{"id":19049,"date":"2023-03-17T02:15:57","date_gmt":"2023-03-17T02:15:57","guid":{"rendered":"https:\/\/www.insentragroup.com\/nz\/?p=19049"},"modified":"2023-08-21T16:40:37","modified_gmt":"2023-08-21T16:40:37","slug":"restrict-external-access-to-apps-desktop","status":"publish","type":"post","link":"https:\/\/www.insentragroup.com\/nz\/insights\/geek-speak\/secure-workplace\/restrict-external-access-to-apps-desktop\/","title":{"rendered":"Restrict External Access to Apps &#038; Desktop"},"content":{"rendered":"\n<p>I have been working on several M365-related security projects recently. These primarily consisted of increasing the organisations' security posture and working towards a Zero Trust architecture. For everything you need to know about Zero Trust, please take a look at the <a href=\"https:\/\/www.insentragroup.com\/nz\/lp-the-ultimate-guide-to-zero-trust\/\" target=\"_blank\" rel=\"noreferrer noopener\">Insentra Ultimate Guide to Zero Trust<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">REQUIREMENT<\/h2>\n\n\n\n<p>The customer (Contoso) is involved in external collaboration with many partners. This has become a critical business requirement for Contoso. Contoso have heavily invested in their <a href=\"https:\/\/www.insentragroup.com\/nz\/insights\/geek-speak\/secure-workplace\/what-is-information-architecture-and-why-do-you-need-it\/\" target=\"_blank\" rel=\"noreferrer noopener\">Information Protection<\/a> strategy, which Insentra assisted with, so they were confident they had the correct mechanisms in place to secure and protect their data. As a result, Contoso wanted to manage the method by which external users can access Contoso M365 services while protecting their data. 
Contoso wanted to allow external users to access their M365 services using a browser only; all mobile apps and desktop clients should be blocked.<\/p>\n\n\n\n<p>To achieve this requirement, the solution was to create a <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/conditional-access\/overview\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Conditional Access<\/a> policy. As always, there are a few prerequisites that are needed before Contoso can achieve the desired solution:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Azure AD Premium P1<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">SOLUTION<\/h2>\n\n\n\n<p>To implement this solution, you need to have one of the below Azure AD admin roles assigned to your account:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Conditional Access Administrator (least privilege)<\/li>\n\n\n\n<li>Security Administrator<\/li>\n\n\n\n<li>Global Administrator<\/li>\n<\/ul>\n\n\n\n<p>All the configuration takes place within <a href=\"https:\/\/entra.microsoft.com\/#view\/Microsoft_AAD_IAM\/EntraNav.ReactView\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Microsoft Entra admin centre<\/a> &gt; Protect &amp; secure &gt; Conditional Access. 
To create this policy, please follow the below steps&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create a new policy<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"477\" height=\"276\" src=\"https:\/\/www.insentragroup.com\/nz\/wp-content\/uploads\/sites\/18\/2023\/03\/image-3.png\" alt=\"\" class=\"wp-image-19050\" srcset=\"https:\/\/www.insentragroup.com\/nz\/wp-content\/uploads\/sites\/18\/2023\/03\/image-3.png 477w, https:\/\/www.insentragroup.com\/nz\/wp-content\/uploads\/sites\/18\/2023\/03\/image-3-300x174.png 300w\" sizes=\"(max-width: 477px) 100vw, 477px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Give the CA policy an appropriate name, preferably in alignment with <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/architecture\/guide\/security\/conditional-access-framework\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Microsoft CA naming conventions<\/a>, for example, \u201cCA001: BLOCK &#8211; Block external users from downloading files in Office 365\u201d&nbsp;<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"375\" height=\"494\" src=\"https:\/\/www.insentragroup.com\/nz\/wp-content\/uploads\/sites\/18\/2023\/03\/image-4.png\" alt=\"\" class=\"wp-image-19051\" srcset=\"https:\/\/www.insentragroup.com\/nz\/wp-content\/uploads\/sites\/18\/2023\/03\/image-4.png 375w, https:\/\/www.insentragroup.com\/nz\/wp-content\/uploads\/sites\/18\/2023\/03\/image-4-228x300.png 228w\" sizes=\"(max-width: 375px) 100vw, 375px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Within Users &gt; Assignments select \u201cGuests or external users\u201d and all for &#8220;Specify external Azure AD organizations (preview)&#8221;&nbsp;<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"663\" height=\"434\" 
