Conditional Access “limited access” policies for SharePoint are in public preview!
First published on CloudBlogs on Mar, 09 2017
Enabling productivity while securing data is the fine line IT pros walk today, and having the right tools to do it makes it that much easier. In the past, employees working from their personal devices was a recipe for leaked data.
But not anymore! Working with the SharePoint team, we've created a great new feature in the conditional access experience that I think you're going to love: the ability to limit a user's ability to download, print and sync based on the state of their device.
To tell you more about it, I've invited one of my program managers, Nitika Gupta, to write a blog, which you'll find below. Read up, try things out, and let us know what you think!
Alex Simons (Twitter:
Director of Program Management
Microsoft Identity Division
I'm Nitika Gupta, a Program Manager in the Identity Security and Protection team at Microsoft. Today we are announcing the public preview of a feature that will enhance security for SharePoint and OneDrive access while still helping maintain productivity.
Microsoft Intune and Azure Active Directory conditional access provides the ability to grant or block access to resources based on device state. This helps organizations ensure content doesn't get on to a machine that isn't encrypted, locked, secure from malware, etc. This is an important aspect of securing company data.
Unfortunately, not all devices can be managed. Sometimes people need to work from home computers, personal devices, or shared machines that aren't enrolled. Until now, this meant losing productivity by denying access to SharePoint altogether or allowing unsecured download of content. Because of this, IT admins struggle to find the balance when configuring policies to prevent data leakage of corporate resources while ensuring that employees remain productive.
But what if we could have great user productivity and maintain a great security posture? That's what the Secure, Productive Enterprise is all about – and why
I am thrilled to announce the public preview of the "
Limited Access to SharePoint and OneDrive"
Now you can allow access to SharePoint and OneDrive from an unmanaged device by granting browser-only access with download, print, and sync disabled. Users can stay productive, and you can be assured that when they sign off, no data is leaked onto the unmanaged device.
Let me show you how it works in Azure AD Conditional Access and SharePoint!
Configuring limited browser-only access to SharePoint and OneDrive is an easy two-step process. See our
limited access documentation
for more detailed instructions.
Tip: To prevent users from going around the browser policy and accessing resources from mobile and desktop applications on unmanaged devices, we recommend enabling Azure AD conditional access policy. This enables access from mobile and desktop apps only from a compliant or domain joined device.
Next, go to
in the SharePoint admin center and select the checkbox to "Allow limited access (web-only, without the Download, Print, and Sync commands)"
Note: It can take up to 15 minutes for policy changes to take effect.
End user experience
When accessing SharePoint and OneDrive from devices that are not compliant or domain joined, end users will see a warning banner explaining why their experience is limited.
We would love to hear your feedback! If you have any suggestions for us, questions, or issues to report, please leave a comment at the bottom of this post, or tweet with the hashtag #AzureAD.