SOLVED
Home

Condition Access Question

%3CLINGO-SUB%20id%3D%22lingo-sub-114127%22%20slang%3D%22en-US%22%3ECondition%20Access%20Question%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-114127%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20have%20following%20business%20requirement.%3C%2FP%3E%3CP%3EOnly%20the%20devices%20issued%2Fapproved%20by%20IT%20departmernt%20should%20be%20able%20to%20access%20SharePoint%20Online.%20How%20can%20we%20acheive%20this%20using%20conditional%20or%20compliance%20policies%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20don't%20have%20on%20prem%20AD.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%2C%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-114127%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EConditional%20Access%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-125927%22%20slang%3D%22en-US%22%3ERe%3A%20Condition%20Access%20Question%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-125927%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Christopher%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESharePoint%20access%20control%20did%20the%20job!%20However%2C%20I%20still%20have%20following%20questions%2Fdoubts.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1.%20Why%20manually%20created%20conditional%20access%20policies%20were%20not%20working%20with%20same%20settings%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E2.%20Now%2C%20since%20I%20have%20this%20in%20place%20%26amp%3B%20working.%20How%20can%20I%20restrict%20only%20the%20IT%20admins%20to%20have%20capability%20to%20join%20Azure%20AD%3F%20A%20user%20can%20still%20join%20his%20home%20PC%20to%20Azure%20AD%20and%20conditional%20policy%20will%20allow%20him%20to%20access%20SharePoint.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E3.%20How%20will%20I%20make%20the%20same%20working%20for%20other%20apps%3F%20e.g.%20Exchange%20online.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMany%20thanks!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-123137%22%20slang%3D%22en-US%22%3ERe%3A%20Condition%20Access%20Question%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-123137%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3CBR%20%2F%3EThe%20following%20article%20should%20help%20you%20set%20this%20up.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fcloudblogs.microsoft.com%2Fenterprisemobility%2F2017%2F03%2F09%2Fconditional-access-limited-access-policies-for-sharepoint-are-in-public-preview%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fcloudblogs.microsoft.com%2Fenterprisemobility%2F2017%2F03%2F09%2Fconditional-access-limited-access-policies-for-sharepoint-are-in-public-preview%2F%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.office.com%2Fen-us%2Farticle%2FControl-access-from-unmanaged-devices-5ae550c4-bd20-4257-847b-5c20fb053622%3Fui%3Den-US%26amp%3Brs%3Den-US%26amp%3Bad%3DUS%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.office.com%2Fen-us%2Farticle%2FControl-access-from-unmanaged-devices-5ae550c4-bd20-4257-847b-5c20fb053622%3Fui%3Den-US%26amp%3Brs%3Den-US%26amp%3Bad%3DUS%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAlso%2C%20in%20order%20for%20'Use%20App%20enforce%20restriction'%20session%20access%20control%20to%20work.%20You%20have%20to%20set%20your%20organization%20to%20'First-Release'%20for%20everyone.%20This%20will%20then%20update%20the%20sharepoint%20admin%20center%20access%20control%20page%20to%26nbsp%3Bset%20controls%20for%20sharepoint%20online%20access.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHope%20this%20helps!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-117675%22%20slang%3D%22en-US%22%3ERe%3A%20Condition%20Access%20Question%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-117675%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20for%20your%20reply.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20%22Require%20domain%20joined%22%20setting%20doesn't%20work.%20It%20seems%20it%20applies%20to%20On%20prem%20domain%20joined%20only.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20trying%20to%20use%20compliance%20condition.%20However%2C%20I%20don't%20want%20users%20to%20auto%20enroll.%20Only%20admin%20should%20be%20able%20to%20enroll.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-117511%22%20slang%3D%22en-US%22%3ERe%3A%20Condition%20Access%20Question%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-117511%22%20slang%3D%22en-US%22%3E%3CP%3EIf%20your%20machines%20are%20AAD%20joined%20or%20registered%20then%20you%20can%20create%20a%20condition%20access%20policy%20that%20defines%20the%26nbsp%3B%3CEM%3E%3CSTRONG%3EWho-What-How%26nbsp%3B%20%3C%2FSTRONG%3E%3C%2FEM%3Eand%20grants%20access%20for%20domain%20joined%20machines.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWho%3A%20What%20users%20do%20you%20want%20the%20policy%20to%20apply%20to%20or%20exclude%3C%2FP%3E%3CP%3EWhat%3A%20The%20services%20you%20wish%20for%20the%20policy%20to%20apply%20to%3C%2FP%3E%3CP%3EHow%3A%20The%20method%20of%20accessing%20the%20service%20(app%20or%20web%20browser).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20312px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F22323i4D784EB9D841C162%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Granting.PNG%22%20title%3D%22Granting.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EI%20hope%20that%20makes%20sense.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-116709%22%20slang%3D%22en-US%22%3ERe%3A%20Condition%20Access%20Question%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-116709%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eyes%2C%20we%20use%20EMS%20E3%20(Intune%20and%20AD%20P1).%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECan%20you%20please%20suggest%20how%20to%20make%20it%20work%20-%20Steps%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIdeanlly%2C%20we%20want%20to%20have%20a%20workflow%20like%20below.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-%20Have%20a%20policy%20in%20place%20that%20allows%20only%20Azure%20AD%20joined%20machines%20to%20access%20SharePoint%20Online.%3C%2FP%3E%3CP%3E-%20Only%20Admins%20can%20join%20machines%20to%20Azure%20AD.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%2C%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-116620%22%20slang%3D%22en-US%22%3ERe%3A%20Condition%20Access%20Question%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-116620%22%20slang%3D%22en-US%22%3EAre%20your%20computers%20all%20Azure%20domain%20joined%3F%20I%20would%20say%20Conditional%20Access%20is%20your%20friend%20for%20this.%20Do%20you%20use%20Intune%3F%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-115161%22%20slang%3D%22en-US%22%3ERe%3A%20Condition%20Access%20Question%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-115161%22%20slang%3D%22en-US%22%3E%3CP%3EHey%20Vineet%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20aware%20of%20the%20following%20solution%2C%20there%20could%20be%20other%20options%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETo%20find%20out%20if%20a%20device%20is%20issued%20by%20the%20org%2Fis%20compliant%20you%20would%20need%20a%20MDM%20solution%20like%20Intunes%20to%20find%20this%20information.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOnce%20this%20is%20done%20you%20could%20leverage%20the%20azure%20ad%20conditional%20access%20policies%20to%20regulate%20the%20access.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Vineet Arora
Contributor

