0

So my company is using Microsoft 365 (E5 license). And we're leveraging "Microsoft Defender Cloud App Catalog" to block access to some "cloud apps".

However, it turned out that some people actually need access to the blocked cloud apps, which is doable using Defender's "Device Group".

Unfortunately, it seems one endpoint device can only be a member of exactly one Device Group, no more, no less.

That led me to set things up like this:

Venn Diagram of 2 sites access

Once I created the 3 Device Groups, on the "Unsanctioned" setting of Site A, I excluded the "CanA" and "CanAB" groups. Similarly for Site B, I excluded "CanB" and "CanAB" from the site's "Unsanctioned" settings.

Everything works acceptably, as expected.

However, it came to pass that there is now a THIRD site that needs similar treatment. This means the relation is now like this:

Venn diagram of 3 sites access

This is such a complexity! Not to mention that if in the future a fourth site needs the same treatment, the number of groups will grow out of control.

Is there a better way to leverage Microsoft 365 to provide what I want?

(If a device can be a member of multiple device groups, of course this is easily solvable. But the fact is, a device can only be a member of exactly one device group.)

pepoluan
  • 5,248

1 Answers1

0

You could also use Microsoft Entra/Azure AD Conditonal Access. In CA (Conditonal Access) you can add multiple groups as exclusion

Edit/Update

If the app doesn't exists you need to create an app manually

Here is an PowerShell script which checks if the app exists and if not creates the app and then creates the policy

# Install the required module if not already installed
Install-Module -Name Az -Force -AllowClobber

Connect to Azure AD


Connect-AzAccount


Define variables


$appName = "TelegramWeb" # You can change this to a suitable name
$identifierUri = "https://web.telegram.org/"
$application = Get-AzADApplication -DisplayName $appName


Check if the application exists


if (!$application) {
    # Create the application
    $application = New-AzADApplication -DisplayName $appName -IdentifierUris $identifierUri
}


Get the application ID


$applicationId = $application.ApplicationId


Create Conditional Access policy to block Telegram Web


New-AzAdPolicyConditionalAccessPolicy -Name "BlockTelegramWeb" -State "Enabled" -UsersAll $false -UsersIncludeGroups @("Group1", "Group2") -ApplicationsIncludeApplications $applicationId -GrantControlsIncludeGrantControls @("BlockAccess") -SessionControlsIncludeSessionControls @("UseConditionalAccessAppControl") -AccessControlsIncludeAccessControls @("Block")
Turdie
  • 2,945