Office Online Document Creation Difficulty with Conditional Access

If you’re here, it’s because you’re seeing the error: “Your Office 365 admin has set a conditional access policy that restricts your access to Word Online”

This isn’t my typical area of focus; however, I do work a lot with Azure, EMS, and Office 365 in general, and a client brought this issue to my attention. Since Google and Bing yielded no results, I thought I’d blog it in case anyone else was searching for it.

In a nutshell, if you configure an Azure AD Conditional Access policy for Exchange Online, your ability to create documents directly from Word Online, and Office Online in general, becomes blocked. The error message you’ll receive, “Your Office 365 admin has set a conditional access policy that restricts your access to Word Online,” can be seen in the screenshot below.

Here’s the catch: it’s expected behavior, and there’s nothing you can do about it at the moment. I have a case open with Microsoft and will update this post if I find more, but right now you’re stuck. There are workarounds, such as creating the documents directly from OneDrive, and this is noted in the error statement as seen; however, that’s a whole user education issue that’s going to be troublesome. When setting up conditional access, you have access to a select group of cloud applications. Some applications, such as Office Online, are actually bundled with Exchange Online, so when you set access control on one, you’ve set access controls on them all. I’m presuming that since Word Online doesn’t re-prompt you for authentication, you’re not going to get your additional conditional access challenge and you’re simply blocked.

Again, my intention is to update this case if there’s any response from Microsoft as this is escalated other than “expected behavior”.