Feb 05 2020 03:41 AM - last edited on Feb 10 2023 02:36 PM by TechCommunityAP
I want to have a couple of users who are not able to use any of the Office 365 online services (like Planner, SharePoint, OneDrive). Therefore I created a security group with the members and a standard Office 365 E3 license and only Microsoft Teams as an application. But the user is still able to access all online services.
Feb 05 2020 12:21 PM
@Thomas_Steibl, the last time I checked, access to SharePoint is granted to synced users by default. No licence required. It is that certain functionality of SharePoint is deprecated for licensed users.
What you need is to explicitly block access to SharePoint for users. What has worked for me in the past is:
1- Make sure none of the sites have blanket access (e.g. access to Everyone, or Everyone except external user)
2- Create a security group with all the users who should have access and grant that group access appropriately
Same goes with ODFB.
Feb 05 2020 12:48 PM
@mrehmat okay thanks!
But why is it also possible to access Planner, for instance? Why is it even possible to select or deselect this application for users in the licensing process if it's available anyway???
Feb 10 2020 01:08 AM
@Thomas_Steibl You can block access for specific users with Azure AD Conditional Access. Regardless of their license status.
Feb 11 2020 01:27 AM
Feb 11 2020 02:02 AM
@Thomas_Steibl See attached screenshot. You can select all apps and then make exclusions if you want.
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
Feb 11 2020 06:29 AM - edited Feb 11 2020 06:32 AM
Thanks @JanBakkerOrphaned! I created a policy to block all access and included all cloud apps and excluded Teams. Unfortunately I can't access any resources anymore (office.com or Teams App)...
Feb 11 2020 07:01 AM
@Thomas_Steibl Unfortunately this cannot be done for the Teams app, because Teams is also triggered when you use the Office 365 (preview), SharePoint and Exchange app.
Feb 11 2020 08:30 AM - edited Feb 11 2020 08:31 AM
Is there a way to restrict Browser access? For instance - it's fine if the user is within a Teams group where they are using Planner, but the user should not be able to open tasks.office.com...
A user should be able to use the Teams client but not the Teams browser interface.
Feb 12 2020 01:37 AM
@Thomas_Steibl Yes, you can also do this with conditional access.
You can restrict browser access for the apps you've selected. Users can still use the Desktop & Mobile clients. In order to do that, you can select Browsers from the Client app section under Conditions.
Be careful of what users and apps you select. You can easily lock yourself out ;)
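
The browser-only block described in the last reply, written as a Microsoft Graph `conditionalAccessPolicy` body together with a pre-flight check for the lockout risk mentioned above. This is an added example, not part of the original thread; the group IDs are placeholders and the rules in `lockout_risks` are this example's own assumptions about what makes a block policy too broad.

```python
import json

# Hypothetical placeholder object IDs; substitute your own group IDs.
RESTRICTED_GROUP = "00000000-0000-0000-0000-000000000001"
BREAK_GLASS_GROUP = "00000000-0000-0000-0000-000000000002"


def browser_block_policy(target_group, exclude_group, report_only=True):
    """Build a Graph conditionalAccessPolicy body that blocks browser sign-ins only."""
    return {
        "displayName": "Block browser access to Office 365 for restricted users",
        # Report-only first: sign-ins are evaluated and logged but not blocked.
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeGroups": [target_group], "excludeGroups": [exclude_group]},
            "applications": {"includeApplications": ["Office365"]},
            # Only the Browser client app type; desktop and mobile clients are untouched.
            "clientAppTypes": ["browser"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def lockout_risks(policy):
    """Return reasons a block policy could lock out more than intended."""
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    apps = cond.get("applications", {})
    if "block" not in policy.get("grantControls", {}).get("builtInControls", []):
        return []
    risks = []
    if "All" in users.get("includeUsers", []):
        risks.append("targets all users")
    if not (users.get("excludeUsers") or users.get("excludeGroups")):
        risks.append("no emergency-access exclusion")
    if "All" in apps.get("includeApplications", []) and \
            cond.get("clientAppTypes", ["all"]) == ["all"]:
        risks.append("blocks all cloud apps on every client type")
    if policy.get("state") == "enabled":
        risks.append("enforced without a report-only trial")
    return risks


if __name__ == "__main__":
    policy = browser_block_policy(RESTRICTED_GROUP, BREAK_GLASS_GROUP)
    print(json.dumps(policy, indent=2))
    print("risks:", lockout_risks(policy))
```

The printed JSON is the request body for `POST /identity/conditionalAccess/policies` in Microsoft Graph; review the report-only results in the sign-in logs before switching `state` to `enabled`.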