SOLVED

Restrict Sharepoint access through Teams on mobile devices

Copper Contributor

Hi , is there a way to restrict access to SharePoint content through Teams interface (Files Tab) on unmanaged mobile devices. There is such a need as I want such users (on un managed devices) to access Teams for calls/video and may be chat but not to access SharePoint fIles and folders and maybe similarly not the Onedrive  files. 

 

Have enforced conditional access and also as SharePoint admin blocked access to SharePoint from unmanaged devices but it still doesn't seem to restrict the access.  

5 Replies
You can control this from the SP admin center to be reflected for both OD4B and SharePoint through the SP admin center, and you can have more control over the options available through AAD. Follow this article for more info:

https://docs.microsoft.com/en-us/sharepoint/control-access-from-unmanaged-devices

@derhallim Thanks for the response. However, this is something we have already done. Result is that users from unmanaged devices are still able to access through Teams (Files Tab) all the files and folders that reside in SharePoint sites. Requirement is to block access to  SharePoint while allowing MS Teams for communication, i.e., chat, meeting , video calls. Cant think that there is a gap in Microsoft's access policies for Teams and SharePoint....

best response confirmed by AVVerifile (Copper Contributor)
Solution

@AVVerifile 

 

We managed to achieve this with a separate Conditional access policy which excluded any hybrid joined device or compliant device.  Coupling this with an app protection policy to prevent any potential data leakage via copy paste etc for teams means that we have users with unmanaged devices accessing teams but not being able to potentially leak data/ access documents on devices outside of the organisation.

 

Users and groups 

specify your scope here of whom you wish for this policy to apply to.

 

Cloud apps or actions 

Include only sharepoint online 

 

Conditions 

 Device platform 

Any device - This is so it affects if a user tries to access sharepoint content via any unmanaged device.

Locations 

Any location  - did not include trusted locations due to not wanting an unauthorized device being able to access this inside the corporate network.

Client apps 

Include both browser and mobile apps and desktop clients. only tick box excluded was apply policy only to supported platforms. 

Device state 

Include all device state but exclude compliant and hybrid joined devices from this policy

Access controls

block access

 

Cheers

Will 

 

 

 

I had a similar request a time ago - the result was, that it is not possible. Due to the so called „service dependency“, if you block one service which is used by teams, the whole app will be blocke. …

But I will give it another try with Wills suggestions.
How have you advanced this policy now that Device State is deprecated?
1 best response

Accepted Solutions
best response confirmed by AVVerifile (Copper Contributor)
Solution

@AVVerifile 

 

We managed to achieve this with a separate Conditional access policy which excluded any hybrid joined device or compliant device.  Coupling this with an app protection policy to prevent any potential data leakage via copy paste etc for teams means that we have users with unmanaged devices accessing teams but not being able to potentially leak data/ access documents on devices outside of the organisation.

 

Users and groups 

specify your scope here of whom you wish for this policy to apply to.

 

Cloud apps or actions 

Include only sharepoint online 

 

Conditions 

 Device platform 

Any device - This is so it affects if a user tries to access sharepoint content via any unmanaged device.

Locations 

Any location  - did not include trusted locations due to not wanting an unauthorized device being able to access this inside the corporate network.

Client apps 

Include both browser and mobile apps and desktop clients. only tick box excluded was apply policy only to supported platforms. 

Device state 

Include all device state but exclude compliant and hybrid joined devices from this policy

Access controls

block access

 

Cheers

Will 

 

 

 

View solution in original post