10-06-2017 02:41 AM
Hi,
We have following business requirement.
Only the devices issued/approved by the IT department should be able to access SharePoint Online. How can we achieve this using conditional access or compliance policies?
We don't have on prem AD.
Thanks,
10-10-2017 10:59 AM
Hey Vineet,
I am aware of the following solution; there could be other options:
To find out if a device is issued by the org/is compliant you would need an MDM solution like Intune to find this information.
Once this is done you could leverage the Azure AD conditional access policies to regulate the access.
10-14-2017 03:57 PM
10-15-2017 10:45 AM
Hi,
Yes, we use EMS E3 (Intune and AD P1).
Can you please suggest how to make it work - steps?
Ideally, we want to have a workflow like below.
- Have a policy in place that allows only Azure AD joined machines to access SharePoint Online.
- Only Admins can join machines to Azure AD.
Thanks,
10-17-2017 01:10 PM
If your machines are AAD joined or registered then you can create a conditional access policy that defines the Who-What-How and grants access for domain joined machines.
Who: What users do you want the policy to apply to or exclude
What: The services you wish for the policy to apply to
How: The method of accessing the service (app or web browser).
I hope that makes sense.
10-18-2017 12:19 AM
Hi,
Thanks for your reply.
The "Require domain joined" setting doesn't work. It seems it applies to on-prem domain joined only.
I am trying to use compliance condition. However, I don't want users to auto enroll. Only admin should be able to enroll.
Thanks.
11-01-2017 08:46 AM
Solution
Hi,
The following article should help you set this up.
Also, in order for the 'Use app enforced restrictions' session access control to work, you have to set your organization to 'First Release' for everyone. This will then update the SharePoint admin center access control page so you can set controls for SharePoint Online access.
Hope this helps!
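A worked version of the Who-What-How policy described in the 10-17 reply, combined with the app-enforced restrictions session control mentioned above, as an added example built with Microsoft Graph PowerShell (not code from this thread or from the linked article). It assumes Connect-MgGraph is available, the break-glass group id is a placeholder, and the policy is created in report-only mode so sign-in logs can be checked before it is enforced.

```powershell
# Added example, not from the thread. Requires the Microsoft.Graph PowerShell module and
# an account allowed to consent to Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$policy = @{
    displayName = "Require Intune-compliant device for SharePoint Online"
    # Report-only first: review the sign-in logs, then change to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # Who: all users, minus an emergency-access group so admins cannot lock themselves out.
        users = @{
            includeUsers  = @("All")
            excludeGroups = @("<break-glass-group-object-id>")   # placeholder, replace with your group id
        }
        # What: the Office 365 SharePoint Online first-party application.
        applications = @{
            includeApplications = @("00000003-0000-0ff1-ce00-000000000000")
        }
        # How: browser sign-ins and modern-auth desktop/mobile apps.
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        # compliantDevice = device is enrolled in Intune and meets its compliance policy.
        # domainJoinedDevice would require hybrid Azure AD join, which is why the
        # "Require domain joined" option does not help without on-prem AD.
        builtInControls = @("compliantDevice")
    }
    sessionControls = @{
        # Hands non-compliant sessions to SharePoint's own access control settings
        # (the SharePoint admin center page referenced above) for limited web-only access.
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Excluding a break-glass group is standard practice for any device-based grant control, because an enforced policy with no exclusions also applies to the administrators who manage it.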
11-09-2017 12:32 AM
Hi Christopher,
SharePoint access control did the job! However, I still have following questions/doubts.
1. Why were manually created conditional access policies not working with the same settings?
2. Now that I have this in place and working, how can I restrict the capability to join Azure AD to only the IT admins? A user can still join his home PC to Azure AD and the conditional access policy will allow him to access SharePoint.
3. How do I make the same work for other apps, e.g. Exchange Online?
Many thanks!