Forum Discussion
Conditional Access - Allow access to Teams, but block SharePoint Online
We have Conditional Access policies in place that require everyone accessing any of our 365 apps to do so on a compliant device. This works great.
We have one small user group where it is required they have access to Exchange Online from non-managed machines. So we excluded them from the Conditional Access policy and created a new one specifically for this group that is identical, but excludes Exchange Online from the Conditional Access policy. This works great - their non-managed machines are blocked from everything except email.
But then a request has come in to also allow them to access Teams meetings on these machines. We don't want them to access SharePoint Online or any other integrated apps with SharePoint - this is purely so they can jump on a call on these machines.
But if Microsoft Teams is added as an excluded app in the policy, I can see in the AzureAD sign-in logs that it is continuing to match Microsoft Teams and applying the Conditional Access policy controls. Accessing Outlook continues to work just fine.
I'm making an assumption that perhaps access to SharePoint Online, or maybe even some other additional services, are a pre-requisite for Teams and that's why it's matching. But I haven't found out if this is the case by Googling. Does anybody know?
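One way to check the assumption in the question directly from the sign-in logs is to look not at the client app of each Teams sign-in but at the resource the token was issued for. Conditional Access matches app assignments and exclusions against that resource app, and Microsoft documents Teams as having early-bound dependencies on Exchange Online and SharePoint Online, so a Teams client produces separate sign-in events with "Office 365 SharePoint Online" and "Office 365 Exchange Online" as the resource. Those events are matched by a policy that still includes SharePoint Online, whether or not "Microsoft Teams" is excluded. The script below is an added example, not code from the original post; it assumes the Microsoft Graph PowerShell SDK is installed and that the UPN, which is a placeholder, belongs to a user in the affected group.

```powershell
# Added example (not code from the original post): list a user's recent Teams
# sign-ins, showing the resource each token was issued for and which
# Conditional Access policies actually applied to that request.
# Assumes the Microsoft Graph PowerShell SDK is installed and the admin running it
# can consent to AuditLog.Read.All and Directory.Read.All.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$upn = 'pilotuser@contoso.example'   # placeholder UPN of a user in the pilot group

# Most recent 200 sign-in events for the user.
$signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn'" -Top 200

$signIns |
    Where-Object { $_.AppDisplayName -eq 'Microsoft Teams' } |
    ForEach-Object {
        $evt = $_
        # Keep only policies that were actually evaluated to a decision; skip notApplied etc.
        $applied = $evt.AppliedConditionalAccessPolicies |
            Where-Object { $_.Result -in @('success', 'failure') } |
            ForEach-Object { '{0} [{1}]' -f $_.DisplayName, $_.Result }

        [pscustomobject]@{
            Time      = $evt.CreatedDateTime
            ClientApp = $evt.AppDisplayName       # the application that requested the token
            Resource  = $evt.ResourceDisplayName  # the application the token is FOR
            Compliant = $evt.DeviceDetail.IsCompliant
            CAStatus  = $evt.ConditionalAccessStatus
            Policies  = ($applied -join '; ')
        }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Rows where ClientApp is "Microsoft Teams" but Resource is "Office 365 SharePoint Online" are the ones the policy is catching; an exclusion for the Teams app does not touch them because the exclusion list is compared against the Resource column, not the ClientApp column.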
5 Replies
- TOnymcgra (Copper Contributor)
Hi,
I have a similar need: we have a department, and all workers in that department are part of one AD security group. We need to give them access to Teams only, to allow them to join meetings and to host meetings, but we need to block all access to SharePoint and OneDrive data.
They are all on managed devices, so I was wondering whether the steps and controls documented for unmanaged devices can be set in a way that applies to managed devices too?
(And if not, why is this limited to unmanaged devices only? What's the thinking here?)
- LeonPavesic (Silver Contributor)
Hi APM123,
Yes, it is correct that SharePoint Online is a pre-requisite for Teams. Teams uses SharePoint Online to store and share files, as well as for some other features such as meeting recordings and transcripts.
This means that if you want to allow users to access Teams meetings on non-managed machines, you will need to exclude SharePoint Online from the Conditional Access policy for that group of users.
But, you can do this in a way that still prevents users from accessing SharePoint Online itself.
To do this, you can create a new Conditional Access policy that is specifically for Teams. This policy should exclude the SharePoint Online app, as well as any other integrated apps that you do not want users to access. You can then target this policy to the same group of users as your existing Exchange Online policy. This will allow users to access Teams meetings on non-managed machines, but it will still prevent them from accessing SharePoint Online or any other integrated apps.
Here is how to do this:
- Create a new Conditional Access policy.
- Under Conditions, select Apps.
- Select Microsoft Teams, and then click Exclude.
- Under Assignments, select Users and groups.
- Select the group of users that you want to allow access to Teams meetings on non-managed machines.
- Click Select.
- Under Enforce access, select Grant access.
- Click Create.
Your new Conditional Access policy will now be in effect. Users in the targeted group will be able to access Teams meetings on non-managed machines, but they will still be prevented from accessing SharePoint Online or any other integrated apps.
Here are some useful links regarding your question:
- Microsoft Docs article on Conditional Access: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/
- Microsoft blog post on Conditional Access policies for Teams and SharePoint: https://learn.microsoft.com/en-us/sharepoint/authentication-context-example
- Microsoft Docs article on how to block access to SharePoint Online from unmanaged devices: https://learn.microsoft.com/en-us/sharepoint/control-access-from-unmanaged-devices
- Microsoft Docs article on how to create a Conditional Access policy for Teams: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policies
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item. If the post was useful in other ways, please consider giving it a Like.
Kindest regards,
Leon Pavesic
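The kind of group-scoped policy this thread is about (compliant device required for every cloud app, scoped to one group, with a short list of exempted apps) can be created through Microsoft Graph PowerShell rather than the portal, which also makes the exclusion list explicit and reviewable. The script below is an added example, not code from the original post or from the reply above. The group name, policy name and permission scopes are assumptions; the first-party app IDs are resolved from the tenant's own service principals instead of being hard-coded. The comment on excludeApplications records the behaviour described earlier in the thread: exclusions are matched against the resource a token is requested for, so a Teams client's own requests for Office 365 SharePoint Online tokens stay inside this policy as long as SharePoint Online is not itself excluded.

```powershell
# Added example (not code from the original post or reply): create the group-scoped
# "require compliant device" policy discussed in the thread, in report-only mode first.
# Assumes the Microsoft Graph PowerShell SDK is installed and the admin can consent to
# Policy.ReadWrite.ConditionalAccess, Application.Read.All and Group.Read.All.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All', 'Group.Read.All'

# Resolve a first-party resource app ID from the tenant's service principals and
# fail loudly if the name is ambiguous, rather than pasting GUIDs into the policy.
function Get-FirstPartyAppId {
    param([Parameter(Mandatory)][string]$DisplayName)
    $sp = @(Get-MgServicePrincipal -Filter "displayName eq '$DisplayName'")
    if ($sp.Count -ne 1) {
        throw "Expected exactly one service principal named '$DisplayName', found $($sp.Count)"
    }
    $sp[0].AppId
}

$exchangeAppId = Get-FirstPartyAppId 'Office 365 Exchange Online'
$teamsAppId    = Get-FirstPartyAppId 'Microsoft Teams'

# Placeholder group name; this is the group excluded from the tenant-wide policy.
$group = Get-MgGroup -Filter "displayName eq 'CA-Pilot-Unmanaged-Mail'"
if (-not $group) { throw 'Target group not found' }

$policy = @{
    displayName   = 'Require compliant device - pilot group (exempt Exchange Online and Teams)'
    # Report-only: the policy is evaluated and logged but not enforced.
    # Change to 'enabled' once the sign-in log review looks right.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('all')
        users          = @{ includeGroups = @($group.Id) }
        applications   = @{
            includeApplications = @('All')
            # Exclusions are matched against the RESOURCE a token is requested for.
            # Excluding the Teams app exempts tokens issued for Teams itself; the
            # Teams client's requests for Office 365 SharePoint Online tokens (files,
            # recordings, channel storage) remain covered because SharePoint Online
            # is still inside 'All'. That is the behaviour observed in the question.
            excludeApplications = @($exchangeAppId, $teamsAppId)
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Leave the policy in report-only mode for a few days and review the affected users' sign-in events (the AppliedConditionalAccessPolicies entries will carry report-only results) before switching state to 'enabled'; that review is also where the SharePoint Online resource requests made by the Teams client become visible.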
- Dariosp86 (Copper Contributor)
Hi LeonPavesic
I have a similar scenario, but not quite 🙂 I'll try to be brief about it:
I need to disable SharePoint access (all files from all sites shared with them) for a few specific users; however, when I enable the Conditional Access policy they also lose access to the Teams application. As far as I've learned, this is caused by the early-bound dependencies taking effect for the global policy enforcement.
Is it possible to counteract this by creating a new targeted policy for those users that grants access to Teams?
I'm actually going to try this; I'll be back with the outcome.
Thanks
- Lewis_Ingram (Copper Contributor)
I'm trying to implement the same. Did it work for you?
- irfanmz (Copper Contributor)
Make sure these accounts do not have SharePoint access or OneDrive access, and just add those accounts to the policy exclusion. Nice and easy fix.