Conditional Access “limited access” policies for SharePoint are in public preview!
Published Sep 07 2018 08:41 AM 34.8K Views
First published on CloudBlogs on Mar, 09 2017
Howdy folks,

Enabling productivity while securing data is the fine line IT pros walk today, and having the right tools to do it makes it that much easier. In the past, employees working from their personal devices was a recipe for leaked data. But not anymore! Working with the SharePoint team, we've created a great new feature in the conditional access experience that I think you're going to love: the ability to limit a user's ability to download, print and sync based on the state of their device. To tell you more about it, I've invited one of my program managers, Nitika Gupta, to write a blog, which you'll find below. Read up, try things out, and let us know what you think!

Best regards,
Alex Simons (Twitter: @Alex_A_Simons)
Director of Program Management
Microsoft Identity Division

----

Hi folks,

I'm Nitika Gupta, a Program Manager in the Identity Security and Protection team at Microsoft. Today we are announcing the public preview of a feature that will enhance security for SharePoint and OneDrive access while still helping maintain productivity.

Microsoft Intune and Azure Active Directory conditional access provide the ability to grant or block access to resources based on device state. This helps organizations ensure content doesn't get onto a machine that isn't encrypted, locked, or protected from malware. This is an important aspect of securing company data.

Unfortunately, not all devices can be managed. Sometimes people need to work from home computers, personal devices, or shared machines that aren't enrolled. Until now, this meant losing productivity by denying access to SharePoint altogether, or allowing unsecured download of content. Because of this, IT admins struggle to find the balance when configuring policies to prevent data leakage of corporate resources while ensuring that employees remain productive. But what if we could have great user productivity and maintain a great security posture?

That's what the Secure, Productive Enterprise is all about, and why I am thrilled to announce the public preview of the "Limited Access to SharePoint and OneDrive" feature! Now you can allow access to SharePoint and OneDrive from an unmanaged device by granting browser-only access with download, print, and sync disabled. Users can stay productive, and you can be assured that when they sign off, no downloaded copies of your content are left on the unmanaged device. Let me show you how it works in Azure AD Conditional Access and SharePoint!

Getting started

Configuring limited browser-only access to SharePoint and OneDrive is an easy two-step process. See our limited access documentation for more detailed instructions.
  1. First create an Azure AD Conditional Access policy for the Office 365 SharePoint Online cloud app that applies only to the browser client app type and uses "Use app enforced restrictions" as the session control. This policy does not block anything by itself; it passes the device state to SharePoint so that SharePoint can apply its own restrictions to the session.
    Tip: To prevent users from going around the browser policy by opening the same content from mobile and desktop applications on unmanaged devices, we recommend a second Azure AD Conditional Access policy for the same cloud app that targets the mobile apps and desktop clients and grants access only from a compliant or domain joined device.
  2. Next, go to device access in the SharePoint admin center and select the checkbox to "Allow limited access (web-only, without the Download, Print, and Sync commands)". It is this SharePoint setting that actually removes the Download, Print, and Sync commands; without it, the Azure AD policy in step 1 has no effect on the session.
Note: It can take up to 15 minutes for policy changes to take effect.
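The two steps above, scripted end to end, as an added example (this is not code from the original post or from Microsoft's documentation). It uses the Microsoft Graph PowerShell SDK, which did not exist when the post was written, for the Azure AD side and the SharePoint Online Management Shell for the SharePoint side. The pilot group name and the tenant name are placeholders; the SharePoint Online application ID is the well-known first-party one and should be checked against your tenant's enterprise application list. The example goes slightly beyond the text in two ways a practitioner would want: both policies are scoped to a pilot group and created in report-only state so they can be evaluated before enforcement, and it ends with a check of the tenant setting that the Access Denied reports in the comments below would make you reach for first.

```powershell
# Added example: limited, browser-only SharePoint/OneDrive access from unmanaged devices.
# Assumes modules Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Groups and
# Microsoft.Online.SharePoint.PowerShell are installed, and that the caller holds
# Conditional Access Administrator and SharePoint Administrator roles.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Placeholder pilot group (assumption, not from the post): scope the policies here first.
$pilotGroup = Get-MgGroup -Filter "displayName eq 'CA-Pilot-SPO-LimitedAccess'"
if (-not $pilotGroup) { throw "Pilot group not found; create it or change the name above." }

# Well-known first-party application ID for Office 365 SharePoint Online (OneDrive for
# Business is covered by the same app). Verify it under Enterprise applications in your tenant.
$spoAppId = "00000003-0000-0ff1-ce00-000000000000"

# Step 1: browser sessions are allowed in, and SharePoint is told to apply its own
# restrictions. No grant control here; this policy only hands the device state to SharePoint.
$browserPolicy = @{
    displayName     = "SPO: browser - use app enforced restrictions"
    state           = "enabledForReportingButNotEnforced"   # switch to "enabled" after piloting
    conditions      = @{
        users          = @{ includeGroups = @($pilotGroup.Id) }
        applications   = @{ includeApplications = @($spoAppId) }
        clientAppTypes = @("browser")
    }
    sessionControls = @{
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $browserPolicy | Out-Null

# The Tip from step 1: rich clients (Office, OneDrive sync client, mobile apps) must come
# from a compliant or domain joined device, otherwise the browser-only policy is bypassable.
$clientPolicy = @{
    displayName   = "SPO: mobile and desktop apps - require managed device"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeGroups = @($pilotGroup.Id) }
        applications   = @{ includeApplications = @($spoAppId) }
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $clientPolicy | Out-Null

# Step 2: the SharePoint admin center checkbox "Allow limited access (web-only, without
# the Download, Print, and Sync commands)" is the AllowLimitedAccess value of this setting.
# "contoso" is a placeholder tenant name.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

# Check (allow up to 15 minutes for propagation): the tenant setting should read
# AllowLimitedAccess, not BlockAccess, and both policies should be listed with their state.
(Get-SPOTenant).ConditionalAccessPolicy
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.DisplayName -like "SPO:*" } |
    Select-Object DisplayName, State
```

Run it once in report-only state, review the sign-in log entries for the pilot group, then set `state = "enabled"` on both policies. If the tenant setting shows `BlockAccess` rather than `AllowLimitedAccess`, unmanaged browsers will be denied outright instead of receiving the limited experience.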

End user experience

When accessing SharePoint and OneDrive from devices that are not compliant or domain joined, end users will see a warning banner explaining why their experience is limited.

Feedback

We would love to hear your feedback! If you have any suggestions for us, questions, or issues to report, please leave a comment at the bottom of this post, or tweet with the hashtag #AzureAD. Thanks, Nitika Gupta @_nitika_gupta
16 Comments
Copper Contributor

Can we enable some folks in the organization to share externally with full access? At the moment we have the "Limited Access to SharePoint and OneDrive" setup, but we need some users to share with external parties and allow them to have full rights to the shared document. How can we achieve this? Having exceptions in a conditional policy does not seem to work.

Thanks,

Yes. You can exempt some users in the AAD policy.

Deleted
Not applicable

Can we achieve below use case in SPO?

We need to allow few employees to share documents to external parties (customers/vendors/partners) through SPO, but we don't want external users to download the content, also we need to track the usage of the content for audit/investigation purpose

@Rafael Lopez-Uricoechea can help here. There is a feature to get sharing link with no downloads. 

Hi @Deleted. We recently released the ability to create sharing links that block download. Our initial release allows you to do this for Office documents. Users can use the Share dialog and go into Link Settings. If the file is an Office document they'll see a "block download" option for the "Anyone" and "People in [organization]" link types. You can read more about it here.

We're also adding support to block download for the "specific people" option. That capability is rolling out right now and should complete over the next few weeks.

For auditing you can go to the Security and Compliance Center. You'll be able to see the sharing activities that have been going on, as well as auditing events for viewing/opening/editing/downloading files and more. You can learn more about auditing in Office 365 here.

Iron Contributor

Hi guys. I'm interested in this limited access functionality. I was thinking that this requirement could be met using RMS/IRM (but IRM documents can't be opened in the Online clients, so it wasn't going to work).

Can you advise me on the following questions?

1) Is the limited access SharePoint policy a global setting for ALL SharePoint? Is there a way to scope the limited access to a subset of users or a subset of the sites?

2) Also, for the limited access policy, I'm assuming that if download is blocked then the ability to open e.g. a Word document from that site in the full client application is also blocked?

3) The list of blocked actions doesn't include "Upload" or "edit", so I'm assuming that standard SharePoint permissions apply for these actions. i.e. If I have edit permissions I can still modify the document in the browser or upload a document?

Thanks guys.

Copper Contributor

We use the Office 365 SharePoint product. We want to achieve that users can view and download from a SharePoint library on all compliant devices, while they can only view SharePoint contents on personal devices, with download NOT allowed. We have enabled "allow limited, web only access" in SharePoint security control. It creates two conditional access policies in Intune device management. The problem we have is that it worked on compliant computers (they can view and download via browser), but we couldn't open the SharePoint home page on a personal computer, with the error message:

Access Denied

Due to organizational policies, you can't download this resource from this untrusted device.

But we would like users to be able to view the content, not block everything.

I wonder if you have any suggestion to achieve this?

Thanks guys,

@Colm Counihan

Please read this article for more details on this SharePoint capability:

https://docs.microsoft.com/en-us/sharepoint/control-access-from-unmanaged-devices?redirectSourcePath...

1) Is the limited access SharePoint policy a global setting for ALL SharePoint? Is there a way to scope the limited access to a subset of users or a subset of the sites? Yes... Read the article.

2) Also, for the limited access policy, I'm assuming that if download is blocked then the ability to open e.g. a Word document from that site in the full client application is also blocked? Yes.

3) The list of blocked actions doesn't include "Upload" or "edit", so I'm assuming that standard SharePoint permissions apply for these actions. i.e. If I have edit permissions I can still modify the document in the browser or upload a document? Yes.

@Lifyy

Are you using a "Modern SharePoint" page? Please mail me a screenshot of the SPO error page and the settings page at samust@microsoft.com.

Also, did you use PowerShell?

Copper Contributor

We are receiving the same "Access Denied" error message when attempting to view a modern SharePoint site.  What is the solution?  We need to implement this conditional access policy in order to comply with our security requirements.

@Larry Haak: Please open a ticket with Microsoft with full details and a Fiddler trace, and also screenshots of what is working and what is not working. Share the ICM ticket number here.

In parallel, send me (samust@microsoft.com) an email with all attachments and copy Kangle Yu <kanyu@microsoft.com>.

Copper Contributor

Hello,

I would like to know what conditions need to be selected when you are trying to enforce a CA policy for a few users from AAD with network location-based control of SharePoint Online / OneDrive. I tried the method below but am not sure this is all that is needed. The restriction is granular and needs to apply from any client app and device platform. Kindly help.

AAD CA Policy:

Assignments
  Users - Selected
  Cloud App - Office 365 SharePoint Online
  Conditions - Device Platform - Any Device
             - Client Apps - All

Access Controls
  Session - Use app enforced restrictions

Corresponding SharePoint admin center CA setting:

Select Network location, and turn on Allow access only from specific IP address ranges.

Copper Contributor

If everyone is on the Basic license and we need to restrict the login location, which only the Premium license has, can we just upgrade 1 license to have the restrictions, or does everyone need to have the Premium license?

Brass Contributor

Hello everyone, will there be an option eventually to allow downloads and printing, and only block sync for this limited access?

@PuneethK: A network location CA policy for each site is not available. You can apply a network location restriction from the SharePoint admin center, but that applies to all of SharePoint and OneDrive and to all users. We are doing some work to come up with such policies this year.

@MariaYacaman: No, there are no such plans.

Version history
Last update:
‎Jul 24 2020 02:01 AM