Hi,

 

We have following business requirement.

Only the devices issued/approved by IT departmernt should be able to access SharePoint Online. How can we acheive this using conditional or compliance policies?

 

We don't have on prem AD.

 

Thanks,

7 Replies
Highlighted

Hey Vineet,

 

I am aware of the following solution, there could be other options;

 

To find out if a device is issued by the org/is compliant you would need a MDM solution like Intunes to find this information.

 

Once this is done you could leverage the azure ad conditional access policies to regulate the access.

Are your computers all Azure domain joined? I would say Conditional Access is your friend for this. Do you use Intune?

Hi,

 

yes, we use EMS E3 (Intune and AD P1). 

 

Can you please suggest how to make it work - Steps?

 

Ideanlly, we want to have a workflow like below.

 

- Have a policy in place that allows only Azure AD joined machines to access SharePoint Online.

- Only Admins can join machines to Azure AD.

 

Thanks,

If your machines are AAD joined or registered then you can create a condition access policy that defines the Who-What-How  and grants access for domain joined machines.

 

Who: What users do you want the policy to apply to or exclude

What: The services you wish for the policy to apply to

How: The method of accessing the service (app or web browser).

 

Granting.PNG

I hope that makes sense.

Hi,

 

Thanks for your reply.

 

The "Require domain joined" setting doesn't work. It seems it applies to On prem domain joined only.

 

I am trying to use compliance condition. However, I don't want users to auto enroll. Only admin should be able to enroll.

 

Thanks.

Solution

Hi,
The following article should help you set this up.

 

https://cloudblogs.microsoft.com/enterprisemobility/2017/03/09/conditional-access-limited-access-pol...

 

https://support.office.com/en-us/article/Control-access-from-unmanaged-devices-5ae550c4-bd20-4257-84...

 

Also, in order for 'Use App enforce restriction' session access control to work. You have to set your organization to 'First-Release' for everyone. This will then update the sharepoint admin center access control page to set controls for sharepoint online access.

 

Hope this helps!

Hi Christopher,

 

SharePoint access control did the job! However, I still have following questions/doubts.

 

1. Why manually created conditional access policies were not working with same settings?

 

2. Now, since I have this in place & working. How can I restrict only the IT admins to have capability to join Azure AD? A user can still join his home PC to Azure AD and conditional policy will allow him to access SharePoint.

 

3. How will I make the same working for other apps? e.g. Exchange online.

 

Many thanks!

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
46 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
13 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
29 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
Extentions Synchronization
Deleted in Discussions on
3 Replies