Forum Discussion
Conditional Access - Allow access to Teams, but block SharePoint Online
Hi APM123,
Yes, it is correct that SharePoint Online is a pre-requisite for Teams. Teams uses SharePoint Online to store and share files, as well as for some other features such as meeting recordings and transcripts.
This means that if you want to allow users to access Teams meetings on non-managed machines, you will need to exclude SharePoint Online from the Conditional Access policy for that group of users.
But you can do this in a way that still prevents users from accessing SharePoint Online itself.
To do this, you can create a new Conditional Access policy that is specifically for Teams. This policy should exclude the SharePoint Online app, as well as any other integrated apps that you do not want users to access.
You can then target this policy to the same group of users as your existing Exchange Online policy. This will allow users to access Teams meetings on non-managed machines, but it will still prevent them from accessing SharePoint Online or any other integrated apps.
Here is how to do this:
- Create a new Conditional Access policy.
- Under Conditions, select Apps.
- Select Microsoft Teams, and then click Exclude.
- Under Assignments, select Users and groups.
- Select the group of users that you want to allow access to Teams meetings on non-managed machines.
- Click Select.
- Under Enforce access, select Grant access.
- Click Create.
Your new Conditional Access policy will now be in effect. Users in the targeted group will be able to access Teams meetings on non-managed machines, but they will still be prevented from accessing SharePoint Online or any other integrated apps.
Here are some useful links regarding your question:
- Microsoft Docs article on Conditional Access: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/
- Microsoft blog post on Conditional Access policies for Teams and SharePoint: https://learn.microsoft.com/en-us/sharepoint/authentication-context-example
- Microsoft Docs article on how to block access to SharePoint Online from unmanaged devices: https://learn.microsoft.com/en-us/sharepoint/control-access-from-unmanaged-devices
- Microsoft Docs article on how to create a Conditional Access policy for Teams: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policies
Kindest regards,
Leon Pavesic
- Dariosp86, Apr 03, 2024, Copper Contributor
Hi LeonPavesic,
I have a similar scenario, but not quite 🙂 I'll try to keep it short:
I need to disable SharePoint access (all files from all sites shared with them) for a few specific users. However, when I enable the Conditional Access policy they also lose access to the Teams application. As far as I've learned, this is caused since the early-bound dependencies take place for the global policy enforcement.
Is it possible to counteract this by creating a new targeted policy for those users that grants access to Teams?
I'm actually going to try this, I'll be back with the outcome.
Thanks
- Lewis_Ingram, Sep 24, 2024, Copper Contributor
I'm trying to implement the same, did it work for you?
- irfanmz, Jan 25, 2024, Copper Contributor
Make sure these accounts do not have SharePoint access or drive access, and just add those accounts to the policy exclusion. Nice and easy fix.