Allow or deny custom clients in Office 365 sign-on policy

You can filter specific clients in an Office 365 app sign-on rule to allow or deny them access to Office 365 resources. This filter is especially useful if you want to deny access to certain clients that you don't support or trust. Alternatively, you can use this filter to only allow clients you trust. It gives you more granular control over the clients that get access to your Office 365 app.

Best practices

Okta sign-on policies evaluate information in the User-Agent request header sent by the user's browser. However, a malicious actor can spoof the User-Agent header. To reduce this risk, Okta recommends the following practices:

  • Allow only trusted clients when creating the sign on policies.
  • Create one or more rules that specify the client type(s), device platform(s), and trust combinations that are allowed to access the app.
  • Require Device Trust or MFA to access the app. See Okta Device Trust solutions and Multifactor Authentication.

Start this procedure

In your Office 365 app:

  1. Go to the Sign On tab > Sign On Policy > Add Rule. An App Sign On Rule window opens.

  2. In the Client section of If the user's client is any of these, select Custom.
  3. Enter the name of the client for which you want to allow or deny access. See About the custom client filter text box.

  4. Complete other sections as appropriate and click Save. See Get started with Office 365 sign on policies.
  5. Back in the Sign On Policy section, place this rule at an appropriate priority level. Okta evaluates each rule by priority and applies the first rule that matches.
  6. Repeat steps 1–5 for each custom client for which you want to allow or deny access.

Important Note

If you select both the Web Browser and Custom options for a sign-on rule under If the user's client is any of these, then the rule applies when either of the options is applicable.

About the custom client filter text box

  • A maximum of 100 characters (256 for Identity Engine) is allowed.
  • Special characters are allowed.
  • Text is case insensitive.
  • White space (leading, trailing, or between words) is used verbatim. For example, " WinWord " (with leading and trailing white space), "WinWord" (without any white space), and "Win Word" are different.
  • Leaving the text box empty or entering only white space results in an error.

This rule now filters the specified clients, applies other conditions and actions defined in the rule, and then allows or denies access to Office 365.
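
The following is an added example, not Okta code or an Okta API: a local Python model for checking a planned rule list against the text-box constraints and first-match ordering described above. It assumes the filter is compared as a case-insensitive substring of the User-Agent header and that the rules differ only in their client filter; the `Rule` structure, rule names, and User-Agent string are hypothetical.

```python
# Added example: local model of the filter rules on this page. It never calls Okta.
from dataclasses import dataclass

MAX_LEN = {"classic": 100, "identity_engine": 256}  # limits stated on this page

def validate_filter(text, engine="classic"):
    """Return the filter unchanged if the text box would accept it."""
    if not text.strip():
        raise ValueError("empty or white-space-only filter")
    if len(text) > MAX_LEN[engine]:
        raise ValueError(f"longer than {MAX_LEN[engine]} characters")
    return text  # white space is significant, so nothing is trimmed

@dataclass
class Rule:  # hypothetical structure; a list of these is in priority order
    name: str
    client_filter: str
    action: str                # "ALLOW" or "DENY"
    strong_auth: bool = False  # True when Device Trust or MFA is required

    def matches(self, user_agent):
        # ASSUMPTION: case-insensitive substring match against User-Agent.
        return self.client_filter.casefold() in user_agent.casefold()

def first_match(rules, user_agent):
    """Return the first rule in priority order that matches, else None."""
    return next((r for r in rules if r.matches(user_agent)), None)

def lint(rules):
    """Flag rules that can never fire and allow rules resting on User-Agent alone."""
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            # Any User-Agent containing this filter also contains the earlier one.
            if earlier.client_filter.casefold() in rule.client_filter.casefold():
                findings.append(f"{rule.name}: shadowed by {earlier.name}")
                break
        if rule.action == "ALLOW" and not rule.strong_auth:
            findings.append(f"{rule.name}: allow without Device Trust or MFA")
    return findings

# Constructed sample policy and User-Agent string.
RULES = [
    Rule("allow-word", validate_filter("WinWord"), "ALLOW"),
    Rule("deny-old-word", validate_filter("WinWord/14"), "DENY"),
    Rule("allow-spaced", validate_filter(" WinWord "), "ALLOW", strong_auth=True),
]
UA = "ExampleOffice/16.0 (winword/14)"

if __name__ == "__main__":
    print(first_match(RULES, UA).name)
    print(lint(RULES))
```

In the sample, the deny rule never applies because the broader allow rule sits above it, and that allow rule depends on the User-Agent header alone.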
