Allowing Excel Desktop only to specific users outside trusted ip

Question

Allowing Excel Desktop only to specific users outside trusted ip

SM 0

We have implemented Conditional Access policies that restrict users from accessing Microsoft O365 applications outside of the demo environment (ex IP: 1.1.1.1), which has been added as an exception.

However, we have a requirement for a specific group of users to be excluded from this restriction. For these users, we would like to allow access only to Microsoft Excel, while keeping all other O365 applications restricted as per the existing policy.

Could you please confirm if this can be achieved through Conditional Access policies? If yes, kindly guide us on the recommended approach or configuration for implementing this requirement.

0 comments

2 answers

Your answer

Answer 1

Ryan-N 13,335 Microsoft External Staff Moderator

Hi @SM,

Welcome to the Microsoft Q&A forum.

Based on your description, I understand that you have created a Conditional Access policy that only allows users to access Office applications from approved IP addresses.

However, you would like to set up some exceptions, where certain users can still access the Excel application without being restricted by this policy, while other applications remain subject to the limitation.

I would like to provide the following information:

This request cannot be achieved because Conditional Access does not differentiate between individual applications (such as Word, Excel, or Outlook). Instead, the policy is typically applied to the entire Office suite.

Therefore, if you allow these users to access Excel without restrictions, the other applications in the Office suite will also not be restricted.

I hope this information is helpful

If you have any questions or need further assistance, please feel free to share them in the comments on this post so I can continue to support you.

I look forward to continuing the conversation.

If the answer is helpful, please click "Accept Answer" and kindly upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

SM 0 Reputation points

2026-05-18T06:14:01.3166667+00:00

Hi,

Thank you for the clarification regarding Conditional Access limitations with Office apps.

Could you please confirm if there is any alternative way to achieve this requirement using AppLocker, WDAC, or Intune application control policies?

The requirement is to allow only the Excel desktop app while restricting other Office desktop applications.

Thank you.
Ryan-N 13,335 Reputation points Microsoft External Staff Moderator

2026-05-19T17:55:46.6666667+00:00
Hi @SM,

Thank you for your response.

To help me provide more accurate and relevant information, could you please provide a few additional details:

Will these users be using a fixed computer, or will they be signing in to Excel on multiple different devices?

For example: will they be using a company-provided computer but accessing from different IP addresses, or will they be using multiple devices/computers to sign in?

I look forward to hearing from you.
Ryan-N 13,335 Reputation points Microsoft External Staff Moderator

2026-05-20T19:43:19.4633333+00:00

Hi @SM,

I would like to check in on the status of your issue—has it been resolved yet?

In my previous response, I asked you to provide some information so I could assist you better. Please kindly review and get back to me whenever you can.

Answer 2

Yes, this can be achieved with Conditional Access by using separate policies and careful scoping of users, apps, and locations.

High-level approach

Keep the existing “block outside trusted IPs” policy for most users.
Create a dedicated group for the special users.
Exclude that group from the existing block policy.
Create a new policy for that group that:
- Applies only when they are outside the trusted IP/location.
- Blocks all Office 365 apps except Excel.

Recommended configuration

Prepare user groups
- Create a security group (for example, CA-Excel-Only-Outside-TrustedIP) and add the specific users.
- Ensure emergency access/break-glass accounts and any Conditional Access exclusion group remain excluded from broad policies, as recommended.
Existing “block outside trusted IPs” policy
- In the existing policy that blocks access outside your demo environment:
  - Assignments → Users or workload identities
    - Include: All users (or your current scope).
    - Exclude:
      - Emergency access accounts.
      - Any Conditional Access exclusion group.
      - The new CA-Excel-Only-Outside-TrustedIP group.
- Assignments → Target resources / Resources (formerly cloud apps)
  - Include: All resources (or all cloud apps), as in the block example.
- Conditions → Location
  - Include: Any location.
  - Exclude: Your trusted/demo IP location (for example, 1.1.1.1 marked as a trusted location).
- Access controls → Grant
  - Block access.
- Start in Report-only mode, then move to On after validation, following the pattern in the block example policy.
New policy for the special users (Excel only outside trusted IP)
- Create a new Conditional Access policy.
- Assignments → Users or workload identities
  - Include: The CA-Excel-Only-Outside-TrustedIP group.
  - Exclude: Emergency access accounts and any global exclusion group if needed.
- Assignments → Target resources / Resources
  - Include: All resources (formerly “All cloud apps”).
  - Exclude: Office 365 (Microsoft 365) as a whole is not sufficient for per-app control, so use:
    - Include: All resources.
    - Exclude: All apps except Excel.
  Practically, this is implemented as:
  - Policy A (for this group):
    - Include: All resources.
    - Exclude: Excel.
    - Grant: Block access.
  - Policy B (for this group):
    - Include: Excel only.
    - Grant: Allow access (or require MFA / other controls as desired).
  Because Conditional Access evaluates multiple policies together, the combination results in:
  - Outside trusted IPs, this group is blocked from all apps by Policy A.
  - Excel is excluded from the block in Policy A and explicitly allowed by Policy B.
- Conditions → Location (both policies for this group)
  - Configure: Yes.
  - Include: Any location.
  - Exclude: Your trusted/demo IP location.
- Access controls
  - Policy A: Grant → Block access.
  - Policy B: Grant → Allow access (optionally with MFA or other controls).
Safety and lockout prevention
- Always exclude at least one admin/emergency account from broad “All users / All apps” policies to avoid lockout, as recommended.
- Consider using a Conditional Access exclusion group for temporary troubleshooting access and manage it with governance tools.
Deployment practice
- Put new policies in Report-only mode first to validate impact using sign-in logs and policy reports.
- After confirming that only Excel is allowed for the special group outside the trusted IP and all other apps are blocked, switch the policies to On.

This design uses:

User/group scoping and exclusions.
Location conditions (trusted vs non-trusted IPs).
Multiple policies with different app scopes and grant controls to achieve “Excel only” for a specific group outside trusted IPs.

References:

Share via

Allowing Excel Desktop only to specific users outside trusted ip

2 answers

Your answer