src=\"https:\/\/www.insentragroup.com\/nz\/wp-content\/uploads\/sites\/18\/2023\/03\/image-5.png\" alt=\"\" class=\"wp-image-19052\" srcset=\"https:\/\/www.insentragroup.com\/nz\/wp-content\/uploads\/sites\/18\/2023\/03\/image-5.png 663w, https:\/\/www.insentragroup.com\/nz\/wp-content\/uploads\/sites\/18\/2023\/03\/image-5-300x196.png 300w\" sizes=\"(max-width: 663px) 100vw, 663px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Within Cloud apps or actions &gt; Select apps, choose \u201cOffice 365\u201d. This will apply to all M365 services; if you require something more granular, for example Exchange Online, then select just Exchange Online.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"681\" height=\"536\" src=\"https:\/\/www.insentragroup.com\/nz\/wp-content\/uploads\/sites\/18\/2023\/03\/image-6.png\" alt=\"\" class=\"wp-image-19053\" srcset=\"https:\/\/www.insentragroup.com\/nz\/wp-content\/uploads\/sites\/18\/2023\/03\/image-6.png 681w, https:\/\/www.insentragroup.com\/nz\/wp-content\/uploads\/sites\/18\/2023\/03\/image-6-300x236.png 300w\" sizes=\"(max-width: 681px) 100vw, 681px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Within Conditions &gt; Client apps, select the following options:<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"342\" height=\"619\" src=\"https:\/\/www.insentragroup.com\/nz\/wp-content\/uploads\/sites\/18\/2023\/03\/image-7.png\" alt=\"\" class=\"wp-image-19054\" srcset=\"https:\/\/www.insentragroup.com\/nz\/wp-content\/uploads\/sites\/18\/2023\/03\/image-7.png 342w, https:\/\/www.insentragroup.com\/nz\/wp-content\/uploads\/sites\/18\/2023\/03\/image-7-166x300.png 166w\" sizes=\"(max-width: 342px) 100vw, 342px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Lastly, within Access controls, select Block.<\/li>\n<\/ul>\n\n\n\n<figure 
class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"402\" height=\"271\" src=\"https:\/\/www.insentragroup.com\/nz\/wp-content\/uploads\/sites\/18\/2023\/03\/image-8.png\" alt=\"\" class=\"wp-image-19055\" srcset=\"https:\/\/www.insentragroup.com\/nz\/wp-content\/uploads\/sites\/18\/2023\/03\/image-8.png 402w, https:\/\/www.insentragroup.com\/nz\/wp-content\/uploads\/sites\/18\/2023\/03\/image-8-300x202.png 300w\" sizes=\"(max-width: 402px) 100vw, 402px\" \/><\/figure>\n\n\n\n<p>That is it, you are good to go! I would recommend enabling this policy in \u201cReport-only\u201d mode for a few days and keeping an eye on the logs to ensure the CA policy is behaving as you expect. Once you have confirmed the CA policy is meeting your expectations, you can set the policy to \u201cOn\u201d, and external users can then only access M365 services using a browser which supports <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/architecture\/framework\/security\/design-identity-authentication\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Modern Authentication<\/a>.<\/p>\n\n\n\n<p>Hopefully this has been informative and helpful! If you need any further clarification, or a no-frills chat, <a href=\"https:\/\/www.insentragroup.com\/nz\/contact\/\" target=\"_blank\" rel=\"noreferrer noopener\">contact us<\/a> at Insentra or read more of my <a href=\"https:\/\/www.insentragroup.com\/nz\/insights\/insights-search-results\/?author=Ross%20Kirk\" target=\"_blank\" rel=\"noreferrer noopener\">Insentra Insights<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">CONCLUSION<\/h2>\n\n\n\n<p>In conclusion, the successful implementation of a Conditional Access policy allowed Contoso to meet their critical business requirement of securing their data while allowing external users to access M365 services via a browser. 
With Insentra&#8217;s assistance, Contoso was able to enhance their security posture and move towards a Zero Trust architecture. If you need similar help or want to learn more, contact Insentra or read their Insights. Don&#8217;t hesitate to take steps to strengthen your organisation&#8217;s security today.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">RELATED ARTICLES<\/h2>\n\n\n\n<p><a href=\"https:\/\/www.insentragroup.com\/nz\/insights\/geek-speak\/secure-workplace\/how-to-allow-only-work-account-access-to-apps-using-intune\/\" target=\"_blank\" rel=\"noreferrer noopener\">How to allow only work account access to apps using Intune<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/www.insentragroup.com\/nz\/insights\/geek-speak\/modern-workplace\/protecting-windows-virtual-desktop-wvd-with-okta-and-microsoft-azure-active-directory-conditional-access\/\" target=\"_blank\" rel=\"noreferrer noopener\">Protecting Windows Virtual Desktop (WVD) with OKTA and Microsoft Azure Active Directory Conditional Access<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/www.insentragroup.com\/nz\/insights\/geek-speak\/cloud-and-modern-data-center\/securing-and-optimising-access-to-azure-storage-accounts-with-azure-endpoints\/\" target=\"_blank\" rel=\"noreferrer noopener\">Securing and Optimising Access to Azure Storage Accounts with Azure Endpoints<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Learn how to block external users from accessing M365 mobile apps and desktop clients with a Conditional Access policy. Read our step-by-step guide now! 
<\/p>\n","protected":false},"author":121,"featured_media":19056,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[20],"tags":[],"class_list":["post-19049","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-secure-workplace","entry"],"_links":{"self":[{"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/posts\/19049","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/users\/121"}],"replies":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/comments?post=19049"}],"version-history":[{"count":13,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/posts\/19049\/revisions"}],"predecessor-version":[{"id":21128,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/posts\/19049\/revisions\/21128"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/media\/19056"}],"wp:attachment":[{"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/media?parent=19049"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/categories?post=19049"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/tags?post=19049"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}