Unmanaged Device Access Policies are Generally Available

Published May 01 2018 03:08 PM 18.5K Views

In March 2017 we introduced device-based policies for SharePoint and OneDrive, that enable administrators to configure Tenant-level policies.


Device-based access policies for SharePoint and OneDrive help administrators ensure corporate data is not leaked onto unmanaged devices such as non-domain joined or non-compliant devices by limiting access to the content to the browser, preventing files from being taken offline, printed, or synchronized with OneDrive.


On September 1st, 2017 we continued to evolve our conditional access investments to address the ever-changing security landscape and business needs by introducing new levels of granularity with conditional access that allow administrators to scope device-based policies at the site collection level.  In addition, this granular policy can be configured to allow users on unmanaged devices to edit Office Online documents in the browser.








Today we’re pleased to say that these policies are now available worldwide, in addition to new site-scoped policies that are available with this update.  This is our major milestone in the conditional access policy journey in SharePoint and OneDrive.


In a world that’s mobile, social, and about getting things done you’re expected to manage a growing number of devices, both managed and unmanaged that can access corporate content.  The corporate boundary as a result, has shifted from the firewall to the employee.  The need for protecting access from the unmanaged devices is ever increasing. This unmanaged device access policy is the right solution for your need.


What’s new in this update?

In this update to device-based policies at the site collection level you can:


  • Blocks users from accessing sites or the tenant from unmanaged devices
  • Allows users to preview only Office file types in the browser
  • Allows office file types to be editable or read-only in the previewer
  • Based on the sensitivity of a site's contents, admins can now set access control from unmanaged devices on different sites to be full access, limited access, or block access



In the demonstration above, the Tenant is configured with a permissive device access policy, allowing full access from unmanaged devices to include desktop apps, mobile apps, and browsers.  The Marketing site inherits the policy configured at the Tenant; however, the Legal site has a policy configured less permissive than that configured at the Tenant level.  In addition, members of the Marketing site, while limited to browser only access on unmanaged devices, can continue to edit content they have access to provide a seamless collaborative experience.


Configuring Device Access Policies Overview

For complete instructions on enabling device-access policies refer to the support documentation at



Unmanaged device access policies can be configured with SharePoint Online Management Shell.


Before you get started using PowerShell to manage SharePoint Online, make sure that the SharePoint Online Management Shell is installed and you have connected to SharePoint Online.



The Tenant-level device-based policy must be configured to Full Access prior to configuring site-scoped policies.


  1. Connect-SPOService -Url https://<URL to your SPO admin center>
  2. $t2 = Get-SPOSite -Identity https://<Url to your SharePoint online>/sites/<name of site collection>
  3. Set-SPOSite -Identity $t2.Url -ConditionalAccessPolicy AllowLimitedAccess

The following parameters can be used with -ConditionalAccessPolicy AllowLimitedAccess for both the organization-wide setting and the site-level setting:


-AllowEditing $false Prevents users from editing files in the browser and copying and pasting file contents out of the browser window.


-LimitedAccessFileType -OfficeOnlineFilesOnly Allows users to preview only Office files in the browser. This option increases security but may be a barrier to user productivity.


-LimitedAccessFileType -WebPreviewableFiles (default) Allows users to preview Office files and other file types (such as PDF files and images) in the browser. Note that the contents of file types other than Office files are handled in the browser. This option optimizes for user productivity but offers less security for files that aren't Office files.


-LimitedAccessFileType -OtherFiles Allows users to download files that can't be previewed, such as .zip and .exe. This option offers less security.


External users, because they most likely use unmanaged devices, access will also be controlled when you use conditional access policies to block or limit access from unmanaged devices. If users have shared items with specific external people (who must enter a verification code sent to their email address) and you want those external users to access shared items from their devices, then you can exempt them from this policy by running the following cmdlet.


Set-SPOTenant -ApplyAppEnforcedRestrictionsToAdHocRecipients $false



  1. This feature has a dependency on Azure Active Directory Conditional Access Policy. 
  2. To learn more about Azure Conditional Access policies work, refer to https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-po...
  3. For related SharePoint policies to prevent access from untrusted networks refer to https://support.office.com/en-us/article/Control-access-to-SharePoint-Online-and-OneDrive-data-based....



As workforces become more globally distributed and the productivity barrier extended beyond the firewall, device-access policies allow you to provide a seamless collaborative experience across an array of devices, both managed and unmanaged, while keeping your most sensitive content that way.  To learn more about security and compliance with SharePoint & OneDrive visit https://aka.ms/SharePoint-Security.


So I'm confused, is it on a per-site, or per-SC level? All the examples you use above are for "modern" sites, each powered by a full SC on the backend. The documentation also only talks about SCs, an we know that the SPO PowerShell module works on the SC level too. Perhaps you might want to make that clearer in the text? I've seen many folks asking specifically for "per-site" controls...


Also, any plans to expose the "per-site" config in the UI?


Other than that, kudos and congrats on the GA. I've been playing with the feature for a while now and showcasing it around, it's awesome. Me and few other MVPs have even requested the Exchange folks to follow your example and bring us similar controls for OWA, so I hope we will see this across all workloads in the future!

Occasional Contributor

How does it work with external users?


@Vasil Michev Policies are scoped at the site collection-level, there are no plans to enable policy configuration via the UX at this time.


@Jaymin Patel External users, because they most likely use unmanaged devices, access will also be controlled when you use conditional access policies to block or limit access from unmanaged devices

@Vasil Michev: OWA is coming up with similar controls later this year. 


@Jaymin Patel: If the guest uses are regular AAD guests then they will be subjected to policy as Bill mentioned. You can chose to exempt them via AAD policy.

Now that's an awesome news, thanks @Sanjoyan Mustafi

Occasional Contributor

I assume your definition of "managed mobile device" is ONLY Intune managed, correct?  We would love the ability to feed managed compliant device details to AAD Conditional Access rules from other MDM's if possible.

Occasional Visitor

Is SP on-prem apply to this solution?

No. This feature is SharePoint Online only

Occasional Visitor

any solution to control the user's ability to download the files from SP 2016? 

Occasional Contributor

Hi @Bill Baer 


We are currently testing this functionality now but it still seems MacOS users coming from unmanaged devices are still able to download files? 

Is this a glitch or is the feature not available for MacOS atm?



@Shanuj Patel: No there should not be any glitch. Please help us by describing the end to end scenario with steps. You can directly send me email at samust@microsoft.com. Thanks. 

Melissa Wong: No this feature is SharePoint Online only

Occasional Contributor

@Sanjoyan Mustafi- It looks like it's now working however, it took a couple of days to apply. As I applied the policy on the 24th of May and I still had logs of users downloading files on the 27th of May.






Has this feature been pulled? I cannot see the commands nor the documentation specified in the article. 



@Paul Bullock: You can find the details of this feature in link below and this feature is GA and used by thousands of customers today: 



New Contributor

@Sanjoyan Mustafi @Bill Baer Is there a known issue with text files? We have the tenant level setting on "WebPreviewableFiles" (the default) and our users are cannot view contents of text files. Is there any other options besides changing to the least restrictive "OtherFiles" ?

Version history
Last update:
‎May 04 2018 12:38 PM
Updated by: