Allow or deny custom clients in Office 365 sign on policy

This is an Early Access feature. To enable it, contact Okta Support.

You can filter specific clients in an Office 365 app sign on rule to allow or deny them access to Office 365 resources. This filter is especially useful if you want to deny access to certain clients that you do not support or trust. Alternatively, you can use this filter to only allow clients you trust. It gives you a more granular control over the clients that get access to your Office 365 app.

Best practices

Okta sign on policies evaluate information included in the User-Agent request header sent from the user’s browser. However, User-Agent can be spoofed by a malicious actor. To avoid this, Okta recommends the following practices:

  • Allow only trusted clients when creating the sign on policies.
  • Create one or more rules that specify the client type(s), device platform(s), and trust combinations that are allowed to access the app.
  • Require Device Trust or MFA to access the app. See Okta Device Trust solutions and Multifactor Authentication .

Start this procedure

In your Office 365 app,

  1. Go to the Sign On tab > Sign On Policy > Add Rule. An App Sign On Rule window pops up.
  2. In the Client section > If the user's client is any of these, select Custom.
  3. Enter the name of the client for which you want to allow or deny access. See the About the custom client filter text box section below.

  4. Complete other sections as appropriate and click Save. See Get started with Office 365 sign on policies.
  5. Back in the Sign On Policy section, place this rule at an appropriate priority level. Okta evaluates each rule by priority and applies the first rule that matches.
  6. Repeat Steps 1-5 for each custom client for which you want to allow or deny access.

This rule now filters the specified clients, applies other conditions and actions defined in the rule, and then allows or denies access to Office 365.

Important Note

Important

If you select both the Web Browser and Custom options for a sign on rule under the Client section > If the user's client is any of these, then the rule will apply when either of the options is applicable.

About the custom client filter text box

  • Maximum 100 characters are allowed.
  • Special characters are allowed.
  • Text is case insensitive. For example, WinWord, winword, and Winword are all treated alike.
  • Any white space - leading, trailing, or between words - is used verbatim. For example, WinWord (with leading and trailing white space), WinWord (without any white space), and Win Word are different.
  • Leaving the text box empty or only entering white space results in an error.