My favorite Conditional Access policies to implement (part one) - Blog Post

Brass Contributor

A bit of light reading today, but still an important topic worth discussing: Conditional Access! If you’re not very experienced with implementing these policies, this post might help set you up in the right direction.

 

This post won’t dive to deeply into the subject, but rather provide a high-level overview of some of my favorite conditional access policies to implement. I’ll briefly explain the policy’s significance, provide guidance on configuring it, and offer preparation tips before implementation.

 

https://myronhelgering.com/my-favorite-conditional-access-policies-to-implement-part-1

 

12 Replies
This comes exactly at the right time as I'm working on the initial setup for Conditional Access App Control Policies. Still reading throught it. Thank you!
No problem Olf, always happy to share!
One question. Interestingly, you cannot control a user's ability to edit a document on Sharepoint with that it seems. I know I could try to do that with Sharepoint permissions but I was wondering. Did I miss something?
No that is right! Session policies can do a lot in Microsoft 365 and other Cloud Apps, for example: Block downloads, block print, block cut or copy, block paste, put sensitivity labels on uploads etc.
But it cannot limit the permission to edit a document on SharePoint during a session from a unmanaged or non-compliant device. Maybe in the future! 😉
Is there any other way to achieve the following:
MS Teams connected Sharepoint site: Give guests view and members edit permissions for files in a library. Problem is: Guests and internal members are part of the same M365 group that is set as Site collection members, effectively granting guests edit permissions. Never liked that logic.
Yeah I understand what you mean. That is unfortunately the disadvantage working with the Microsoft Teams default permission groups while adding guests to a Team.
You will have to work with the SharePoint advanced permissions and add the guests that way, but then the guests won't have access to the Teams anymore, or you could create a specific library or private channel within a team where the files will reside where guests will have view permissions (set from the SharePoint permissions).
Yeah, I agree. No bueno in maintaining user permission management in two different apps. Thanks and keep up the good work.
Hey,
one thing I noticed is that using such a policy to restrict copy/paste/print seems to only work for the Word browser app, for example. Once a user clicks to edit the file in Word Desktop it stops working. Can you confirm that? Thanks.

@colonel_claypoo that is correct, session policies are meant to be for web sessions only! I would advise you to block access from desktop apps for unmanaged devices with Conditional Access or Access Policies. This way people are only able to work from the web, with the cut/copy/print restrictions active.

Another possibility is looking at MAM for Windows, with this you are able to set the same restrictions on an application level for desktop apps. Unfortunately there is no support yet for Office Desktop Apps besides Microsoft Edge at the moment. If you wanna know how it works, I'll leave a link here to my blog about this subject: First Look at MAM for Windows (myronhelgering.com)

Bummer on the one hand but good news for the Future. Thanks for pointing that out and writing about 👍