Five things to know about the Office 365 app in Azure AD Conditional Access

After being in Public Preview since February 2020, Microsoft made the Office 365 app in Azure AD Conditional Access Generally Available.

The below image sums up what is in the Office 365 app:

[Image: Office 365 in Conditional Access]

The Office 365 app helps with common challenges Microsoft 365 admins have:

  • All the individual services in the Office 365 Suite are covered by defining a single Conditional Access policy. Whether it’s SharePoint Online, Exchange Online, Teams, OneDrive for Business, Power BI, Visio for the Web, Yammer today, or all the new and renamed services tomorrow: It’s in the Office 365 Suite.
  • Inconsistent policies between different Office 365 services may result in end users being interrupted or blocked at unexpected times with additional security prompts. The Office 365 Suite app in Conditional Access takes care of all that… and yes, you can still set more restrictive policies for some services if need be.
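
As an added example (not from the original post or from Microsoft), this Python check reads an exported policy list and flags the situation in the second bullet: per-service policies with differing grant controls and no enabled policy targeting the Office 365 suite. The sample export is constructed in the shape of a Microsoft Graph conditional access policy listing, and the appId map is a partial, assumed list.

```python
import json

# Partial, assumed map of first-party appIds to Office 365 services.
O365_SERVICE_IDS = {
    "00000002-0000-0ff1-ce00-000000000000": "Exchange Online",
    "00000003-0000-0ff1-ce00-000000000000": "SharePoint Online",
}

# Constructed sample, shaped like a Graph conditional access policy export.
SAMPLE_EXPORT = json.loads("""
{"value": [
  {"displayName": "EXO - require MFA", "state": "enabled",
   "conditions": {"applications": {"includeApplications":
     ["00000002-0000-0ff1-ce00-000000000000"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
  {"displayName": "SPO - require compliant device", "state": "enabled",
   "conditions": {"applications": {"includeApplications":
     ["00000003-0000-0ff1-ce00-000000000000"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
  {"displayName": "Office 365 - require MFA", "state": "disabled",
   "conditions": {"applications": {"includeApplications": ["Office365"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
]}
""")


def audit(export):
    """Return (suite_targeted, per_service_controls, inconsistent)."""
    suite_targeted = False
    per_service = {}  # service name -> set of (operator, controls) seen
    for policy in export.get("value", []):
        if policy.get("state") != "enabled":
            continue  # disabled and report-only policies enforce nothing
        apps = (policy.get("conditions", {}).get("applications", {})
                .get("includeApplications", []))
        grant = policy.get("grantControls") or {}
        controls = (grant.get("operator"),
                    tuple(sorted(grant.get("builtInControls", []))))
        if "Office365" in apps:
            suite_targeted = True
        for app_id in apps:
            if app_id in O365_SERVICE_IDS:
                per_service.setdefault(O365_SERVICE_IDS[app_id], set()).add(controls)
    distinct = set().union(*per_service.values())
    return suite_targeted, per_service, len(distinct) > 1


if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT))
```

On the constructed sample, the suite policy is disabled and the two per-service policies require different controls, so the check reports no suite coverage and an inconsistency.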

 

Five things

However, there are five things you should know about the Office 365 app in Azure AD Conditional Access:

General Availability

After being in Public Preview since February 2020, Microsoft made the Office 365 app in Azure AD Conditional Access Generally Available on October 8th.

This is about services, not apps (per se)

The Office 365 app in Azure AD Conditional Access governs access to services, like Microsoft Exchange Online and Microsoft SharePoint Online. It does not govern settings for apps on desktops, laptops and mobile devices. While you might think about the Office 365 Apps, please remember that these apps have been renamed to Microsoft 365 Apps for Enterprise, Microsoft 365 Apps for Education, etc.

The one exception is Office for the Web.

Documentation is fluid

The documentation on the feature is a bit spotty, but that’s understandable as there are many moving parts to the right of the dotted line above; Office 365 is a fluid set of services and functionality that not every organization is able to use.

The Office 365 app in Azure AD Conditional Access is a collaboration between many product teams and divisions within Microsoft. Different strategies, roadmaps and agendas mean that not everything may be aligned just as well as you’d expect.

Not all services you expect may be included

Today, it appears Planner is not part of the Office 365 App in Conditional Access, but rest assured that this is a problem that will be solved soon. Because of the fluidity of the Office 365 services, this will remain sort of an issue, but I expect it to be constrained to product renames that may take a while in the future and not omissions of entire services.

Not all Office 365 services might behave the same

As noted by Thijs Lecomte and Peter Daalmans, support for the Require app protection policy setting for Teams is currently in the works. This setting is available for other services that are part of the Office 365 App and may be governed through Conditional Access this way. However, this setting is not available for Teams yet.

Other functionality may also still be in the works. Your mileage may vary.

 

Concluding

The Office 365 App in Conditional Access allows admins to govern access policies for all Office 365 services with ease. As with all proper Conditional Access configurations, test your policies thoroughly, as there may be some hidden gems that were missed during the previews.

Further reading

If you aren't using the Office 365 suite config in your Conditional Access policies, I recommend it for simplified management, and so your users see fewer prompts
Conditional Access Office 365 Suite now in GA!
Conditional Access: Cloud apps or actions