By: Cristina Osorio Valenzuela – Product Manager 2 | Microsoft Endpoint Manager – Intune and Grace Picking - Sr. Product Manager | Azure Active Directory Identity
An optimal combination of Conditional Access policies and recommended SharePoint Online and Exchange Online settings can help secure access to corporate resources on personal devices while allowing employees to utilize Office 365 applications. By allowing employees to check their emails, collaborate in Teams, and work on Office documents, you can empower users to do what they need without sacrificing security.
Note: This scenario is intended for customers that have at least Premium P1 Azure Active Directory (Azure AD) licenses. Microsoft provides security defaults that ensure a basic level of security for those that do not have Azure AD Premium.
For a demonstration of the admin and user experience as described in this blog, see this video: https://aka.ms/browsercontrolsWindows/video.
Providing employees web access to Office 365 on their personal devices boosts productivity by allowing them the flexibility to check emails, collaborate in Teams, and work on Office documents securely from any location.
The following process will help you to set up a secure web access experience for Windows personal devices using Conditional Access and the Microsoft 365 admin capabilities.
1. Configure SharePoint to grant web access only and restrict print, download and synchronization of files from the browser.
Refer to SharePoint and OneDrive unmanaged device access controls for administrators to configure SharePoint Conditional Access policies.
Screenshot of the "Unmanaged devices" pane on the Access control screen in the SharePoint admin center.
This action will create two Conditional Access policies in your Azure AD tenant that can be modified to meet your organization’s needs and can be accessed in the Microsoft Endpoint Manager admin center, as seen below. Note that you can follow the documentation above for SharePoint or create a Conditional Access policy manually and add all the services you need.
Screenshot of the "Conditional Access" policies pane in Azure Active Directory.
These Conditional Access policies:
- Will be assigned to All Users by default. To modify the policies to target a specific group of users, see Users and groups in Conditional Access policies.
- Will not apply to unmanaged devices (devices that are non-compliant in Microsoft Intune or not hybrid Azure AD joined). So, it is important that all your Azure AD managed devices meet your compliance policies.
- Will allow you to disable printing, downloading, and syncing content when the app-enforced restrictions are checked on session controls. This setting applies to content from SharePoint Online and other applications or services that use SharePoint Online for file storage, such as OneDrive and Teams.
Screenshot showing an example warning message, “Your organization doesn’t allow you to download, print, or sync using this device,” on an example Microsoft Word document.
- To restrict download, print, and file sync from the browser, you will need to set the ConditionalAccessPolicy setting to ‘AllowLimitedAccess’ via PowerShell. For instructions and more advanced configuration options see: Control access from unmanaged devices in Microsoft 365.
Screenshot of configuring the "ConditionalAccessPolicy" setting to "AllowLimitedAccess" in PowerShell.
- This policy will affect iOS, Android, Windows, and macOS. If you have already created policies for personal mobile devices, make sure this doesn’t conflict with them or exclude Android and iOS devices from the Conditional Access device platforms policies.
2. Configure Exchange Online to grant web access only.
We recommend that you also apply policies to other Office 365 apps. Conditional Access policies can be scoped to other applications, such as Exchange Online, as explained in Conditional Access in Outlook on the web for Exchange Online.
If you completed Step 1 above, we recommend you add Exchange Online to the Conditional Access policies to apply the same controls. Some PowerShell configuration is required for Exchange Online. Refer to Secure email recommended policies to complete the required steps for this policy to take effect.
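The tenant-level PowerShell settings that Steps 1 and 2 depend on, as an added example that is not part of the original post or its linked documentation. It assumes the SharePoint Online Management Shell and ExchangeOnlineManagement modules are installed, that `<tenant>` is replaced with your tenant name, and that the default OWA mailbox policy still carries its default name.

```powershell
# Step 1: SharePoint Online / OneDrive - limited, web-only access for unmanaged devices.
# Requires the Microsoft.Online.SharePoint.PowerShell module and a SharePoint admin role.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"   # <tenant> is a placeholder

# Record the current value before changing anything, so the change can be reviewed or rolled back.
$spoBefore = (Get-SPOTenant).ConditionalAccessPolicy
Write-Host "SharePoint ConditionalAccessPolicy before: $spoBefore"

# AllowLimitedAccess = browser-only access with download, print and sync blocked.
# The other accepted values are AllowFullAccess (no restriction) and BlockAccess.
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

# Verify the setting actually took effect; tenant settings can take time to propagate.
$spoAfter = (Get-SPOTenant).ConditionalAccessPolicy
if ($spoAfter -ne "AllowLimitedAccess") {
    Write-Warning "SharePoint ConditionalAccessPolicy is '$spoAfter', expected 'AllowLimitedAccess'."
}

# Step 2: Exchange Online - read-only Outlook on the web for unmanaged devices.
# Requires the ExchangeOnlineManagement module and an Exchange admin role.
Connect-ExchangeOnline

# List every OWA mailbox policy and its current ConditionalAccessPolicy so none is missed.
Get-OwaMailboxPolicy | Select-Object Name, ConditionalAccessPolicy

# ReadOnly lets users read mail in the browser but blocks downloading attachments;
# ReadOnlyPlusAttachmentsBlocked also hides attachments. Off disables the restriction.
# Apply it to the default policy (assumed name); repeat for any custom policies you use.
Set-OwaMailboxPolicy -Identity "OwaMailboxPolicy-Default" -ConditionalAccessPolicy ReadOnly

# Verify, as above.
$owaAfter = (Get-OwaMailboxPolicy -Identity "OwaMailboxPolicy-Default").ConditionalAccessPolicy
if ($owaAfter -ne "ReadOnly") {
    Write-Warning "OWA ConditionalAccessPolicy is '$owaAfter', expected 'ReadOnly'."
}

Disconnect-ExchangeOnline -Confirm:$false
```

Neither setting does anything on its own: the restriction is only enforced when a Conditional Access policy in Azure AD applies the "Use app enforced restrictions" session control to SharePoint Online and Exchange Online for the targeted users and device platforms.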
3. Secure services not covered by session controls.
You might want to restrict web access to other services. If you are licensed for Microsoft Defender for Cloud Apps, you can leverage it to protect data with Conditional Access App Control by applying access and session controls. This guide shows you the steps to enable this through a Conditional Access policy.
4. If you cannot secure access to the services not covered by session controls, consider blocking them.
Conditional Access policies can be designed to grant access, limit access with session controls, or to block access. To build a Conditional Access policy, see: Plan a Conditional Access deployment, our deployment guide that walks you through setting up Conditional Access policies.
This article showed you how to configure SharePoint Online and Exchange Online to grant web access only for unmanaged personal devices. It also serves as a guide to configuring the possible restrictions within browser access. The objective is to demonstrate some easy steps to boost your users’ productivity by leveraging your existing Azure AD and EMS licensing.
Stay tuned for Edge protection policies for Windows. This new capability is expected to be available later this year and would add an extra layer of control to what was explained in this article.
If you have any questions or comments for the Intune team, reply to this post or reach out to @IntuneSuppTeam on Twitter.