
JakeR.78774 (Customer) asked a question.
We have a policy where pre-hires can only access our HRIS before their start date; however, they need to be able to log in to Office 365 in order to log in to their company-issued devices that are behind O365/Intune.
I've been asked to try and block their ability to access Email/Teams/SharePoint/OneDrive etc. but still allow them to log in to their device.
I've run into a wall using basic Auth policies so started diving into custom expressions for them, but figured I'd ask the community before I try to reinvent the wheel in case this has been done before.
Notes:
- We are on IE
- We have pre-hires in a group
- We have tested blocking client = web browser but Windows uses that for their login flow.
- Blocking Modern Auth blocks the Outlook client once they are in, but they could still log in to the web version of everything.
(we're testing the same thing for Macs as well but the easy solve there is to move JAMF from behind Azure to Okta so it isn't reliant on Azure SSO anymore)
Thanks!

Hi @JakeR.78774 (Customer), thank you for reaching out to the Okta Community!
I'm not familiar with this use case, but the only thing that I could think of is perhaps using licensing management to limit access to those resources if you have Provisioning to O365 configured with Okta. For example, have the users be assigned to O365 but with no licenses for Outlook/Teams/etc., maybe that works.
That being said, I strongly recommend opening a case with the Okta Support team if you have an account with us, to go over your current configuration and options. They'll be able to access additional tools and resources to help you get to the bottom of it.
Regards.
--
Hi Mihai,
Sorry for my delay here. I'll go the support route. We need to assign licenses to pre-hires so their managers/team can invite them to meetings etc. before their start date so can't solve with that path after we looked into it.
Thanks,
Jake