cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Online Services available even if there are no Licenses issued

Thomas_Steibl
Brass Contributor

‎Feb 05 2020 03:41 AM - last edited on ‎Feb 10 2023 02:36 PM by

‎Feb 05 2020 03:41 AM - last edited on ‎Feb 10 2023 02:36 PM by

Online Services available even if there are no Licenses issued

I want to have a couple of users which are not able to use any of the Office 365 online services (like Planner, SharePoint, OneDrive). Therefore I created a security group with the members and a standard Office 365 E3 license and only Microsoft Teams as an application. But the user is still able to access all online services.

Labels:
2,725 Views
1 Like
9 Replies
Reply
9 Replies
mrehmat

‎Feb 05 2020 12:21 PM

‎Feb 05 2020 12:21 PM

Re: Online Services available even if there are no Licenses issued

@Thomas_Steibl, the last time I checked, access to SharePoint is granted to synced users by default. No licence required. It is that certain functionality of SharePoint is deprecated for licensed users.
What you need is to explicitly block access to SharePoint for users. What has worked for me in the past is

1- make sure none of the sites have blanket access (eg access to Everyone, or Everyone except external user)

2- Create a security group with all the users who should have access and grant that group access appropriately

Same goes with ODFB

0 Likes
Reply
Thomas_Steibl

‎Feb 05 2020 12:48 PM

‎Feb 05 2020 12:48 PM

Re: Online Services available even if there are no Licenses issued

@mrehmat okay thanks!

 

But why is it also possible to access planner for instance. Why is it even possible to select or deselect this application for users in the licensing process if it's available anyway???

0 Likes
Reply
JanBakkerOrphaned

‎Feb 10 2020 01:08 AM

‎Feb 10 2020 01:08 AM

Re: Online Services available even if there are no Licenses issued

@Thomas_Steibl You can block access for specific users with Azure AD Conditional Access. Regardless of their license status.

1 Like
Reply
Thomas_Steibl

‎Feb 11 2020 01:27 AM

‎Feb 11 2020 01:27 AM

Re: Online Services available even if there are no Licenses issued

Can you explain that to me a little further?
Currently I don't see a chance to disable all online services besides Teams?! Since I can't select Teams individually?!
Thanks in advance.
0 Likes
Reply
JanBakkerOrphaned

‎Feb 11 2020 02:02 AM

‎Feb 11 2020 02:02 AM

Re: Online Services available even if there are no Licenses issued

@Thomas_Steibl See attached screenshot. You can select all apps and then make exclusions if you want. 

 

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview 

Preview file
123 KB
1 Like
Reply
Thomas_Steibl

‎Feb 11 2020 06:29 AM - edited ‎Feb 11 2020 06:32 AM

‎Feb 11 2020 06:29 AM - edited ‎Feb 11 2020 06:32 AM

Re: Online Services available even if there are no Licenses issuedlock

Thanks @JanBakkerOrphaned! I created a policy to block all access and included all cloud apps and excluded Teams. Unfortunately I can't access any resources anymore (office.com or Teams App)...

 

Annotation.png

0 Likes
Reply
JanBakkerOrphaned

‎Feb 11 2020 07:01 AM

‎Feb 11 2020 07:01 AM

Re: Online Services available even if there are no Licenses issuedlock

@Thomas_Steibl Unfortunately this cannot be done for the Teams app, because Teams is also triggered when you use the Office 365 (preview), SharePoint and Exchange app. 

 

 

 

JanBakker330_0-1581433256938.png

 

 

Preview file
12 KB
0 Likes
Reply
Thomas_Steibl

‎Feb 11 2020 08:30 AM - edited ‎Feb 11 2020 08:31 AM

‎Feb 11 2020 08:30 AM - edited ‎Feb 11 2020 08:31 AM

Re: Online Services available even if there are no Licenses issuedlock

Is there a way to restrict Browser access? For instance - it's fine if the user is within a Teams group where they are using Planner, but the user should not be able to open tasks.office.com...

A user should be able to use the Teams client but not the Teams browser interface.

0 Likes
Reply
JanBakkerOrphaned

‎Feb 12 2020 01:37 AM

‎Feb 12 2020 01:37 AM

Re: Online Services available even if there are no Licenses issuedlock

@Thomas_Steibl Yes, you can also do this with conditional access. 

 

You can restrict browser access for the apps you've selected. Users can still use the Desktop & Mobile clients. In order to do that, you can select Browsers from the Client app section under Conditions. 

 

Be careful of what users and apps you select. You can easily lock yourself out ;) 

 

JanBakker330_0-1581499946036.png

 

 

 

0 Likes
Reply