Using AzureAD Conditional Access to block a Native App

Standard

Last week I was asked to research a scenario where the customer wants to block the use of a native app and only want to allow the browser experience from compliant devices. My first answer was that this was difficult to implement. But after looking into AzureAD Conditional Access it was relative easy to configure. In this series of blogposts I’m using Microsoft Teams as an example. I’m focusing on these scenario’s: The first scenario is blocking the Microsoft Teams Native App and only allow browser access to Microsoft Teams and the second scenario is to only allow the Microsoft Teams app and blocking the browser access.

From now I will only use the new portal in my blogposts, so if you want to know how to configure it in the old portal you need to research it yourself. I will focus in this blogpost on blocking the native app of Microsoft Teams and only allow browser access to Microsoft Teams. To achieve this result we need to create 2 Conditional Access policies. The 1st Conditional Access policy will block access through the Native App and the 2nd Conditional Access Policy will allow only browser access to Microsoft Teams. See below the steps to create the Conditional Access Policies:

  1. Go to https://portal.azure.com and click on Azure Active Directory. Then click on Conditional Access and click on New Policy.
  2. Give the policy a descriptive name and click Users and Groups to configure the users on which this policy will apply. If you’ve selected the users click on Done.

  3. Next step is to configure the Cloud App on which this policy will apply. In our scenario this is Microsoft Teams.

  4. Now configure the conditions for this policy. First select the platforms on which this policy should apply:

  5. Next is to select the Client Apps. Here you need to select the Mobile App and Desktop Apps:

  6. In the Access controls section choose the action to block access to be enforced for this policy:

  7. Last step is to enable the policy and create the policy.
  8. After creating the block policy the next step is to create the Allow browser access policy. The steps for creating this policy are the same except the following steps:

    Client Apps:

    Access controls – Grant:


  9. If you’ve create and enabled both policy you’re done.

So let’s see how this will look like on a Windows 10 MDM managed machine:

Microsoft Teams accessed by Microsoft Edge:

Microsoft Teams accessed the Teams App:

As you can see blocking Native Apps is possible with AzureAD Conditional Access and the needed policies are easy to configure.

2 thoughts on “Using AzureAD Conditional Access to block a Native App

    • Arjan Vroege

      I just randomly selected Microsoft Teams for this series of blogposts. And it was nice to demo.
      Regards, Arjan

Leave a Reply