Conditional Access
45 Topics

Blocking Personal Outlook and Gmail Accounts on Corporate Device
Hello Community, In my organization, we use the Microsoft 365 environment. We have a hybrid infrastructure, but we aim to deploy as many policies as possible through Microsoft 365 (Intune, Purview, Defender, etc.). One of our goals is to limit the use of corporate devices for personal purposes. We use Outlook as our corporate email service, and we would like to block employees from signing into their personal email accounts (either via web or desktop application). Additionally, we would like to block access to other email services, such as Gmail, both via web and desktop apps. Could you provide guidance on how to achieve this? I would greatly appreciate any help or suggestions. Thank you very much!
Juan Rojas
1.6K Views, 0 likes, 5 Comments

Authenticator not displaying numbers on MacOS
I have an issue with MFA on a Mac (all the latest versions). We have conditional access policies in place, so once a day I'm prompted for MFA (I work off-site) and the Office app (e.g. Outlook, Teams) will create the pop-up window that 'should' display a number that I then match on my phone. My phone sees the push notification, but the Mac never creates the numbers in the first place. The pop-up is there, just no number. The workaround is:
1. Answer 'it's not me' on the phone
2. On the Mac, select 'I can't use Authenticator right now'
3. Tell the Mac to send a new request
This time it creates the number and I can authenticate on the phone. It only appears to happen for the installed Office applications, i.e. if I'm accessing applications/admin-centre via the browser, then the pop-up is within the browser and everything works first time. Is this a known issue?
226 Views, 1 like, 2 Comments

Anomalies with Conditional Access Policy "Terms of Use" Failures
Hello Microsoft Community, I'm reaching out with a bit of a puzzle regarding our "Terms of Use" Conditional Access policy, and I'm eager to tap into the collective wisdom here for some insights. In our Entra ID User Sign-In logs, we've identified intermittent "failure" entries associated with the "Terms of Use" Conditional Access policy. Interestingly, this happens even for users who had previously accepted the "Terms of Use". There appears to be no discernible impact, and they continue their tasks without interruption. This observation became apparent during the troubleshooting of unrelated Surface Hub and Edge Sync issues at some client sites. What adds to the complexity of the situation is that for the same users, both before and after these "failure" entries, the Conditional Access policy is marked as "success". Hence, it doesn't seem to be a straightforward case of the policy erroneously detecting non-acceptance of the "Terms of Use". The mystery lies in understanding why these intermittent "failure" entries occur for users who have already accepted the terms, especially when the policy consistently reports "success" for the same users. Furthermore, the Insights for the "Terms of Use" Conditional Access policy show around 1.48k successes and 1.43k failures in the last 90 days, yet there's no discernible impact on user functionality.
Observations:
- "Failure" entries in Sign-In logs don't seem to disrupt users' day-to-day activities.
- The ratio of successes to failures is balanced, yet users experience no noticeable problems.
- The issue complicates troubleshooting efforts but doesn't significantly affect the user experience.
I'm turning to the community for guidance on interpreting and resolving this discrepancy between "failure" entries in the Conditional Access policy logs and the seemingly unaffected user experience. Any insights into why these failures occur without user impact would be greatly appreciated.
For additional context, I've attached screenshots of a user's Sign-In log entry and the insight chart from the Conditional Access policy.
[Screenshot: Sign-In log of a user (failure)]
[Screenshot: Sign-In log of same user (success)]
[Screenshot: Current Conditional Access insights]
Thank you in advance for your time and assistance. I look forward to any guidance or solutions you can provide. Best regards,
Leon Tüpker
909 Views, 1 like, 1 Comment

passwordless together with MFA
Edit: this was an issue using Edge under Linux, which now has support for FIDO2 tokens. You need to use Chrome when logging into Azure using a Linux client.
Hi, we are running a CA which enforces MFA through the MS Authenticator app for all users. We would like to set up an alternative way through FIDO2 tokens (passwordless). We still have users without smart devices and we also want a soft way for migration. Right now the passwordless login fails because the CA enforces MFA for all users. Is there a way to solve this problem? Or do we have to choose one authentication way for all users? My first idea is to configure the CA so it excludes certain users from the policy: make a group for passwordless users and exclude them from MFA. Is this the way to go or are there better solutions? Would it be possible to generate this group dynamically for all the users with at least one FIDO2 token in their authentication methods? Or would this idea mean that we have to maintain this group manually? What are the consequences if a user has MFA and FIDO2 within their authentication methods? Thanks for any answers and any solution. Cheers
Sebastian
Solved
3.8K Views, 0 likes, 8 Comments

Only Outlook and Teams on Personal mobile devices
We are looking to let users access Outlook and Teams using their personal iOS and Android devices but not allow them to access the SharePoint side within the Outlook app. I have made two conditional access policies to accomplish this, but only the Outlook side of things is working. Teams won't let a user log in, and users are being blocked by the first Conditional Access policy.
First CA
- Target Resources: Include = Office 365; Exclude = Microsoft Teams Service, Office 365 Exchange Online
- Conditions: Device Platform = Android, iOS; Filter for devices = device.deviceOwnership -eq "Personal"
- Grant = Block access
Second CA
- Target Resources: Include = Microsoft Teams Services, Office 365 Exchange Online
- Conditions: Device Platform = Android, iOS; Filter for devices = device.deviceOwnership -eq "Personal"
- Grant = Grant Access > Require device to be marked compliant
Can anyone help?
460 Views, 0 likes, 1 Comment

Allow use of One Time Password
Hello, We have set up Passwordless authentication using Conditional Access Policies, which is working great. The question I have is how I can set up the option to allow the one time password (6 digit code in the authenticator) to be used when the mobile device is offline and cannot receive the number matching. For example, the user is on a plane and has purchased the use of WiFi for the laptop, but the phone is offline and they want to use the 6 digit code from the authenticator.
239 Views, 0 likes, 0 Comments

Whenever login into the office applications different OTP needs to be applied Outlook and teams
When signing into Office applications, a different OTP is required for both Outlook and Teams. To address this issue, is there any resolution for it, or a supporting document as proof to confirm that this is a standard procedure?
429 Views, 0 likes, 1 Comment

Using CBA with a device certificate on Windows Server
Hi, will it be possible to use CBA as a "filter for devices" some day? E.g. a Windows Server which is not hybrid joined or managed by Intune could then be identified as a "valid device" which is allowed to access the Admin portal, like a RADIUS auth. BR
Stephan
356 Views, 0 likes, 2 Comments

New Blog | Now available: Modernize your SAP environment with Microsoft Entra ID
By Melanie Maynes
Building on our joint announcement with SAP earlier this year, we have now released guidance to help customers modernize their SAP environment and move their identity management scenarios from SAP Identity Management (SAP IDM) to Entra ID. With this documentation, SAP IDM customers can migrate seamlessly to the cloud-based IAM and identify the right partners that can assist. In February, SAP announced that the on-premises tool for managing identity would reach end-of-maintenance by 2030. We are honored that SAP has recommended Microsoft Entra ID, our cloud-based identity and access management solution, to facilitate a seamless migration and ongoing enterprise-wide identity and access management. Read the full post here: Now available: Modernize your SAP environment with Microsoft Entra ID
266 Views, 0 likes, 0 Comments