
Device-based Conditional Access Policies Rolling out to First Release for SharePoint and OneDrive

@williambaer

The collaboration landscape has changed: people expect to work across organizational boundaries and across devices, bringing content with them rather than going to wherever the content lives.  Location, location, location may be the rule when buying or selling a home, but location is exactly what makes securing that content hard.  Ubiquitous connectivity and the proliferation of devices mean new security challenges to respond to, and SharePoint Online and OneDrive for Business are uniquely positioned to help you address them.

Over the past several weeks we have introduced a variety of policies, including location-based policies, that provide contextual controls at the user, location, device, and app levels.  You can now explore new device-based policies in First Release.

Conditional access provides the control and protection you need to keep corporate data secure while your people roam freely between apps and devices, accessing data in the cloud and on-premises and doing their best work from any device.

Device-based policies let you allow or block access, or challenge users with multi-factor authentication, device enrollment, or a password change.

In First Release, device-based policies for SharePoint Online and OneDrive for Business help administrators keep data on corporate resources from leaking onto unmanaged devices, that is, devices that are not domain joined or not compliant.  On such devices access to content is limited to the browser, so files cannot be taken offline or synchronized with the OneDrive for Business sync client.

Configuring Device-based Policies in First Release Tenants

To begin using device-based policies, your Office 365 tenant must be set up for First Release.

1. In the SharePoint admin center, click device access.

2. Under Control access from devices that aren't compliant or joined to a domain, decide whether you want to limit web access or block all access, and then click the link to configure the policy in the Microsoft Azure portal.

For detailed information on configuring these policies, see https://support.office.com/article/5ae550c4-bd20-4257-847b-5c20fb053622.

FAQ

Q:  Are there any license requirements to use these new policies?

A:  Yes.  An active Azure Active Directory Premium (P1) license and Intune licenses are required.

Q:  Does the policy apply to existing sessions?

A:  No.  The policy applies to new sessions only; sessions that are already established keep working until they re-authenticate.

Q:  Are there special considerations for files that do not support online viewing?

A:  Yes.  By default, files that can't be viewed online (such as zip files) can be downloaded.  If you want to prevent download of these files onto unmanaged devices, you can opt in to block download of files that can't be viewed on the web.  This results in a read-only experience for end users, and customizations may be affected.
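The two-step procedure in the section above and the opt-in described in this answer can both be applied from the SharePoint Online Management Shell rather than the admin center. The following is an added example and is not code from the original post. It assumes that the installed module's Set-SPOTenant exposes the -ConditionalAccessPolicy and -LimitedAccessFileType parameters (not every tenant had them when this post was written; check Get-Help Set-SPOTenant), that the admin center URL https://contoso-admin.sharepoint.com is a placeholder for your own, and that the value names in the comments match your module's documentation.

```powershell
# Added example (not from the original post): apply the device-based access
# policy for SharePoint Online / OneDrive for Business from PowerShell.
# Assumes the SharePoint Online Management Shell is installed and that its
# Set-SPOTenant exposes -ConditionalAccessPolicy and -LimitedAccessFileType.
# The admin URL below is a placeholder; replace it with your own tenant's.

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

function Get-SpoDeviceAccessState {
    # Returns the two tenant settings behind the "device access" page in the
    # SharePoint admin center, so they can be recorded before any change.
    $tenant = Get-SPOTenant
    [pscustomobject]@{
        ConditionalAccessPolicy = $tenant.ConditionalAccessPolicy   # AllowFullAccess | AllowLimitedAccess | BlockAccess
        LimitedAccessFileType   = $tenant.LimitedAccessFileType     # OfficeOnlineFilesOnly | WebPreviewableFiles | OtherFiles
    }
}

function Set-SpoDeviceAccessPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # "Limit web access" in the admin center corresponds to AllowLimitedAccess;
        # "Block all access" corresponds to BlockAccess.
        [Parameter(Mandatory)]
        [ValidateSet('AllowFullAccess', 'AllowLimitedAccess', 'BlockAccess')]
        [string]$Policy,

        # Only meaningful together with AllowLimitedAccess. OtherFiles lets files
        # the browser cannot render (for example .zip) be downloaded; the other
        # two values block that download, which is the opt-in the FAQ describes
        # and what makes the experience read-only on unmanaged devices.
        [ValidateSet('OfficeOnlineFilesOnly', 'WebPreviewableFiles', 'OtherFiles')]
        [string]$FileType = 'WebPreviewableFiles'
    )

    $before = Get-SpoDeviceAccessState
    Write-Verbose ("Current: policy={0} fileType={1}" -f $before.ConditionalAccessPolicy, $before.LimitedAccessFileType)

    if ($PSCmdlet.ShouldProcess("tenant", "set ConditionalAccessPolicy=$Policy")) {
        if ($Policy -eq 'AllowLimitedAccess') {
            Set-SPOTenant -ConditionalAccessPolicy $Policy -LimitedAccessFileType $FileType
        } else {
            Set-SPOTenant -ConditionalAccessPolicy $Policy
        }
    }

    # Re-read so the caller sees what the service actually stored. Per the FAQ
    # the policy applies to new sessions only, so existing sessions are
    # unaffected until they re-authenticate.
    Get-SpoDeviceAccessState
}

# Record the current state, then limit unmanaged devices to the browser and
# block download of files the browser cannot preview. -WhatIf previews the change.
Get-SpoDeviceAccessState
Set-SpoDeviceAccessPolicy -Policy AllowLimitedAccess -FileType WebPreviewableFiles -Verbose
```

Because the function supports -WhatIf, you can dry-run it in a change window and compare the before and after objects it returns; the re-read after Set-SPOTenant is what confirms the service accepted the values rather than trusting that the cmdlet returned without error.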

 

Q:  How do I protect content from being synchronized with OneDrive for Business or opened with the Office client or mobile apps?

A:  To prevent content from being synchronized with OneDrive for Business or opened with the Office client or mobile apps, we recommend you reuse Azure AD Conditional Access policies to allow access only from managed devices.  For additional information, refer to https://www.microsoft.com/en-us/cloud-platform/conditional-access.  For additional protection of HBI (high business impact) data, you should also consider using Azure RMS.
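One way to build the Azure AD Conditional Access policy this answer recommends, as an added example and not code from the original post: it uses the Microsoft Graph PowerShell SDK, which post-dates this post (at the time the policy was created in the Azure portal), and assumes an account that can consent to the Policy.ReadWrite.ConditionalAccess, Policy.Read.All and Application.Read.All scopes. The policy targets SharePoint Online for desktop and mobile clients only (the sync client and the Office desktop and mobile apps) and grants access only if the device is marked compliant by Intune or is domain joined; browser sessions are left to the SharePoint limited-access policy described in the body of the post. The display name and the break-glass exclusion list are placeholders, and the policy is created in report-only state so you can confirm in the sign-in logs which users and clients would be affected before switching it to enabled.

```powershell
# Added example (not from the original post): create the Azure AD Conditional
# Access policy recommended above with the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed and the signed-in account can
# consent to the scopes below. Display name and exclusion list are placeholders.

Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

function New-ManagedDeviceOnlySharePointPolicy {
    param(
        [string]$DisplayName = 'SPO: require managed device for desktop and mobile clients',

        # Object IDs of emergency-access (break-glass) accounts to exclude, so a
        # misconfigured policy cannot lock every administrator out.
        [string[]]$ExcludeUserIds = @(),

        # Start in report-only mode; switch to 'enabled' after reviewing sign-in logs.
        [ValidateSet('enabledForReportingButNotEnforced', 'enabled', 'disabled')]
        [string]$State = 'enabledForReportingButNotEnforced'
    )

    # Resolve the first-party SharePoint Online application ID from the tenant's
    # own service principal instead of hard-coding a GUID.
    $spo = Get-MgServicePrincipal -Filter "displayName eq 'Office 365 SharePoint Online'"
    if (-not $spo) { throw "SharePoint Online service principal not found in this tenant." }

    $body = @{
        displayName   = $DisplayName
        state         = $State
        conditions    = @{
            users        = @{ includeUsers = @('All'); excludeUsers = $ExcludeUserIds }
            applications = @{ includeApplications = @($spo.AppId) }
            # Browser sessions are intentionally excluded: the SharePoint
            # limited-access policy already reduces them to read-only. This
            # policy governs the sync client and the Office desktop/mobile apps.
            clientAppTypes = @('mobileAppsAndDesktopClients')
        }
        grantControls = @{
            # OR: either an Intune-compliant device or a domain-joined device satisfies the policy.
            operator        = 'OR'
            builtInControls = @('compliantDevice', 'domainJoinedDevice')
        }
    }

    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

$policy = New-ManagedDeviceOnlySharePointPolicy

# Confirm the stored policy matches what was requested before anyone enables it.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id |
    Select-Object DisplayName, State,
        @{ n = 'Apps';     e = { $_.Conditions.Applications.IncludeApplications } },
        @{ n = 'Clients';  e = { $_.Conditions.ClientAppTypes } },
        @{ n = 'Controls'; e = { $_.GrantControls.BuiltInControls } }
```

Keeping the policy in report-only mode first matters because a device-based block on SharePoint Online affects every OAuth client that talks to it (Teams, OneNote, Visual Studio, the sync client and SharePoint Designer all authenticate to the same resource), so the sign-in log review tells you which clients would be cut off before any user is.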

3 Comments

Very cool stuff @Bill Baer!! :-) Looking forward to work with it!

Interesting! thanks for the tips.


This week on Tuesday, March 28, 2017 at 2:38 PM EDT, we started noticing issues maintaining connection between Office desktop applications and SharePoint Online.

The following day Microsoft Teams (Cloud and Desktop) could not find SharePoint Online site collections and all of our users were unable to "Open/Edit in [Office Product]".
OneNote could not sync to SharePoint Online sources. OneDrive sync tool kept losing its brains. Visual Studio could not hold/keep work credentials. SharePoint Designer could not resolve to SPO site collections.

Microsoft Office Online read and edit worked fine.

OneDrive for Business, Exchange Online and Skype for Business did not show the symptoms.

We tracked the problem down to this configuration change rolled out into our tenant.

Tracing showed login.windows.net was reporting "The user or administrator has not consented to use the application with ID..." with every application reporting the same ID.

We found an article from Feb 28 announcing device access control being released into the Office 365 tenant with Block as the default for SharePoint Online.

https://reoffice365.com/new-device-access-section-in-the-sharepoint-online-administration-b827d08802...

We changed the settings to "Allow" and while it took about 45 minutes to propagate through the system, all of our OAuth issues dissipated.

Microsoft Teams could see SPO again, and Edit in desktop apps worked again.

We are now following up with Microsoft to find out why the Block stopped EVERYTHING authenticating with SharePoint Online and why everything reported the same Application ID.

Did anyone else run into this scenario?