). If you don't have Intune, drop the first clause and keep only device.trustType -eq "ServerAD"; if every managed device is Intune-enrolled, the compliance clause alone is enough.

Devices that are not registered in Microsoft Entra have no device properties at all, so they never match the exclusion rule and remain in scope of the block; this is what makes the policy catch unmanaged (unregistered, non-compliant, non-hybrid-joined) devices. The older Device state condition that earlier guides used for this purpose has been retired in favour of Filter for devices.

Warning: Without proper device filtering, you might accidentally block managed corporate devices. Always test with a pilot group first.

Verification: The device conditions should show as configured with your compliance requirements. Test the filter logic using the "What If" tool in Conditional Access.

07

Set Access Control to Block Access

Configure the policy action to block access when the conditions are met. This is the core security control that will prevent unmanaged devices from accessing Microsoft 365.

In the Access controls section, click on Grant:

  1. Select Block access
  2. Leave all other options unchecked
  3. Click Select to confirm

The block access control is absolute - when triggered, users will be completely denied access to the targeted applications.

If your tenant's policy editor offers a Customize block message option, enter a user-friendly message such as: Access denied: Please use a company-managed device to access Microsoft 365 applications. Contact IT support for assistance.

Without a custom message, blocked users see the standard Conditional Access error (AADSTS53003, "Access has been blocked by Conditional Access policies"), so make sure your help desk can recognise it.

Pro tip: Include contact information in your block message so users know how to get help. This reduces support tickets and improves user experience.

Verification: The Grant section should show "Block access" as selected. Your custom message should appear in the configuration summary.

08

Enable Report-Only Mode for Testing

Before activating the policy, enable report-only mode to test its impact without affecting users. This crucial step prevents accidental lockouts and allows you to validate the policy logic.

At the bottom of the policy configuration page:

  1. Under Enable policy, select Report-only
  2. Click Create to save the policy

Report-only mode will log what would happen if the policy were active without actually blocking access.

Monitor the policy for at least 24-48 hours:

  1. Go to Monitoring > Sign-in logs in the Entra admin center
  2. Open a sign-in and switch to the Report-only tab under Conditional Access to see how this policy would have evaluated it (the Conditional Access tab only lists enforced policies)
  3. For an aggregate view, open the policy and use Insights and reporting, which requires the sign-in logs to be streamed to a Log Analytics workspace

Look for entries with the result Report-only: Failure; those are the sign-ins that would have been blocked once the policy is enforced. Check that every one of them is a device you actually intend to block.

Warning: Never skip the report-only testing phase. Even experienced administrators can create policies that have unintended consequences.

Verification: The policy should appear in your Conditional Access policies list with "Report-only" status. Sign-in logs should show policy evaluations without actual blocking occurring.

09

Activate the Policy and Monitor Results

After validating the policy in report-only mode, activate it to begin blocking unmanaged device access. Continue monitoring to ensure it works as expected.

To activate the policy:

  1. Return to Protection > Conditional Access
  2. Click on your policy name to edit it
  3. Change Enable policy from Report-only to On
  4. Click Save

The policy is now active and will block access from unmanaged devices.

Monitor the policy effectiveness:

  1. Check Monitoring > Sign-in logs regularly, filtering on Conditional access = Failure
  2. Open the Conditional Access tab of each failed sign-in to confirm this policy, and not another one, is what blocked it
  3. Use the policy's Insights and reporting section for impact analysis over time

You can also use the Microsoft Graph PowerShell SDK to export the policy definition for your change record (Policy.Read.All is sufficient for read access):

```powershell
Install-Module Microsoft.Graph.Identity.SignIns -Scope CurrentUser   # the Microsoft.Graph sub-module that holds the CA cmdlets
Connect-MgGraph -Scopes "Policy.Read.All"                            # read-only scope is enough for an export
# Filter server-side on displayName, then dump the full definition (conditions, grant controls, state) as JSON
$policy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq 'Block M365 Apps from Unmanaged Devices'"
$policy | ConvertTo-Json -Depth 10 | Set-Content -Path ".\Block-M365-Unmanaged-Devices.json"
```

Pro tip: Set up automated alerts for unusual spikes in blocked sign-ins. This can help identify potential issues or attack attempts.

Verification: The policy status should show "On" in the policies list. Sign-in logs should show actual blocking events for unmanaged devices attempting to access Microsoft 365 applications.
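The following is an added example, not code from the original tutorial, that does the sign-in log review of step 08 and the enforcement check of step 09 from PowerShell instead of clicking through individual log entries. It assumes the Microsoft.Graph.Reports and Microsoft.Graph.Identity.SignIns modules are installed and that the policy carries the name chosen in step 02; the 48-hour window and the column names in the summary are choices made here, not something the page prescribes.

```powershell
# Added example: summarize what one Conditional Access policy did to recent sign-ins.
# Assumes: Microsoft.Graph.Reports + Microsoft.Graph.Identity.SignIns installed,
# policy named as in step 02. Adjust $policyName and the window to your tenant.
#Requires -Modules Microsoft.Graph.Reports, Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All', 'Policy.ReadWrite.ConditionalAccess' -NoWelcome

$policyName = 'Block M365 Apps from Unmanaged Devices'
$since      = (Get-Date).ToUniversalTime().AddHours(-48).ToString('yyyy-MM-ddTHH:mm:ssZ')

# The sign-in log cannot be filtered server-side by policy name, so pull the time window
# and match the policy locally from each entry's appliedConditionalAccessPolicies.
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

$hits = foreach ($s in $signIns) {
    $applied = $s.AppliedConditionalAccessPolicies | Where-Object { $_.DisplayName -eq $policyName }
    if (-not $applied) { continue }
    [pscustomobject]@{
        When         = $s.CreatedDateTime
        User         = $s.UserPrincipalName
        App          = $s.AppDisplayName
        ClientApp    = $s.ClientAppUsed            # 'Browser', 'Mobile Apps and Desktop clients', 'IMAP4', ...
        OS           = $s.DeviceDetail.OperatingSystem
        Compliant    = $s.DeviceDetail.IsCompliant
        Managed      = $s.DeviceDetail.IsManaged
        TrustType    = $s.DeviceDetail.TrustType   # empty for unregistered devices
        # reportOnlyFailure = would have been blocked (step 08); failure = actually blocked (step 09)
        PolicyResult = $applied.Result
    }
}

# Who would be (or was) blocked, and from what. A corporate laptop or a known service
# account showing up here means the device filter or the exclusion group needs fixing.
$hits | Where-Object { $_.PolicyResult -in @('reportOnlyFailure', 'failure') } |
    Group-Object User, OS, ClientApp | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Overall distribution of outcomes for this policy in the window.
$hits | Group-Object PolicyResult | Select-Object Name, Count | Format-Table -AutoSize

# Step 09 activation, kept behind a function so the review above can be run on its own.
function Enable-CaPolicy {
    param([Parameter(Mandatory)][string]$DisplayName)
    $p = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$DisplayName'"
    if (-not $p) { throw "Policy '$DisplayName' not found." }
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $p.Id -BodyParameter @{ state = 'enabled' }
}
# Enable-CaPolicy -DisplayName $policyName   # uncomment only once the report-only review is clean
```

Run the script once while the policy is in report-only mode and again after activation: the first run should show only reportOnlyFailure results and no managed devices in the breakdown; the second should show the same population moving to failure. Sign-in log retention depends on your license, so keep the window inside it.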

10

Create Additional Legacy Authentication Block Policy

Create a supplementary policy specifically targeting legacy authentication, which is commonly used by unmanaged devices and represents a significant security risk.

Create a new policy for legacy authentication blocking:

  1. Click New policy again
  2. Name it: Block Legacy Authentication for All Apps
  3. Under Users and groups, select All users (exclude emergency accounts)
  4. Under Target resources, select All resources (formerly "All cloud apps")

Configure the legacy authentication conditions:

  1. In Conditions > Client apps, set Configure to Yes
  2. Check only Exchange ActiveSync clients and Other clients under Legacy authentication clients; leave Browser and Mobile apps and desktop clients unchecked so modern clients are unaffected
  3. Under Access controls > Grant, select Block access

This policy specifically targets older authentication protocols like:

  • IMAP/POP3 email clients
  • SMTP AUTH
  • Legacy Office clients that do not support modern authentication
  • PowerShell modules using basic authentication

Exchange Online has already disabled Basic authentication for most of these protocols on Microsoft's side, but a tenant-level Conditional Access block is still worth having: it documents the intent, covers any protocol exceptions, and does not depend on a per-workload setting.

Warning: Legacy authentication blocking can affect legitimate applications. Inventory your environment first to identify any business-critical applications using legacy protocols.

Test this policy in report-only mode first, then activate it following the same process as the main policy.

Verification: Both policies should be active and visible in your Conditional Access policies list. Sign-in logs should show blocks for both unmanaged devices and legacy authentication attempts.
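Both policies in this tutorial, the unmanaged-device block from steps 02 to 08 and the legacy authentication block from step 10, have the same shape, so here is an added example (not code from the original page) that creates them with the Microsoft Graph PowerShell SDK in report-only mode. It assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Groups modules are installed and that the break-glass group is named CA-Emergency-Access as suggested in step 03; the New-CaBlockPolicy function and its parameter names are this example's own.

```powershell
# Added example: create the two block policies from the tutorial as Graph objects.
# Assumes: Microsoft.Graph.Identity.SignIns + Microsoft.Graph.Groups installed, and a
# break-glass group named CA-Emergency-Access (rename to match your tenant).
#Requires -Modules Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Groups

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All', 'Group.Read.All' -NoWelcome

# Resolve the exclusion group by name and refuse to continue if it is missing or ambiguous:
# a block policy with no break-glass exclusion can lock every administrator out.
$breakGlass = @(Get-MgGroup -Filter "displayName eq 'CA-Emergency-Access'" -Property Id, DisplayName)
if ($breakGlass.Count -ne 1) {
    throw "Expected exactly one group named CA-Emergency-Access, found $($breakGlass.Count). Create it before deploying block policies."
}
$excludeGroupId = $breakGlass[0].Id

function New-CaBlockPolicy {
    param(
        [Parameter(Mandatory)] [string]   $DisplayName,
        [Parameter(Mandatory)] [string[]] $Applications,    # 'Office365' (the M365 suite) or 'All'
        [Parameter(Mandatory)] [string[]] $ClientAppTypes,  # Graph clientAppTypes values
        [string] $ExcludeDeviceFilterRule                   # optional: devices matching this rule are NOT blocked
    )
    $body = @{
        displayName = $DisplayName
        # Report-only first (step 08); switch to 'enabled' only after reviewing sign-in logs.
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users          = @{ includeUsers = @('All'); excludeGroups = @($excludeGroupId) }
            applications   = @{ includeApplications = $Applications }
            clientAppTypes = $ClientAppTypes
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
    if ($ExcludeDeviceFilterRule) {
        $body.conditions.platforms = @{ includePlatforms = @('all') }
        $body.conditions.devices   = @{ deviceFilter = @{ mode = 'exclude'; rule = $ExcludeDeviceFilterRule } }
    }
    # Idempotency guard: never create a second policy with the same name.
    $existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$DisplayName'"
    if ($existing) {
        Write-Warning "Policy '$DisplayName' already exists (id $($existing.Id)); skipping."
        return $existing
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Steps 02-08: block native clients and legacy protocols from Office 365 unless the device is
# Intune-compliant or Microsoft Entra hybrid joined. Unregistered devices have no device
# properties, so they never match the exclusion rule and stay blocked.
$unmanaged = New-CaBlockPolicy -DisplayName 'Block M365 Apps from Unmanaged Devices' `
    -Applications @('Office365') `
    -ClientAppTypes @('mobileAppsAndDesktopClients', 'exchangeActiveSync', 'other') `
    -ExcludeDeviceFilterRule 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"'

# Step 10: block legacy authentication to every resource, regardless of device state.
$legacy = New-CaBlockPolicy -DisplayName 'Block Legacy Authentication for All Apps' `
    -Applications @('All') `
    -ClientAppTypes @('exchangeActiveSync', 'other')

$unmanaged, $legacy | Select-Object DisplayName, State, Id | Format-Table -AutoSize
```

Keeping the policy definitions in a script like this, alongside the JSON export from step 09, gives you a reviewable record of what the tenant should contain; rerunning it is safe because the name check skips policies that already exist. Add 'browser' to the first policy's ClientAppTypes if you decide in step 05 to block web access from unmanaged devices as well.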

Frequently Asked Questions

What Microsoft licenses are required for Conditional Access policies?

Microsoft Entra ID P1 or P2 licenses are required for Conditional Access policies. P1 is included in Microsoft 365 Business Premium and the enterprise E3/E5 suites and provides the policy engine used in this tutorial. P2 adds risk-based policies (Identity Protection) and access reviews. Without P1 or P2 you can enable security defaults, a fixed set of Microsoft-managed policies (MFA for all users, legacy authentication blocked) that cannot be customized or scoped.

How can I test Conditional Access policies without blocking legitimate users?

Always use report-only mode first, which logs what would happen without actually blocking access. Monitor sign-in logs for 24-48 hours to understand the impact. Create pilot groups with test users before applying the policy to all users. Use the What If tool in the Entra admin center to simulate policy outcomes for a specific user, device and application. Always exclude emergency access accounts to prevent a complete lockout.

What happens when multiple Conditional Access policies apply to the same user?

All applicable policies are evaluated for every sign-in, and their results are combined rather than one overriding another. A block in any policy wins: if one policy requires MFA and another blocks access, the user is blocked. Grant controls from several policies are all enforced, so a user may have to satisfy MFA from one policy and a compliant device from another. This is why careful planning and testing are crucial when implementing multiple policies that might affect the same users or applications.

Can Conditional Access policies block legacy authentication without Microsoft Intune?

Yes. A policy that targets Exchange ActiveSync clients and Other clients under the Legacy authentication clients condition blocks protocols like IMAP, POP3, SMTP AUTH, and older Office clients regardless of device management status, because those flows carry no device state at all. Distinguishing managed from unmanaged devices for modern authentication, however, requires Intune compliance, Microsoft Entra hybrid join, or another device signal the filter can evaluate.

How do I troubleshoot users who are unexpectedly blocked by Conditional Access?

Check the sign-in logs in the Microsoft Entra admin center under Monitoring > Sign-in logs. Filter by the affected user and look for entries with a Conditional Access failure. The Conditional Access tab of the entry shows which policy blocked access and which condition matched; the Device info tab shows the compliance and join state the policy saw. The Troubleshooting and support tab gives the policy evaluation details. If you must restore access while investigating, add the user to an exclusion group temporarily and remove them again once the root cause is fixed.
