Conditional Access

Table of Contents



Nowadays, security in the digital workplace extends beyond your organization's network. You want to know who your users are and what they do with organizational data. It's important that people see the right information and applications at the right time, resulting in a well-organized Workspace.

As an administrator, you can enable conditional access to applications, Shared tile groups, local Office applications in Workspace, but also in Azure/Microsoft 365. In this article, we explain how.


Configure MFA in Azure/Microsoft 365

There are two ways to configure Multi-factor Authentication (MFA) on Azure/Microsoft 365. You can set it up globally for the whole tenant or for the Workspace 365 oAuth application in Azure.

MFA is only supported when oAuth2 is set as Single Sign-On method (SSO) in Workspace 365. To learn how to configure oAuth2 as SSO option, click here.

Microsoft 365 tenant

To enable MFA for your whole Microsoft 365 tenant, follow this guide:
Set up multifactor authentication for Microsoft 365

Workspace 365 oAuth application in Azure

To enforce conditional access and set additional policies on the Workspace 365 Azure application, you can follow this guide:
What is Conditional Access?

Back to top


Conditional access on Shared tile groups and applications

There are four different conditions that you can set in Workspace 365:

  • Devices
  • Operating systems
  • Browsers
  • IP ranges

Enabling conditional access for Shared tile groups (click on the user/group icon in a tile group), allows Workspace administrators to control access in a more effective and efficient way. Perhaps you want to allow a certain group of people access to a Shared tile group from desktop devices, but deny access from mobile devices, and as a consequence, hide the tile group from their Workspace.

It's important that people see the right information and applications at the right time, resulting in a well-organized workspace. But think about which applications you want to show in Workspace and when. Enabling conditional access on applications can be done from the App store by editing the app. Here's an example:


Think of your users when enabling conditional access. Not everyone will understand that some apps can only be accessed under specified conditions and that they cannot open apps as expected subsequently. To avoid any confusion or questions, it is important to think about these terms and communicate with the employees beforehand. 

Visibility of applications

You can also determine the visibility of the application:

  • This is only relevant for 1x1 or 2x2 tile format.
  • The tile is gray and not clickable, or invisible.
  • When a gray tile is clicked, a notification appears explaining the set condition(s).

App maintenance

As an administrator, you can perform maintenance on applications from the App store, which will make it unavailable for a certain period of time.

When you set maintenance on applications, inform users beforehand. And when the time comes, include a message why the app is under maintenance. This leads to more understanding, more patience and less frustration among users.


Back to top



Photoshop: show as local app or remote app?

There are several ways to access the app Photoshop. You can invoke the app locally via the Local App Launcher, or you can make the same app available as a 'remote app' (Clientess RDP). When an employee is working from a different location and on a different device, you can make Photoshop available as a remote app. You hide the local Photoshop app and only show the remote app. The employee will not notice the difference and can still open the same application as expected.

Block access from unsecure network locations and/or unsupported devices

At this moment, you cannot set conditional access policies for managed and/or unmanaged devices. This is something we are investigating. 

Conditional access makes it possible to block access to applications from unsupported devices and/or unsecure network locations, such as public Wi-Fi networks in a train or a bar. If you want to show a healthcare professional that it is not safe to open patient records on a public Wi-Fi network or on their phone, set conditions for IP range* and/or device type for such applications and make the tile gray. If they click on the tile, a notification appears on the set condition(s). 

*With IP ranges you can choose on which IP range(s) the app is available. This way you can make the app only available from trusted IP ranges e.g. the company network. This only works for external IP addresses, because we can only see external IP addresses from the Workspace webserver. You can view this on the support page in the Workspace. Also take into account if you're using a proxy server. 

Hide app when working from mobile device

Many people rely on their mobile phone for work. But you don't need to see every application, especially not on such a small screen. A lot of this information isn’t relevant at all times. As an admin, you can set conditional access to applications from the App Store in your workspace, so people see the correct information and applications at the right times. Set conditions so that they only see the relevant applications and that work well on mobile phones.

Browser restriction on application

Some apps are only accessible in specific browsers. You can still offer these applications regardless of your preferred browser. Inform the user about the set browser conditions when he or she clicks on the app. The user can switch browsers accordingly.

Back to top


Conditional access for local Office applications

For SharePoint and the file server(s), you can define on which IP range(s) launching local Office applications are available. For example, make it only available from trusted IP ranges (e.g. the company network) and outside this trusted IP range restrict users from opening documents with the local Office Editors.

For more information, go to:

Back to top