Device-based Conditional Access Policies Rolling out to First Release for SharePoint and OneDrive
Published Mar 09 2017 09:00 AM 9,161 Views



The collaboration landscape has changed, people expect to work across both boundaries and devices, to bring content with them versus bringing themselves to content.  Location, location, location is the best choice when buying or selling a home, but introduces new challenges when it comes to securing that content.  Ubiquitous connectivity and the proliferation of devices means responding to new security challenges.  SharePoint Online and OneDrive for Business are uniquely positioned to help you address these challenges...


Over the past several weeks we’ve introduced a variety of policies, to include location-based policies, that provide contextual controls at the user, location, device, and app levels and we’re excited to share you can now explore new device-based policies in First Release.


Conditional access provides the control and protection you need to keep your corporate data secure, while giving your people an experience that allows them to do their best work from any device.


Device-based policies allow you to allow or block access or challenge users with Multi-Factor Authentication, device enrollment, or password change.


Device-based policies for SharePoint Online and OneDrive for Business in First Release help administrators ensure data on corporate resources is not leaked onto unmanaged devices such as non-domain joined or non-compliant devices by limiting access to content to the browser, preventing files from being taken offline or synchronized with OneDrive for Business on unmanaged devices.


With conditional access you get the control you need to ensure your corporate data is secure, while your people roam freely between apps and devices, accessing your data in the cloud and on-premises.

Configured Device-based Policies in First Release Tenants

To being using device-based policies you must have your Office 365 Tenant set up for First Release.  


1.       In the SharePoint admin center, click device access.  

2.       Under Control access from devices that aren't compliant or joined to a domain, decide whether you want to limit web access or block all access, and then click the link to configure the policy in the Microsoft Azure portal.  


For detailed information on configuring these policies see also


Q:  Are there any license requirements to use these new policies?

A:  Yes.  An active Azure Active Directory Premium (P1) license in addition to Intune licenses are required.


Q:  Does the policy apply to existing sessions?

A:  No, policy applies to new sessions only.


Q:  Are there special considerations for files that do not support online viewing?

A:  Yes, by default files that can’t be viewed online (such as zip files) can be downloaded.  If you want to prevent download of these files onto unmanaged devices you can opt-in to block download of files that can’t be viewed on the web.  This will result in a read-only experience for the end users and customizations maybe affected.  


Q:  How do I protect content from being synchronized with OneDrive for Business or opened with the Office client or mobile apps.

A:  To prevent content from being synchronized with OneDrive for Business or opened with the Office client or mobile apps we recommend you re-use AAD CA policies to allow access only from managed devices.  For additional information refer to  For additional security on HBI data you should also consider using Azure RMS.

Version history
Last update:
‎Apr 28 2018 11:55 AM
Updated by: