Protection against accessing company Microsoft 365 email via unauthorized email clients

Ensure that users can add their company Microsoft 365 accounts only to approved and protected email clients.

Safetica excels at securing data from leaving controlled environments, but there are certain use cases where its capabilities can be complemented with other tools. 

 

Use case

Your company is using Microsoft Outlook protection to protect emails sent via Outlook. You want to ensure users can add their company accounts only to Outlook and not to other email clients (e.g. Thunderbird).

 

Complement Safetica with

Microsoft Intune App protection policies + Microsoft Entra Conditional access policies.

Learn more about Intune App protection policies in Microsoft documentation.

Learn more about Entra Conditional access policies in Microsoft documentation.

 

Prerequisites

 

Microsoft Entra Conditional access policies:

  • Allow the user to sign in to their Microsoft account only when certain conditions are met.
  • Are available for Android and iOS.
  • Ensure that users on mobile devices will only be able to add their company Microsoft accounts to approved company apps protected by Intune App protection policies.
  • Do not require devices to be managed by Mobile Device Management (MDM).
  • Can be enforced for Microsoft 365 apps on both managed (company-owned) and unmanaged (personal/BYOD) devices.

When creating the first Entra Conditional access policy, you will be asked to turn off the security defaults for your tenant. You can learn more about security defaults in Microsoft documentation.

Example: Your company is using Microsoft Outlook protection to protect emails sent via Outlook and has an Intune app protection policy that blocks copying data from company mobile apps. Entra Conditional access policies can ensure that users won’t be able to add their company accounts into apps that are not protected by this Intune App protection policy.

 

Example: How to create an Entra Conditional access policy

(Last updated August 2024)

  1. Go to Microsoft Entra admin center and navigate to Conditional access, where you can create policies either from scratch or from a template.
  2. Microsoft offers the "Require approved client apps or app protection policies" template for this use case. It ensures that users cannot use apps other than those protected by Intune App protection policies.
  3. By default, the Entra Conditional access policy is created in the Report-only state. You must change its state to On for it to be enforced.

We recommend testing the policy on a limited group before applying it to the whole company.
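To check that the policy has actually left Report-only and covers what you expect, you can audit an export of the tenant's policies. The script below is an added example, not Safetica's or Microsoft's code; it assumes the policies were exported as JSON from Microsoft Graph (GET /identity/conditionalAccess/policies), and the sample policies in it are constructed.

```python
import json

# Constructed sample in the shape Microsoft Graph returns for conditional
# access policies (assumed export; names and the group ID are made up).
SAMPLE_EXPORT = json.loads("""
{"value": [
 {"displayName": "Pilot: approved apps (template default)", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeGroups": ["00000000-0000-0000-0000-000000000001"]},
                 "platforms": {"includePlatforms": ["android", "iOS"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["approvedApplication", "compliantApplication"]}},
 {"displayName": "Company-wide: approved apps", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"]},
                 "platforms": {"includePlatforms": ["android", "iOS"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["approvedApplication", "compliantApplication"]}},
 {"displayName": "Approved apps or MFA", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"]},
                 "platforms": {"includePlatforms": ["android"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantApplication"]}}
]}
""")

APP_CONTROLS = {"approvedApplication", "compliantApplication"}

def audit_policy(policy):
    """Return findings for one policy; an empty list means it is enforced as intended."""
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    if not controls & APP_CONTROLS:
        return ["does not require an approved or app-protected client"]
    findings = []
    if policy.get("state") == "enabledForReportingButNotEnforced":
        findings.append("report-only: sign-ins are logged but not blocked")
    elif policy.get("state") != "enabled":
        findings.append("disabled")
    if grant.get("operator") == "OR" and controls - APP_CONTROLS:
        findings.append("OR with another control lets sign-ins skip the app requirement")
    cond = policy.get("conditions") or {}
    plats = {p.lower() for p in (cond.get("platforms") or {}).get("includePlatforms") or []}
    if plats and "all" not in plats and not {"android", "ios"} <= plats:
        findings.append("does not cover both Android and iOS")
    if "All" not in ((cond.get("users") or {}).get("includeUsers") or []):
        findings.append("scoped to a subset of users (pilot)")
    return findings

def audit_export(export):
    return {p["displayName"]: audit_policy(p) for p in export["value"]}

if __name__ == "__main__":
    for name, findings in audit_export(SAMPLE_EXPORT).items():
        print(name, "->", findings or "OK")
```

A pilot policy is expected to report the "subset of users" finding; the finding to clear before relying on the control is "report-only".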

 

What users will see

When a user tries to add their company Microsoft account to an unauthorized email client, they will be redirected to the Microsoft sign-in form and then informed that the account cannot be added.

 
