SharePoint online - Full Access from unmanaged devices

%3CLINGO-SUB%20id%3D%22lingo-sub-2331396%22%20slang%3D%22en-US%22%3ESharePoint%20online%20-%20Full%20Access%20from%20unmanaged%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2331396%22%20slang%3D%22en-US%22%3E%3CP%3EGreetings%2C%20I%20need%20to%20achieve%20the%20below%20Goal%20but%20struggling%20to%20think%20of%20any%20other%20options%20to%20enable%20the%20desired%20behavior.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3ETenant%3C%2FSTRONG%3E%3A%20Office%20365%20E3%3B%20SharePoint%20Online%20with%20100%2B%20sites%20and%20which%20currently%20has%20%E2%80%98Allow%20limited%2C%20web-only%20access%E2%80%99%20enabled%20for%20unmanaged%20devices%3C%2FP%3E%3CP%3E%3CSTRONG%3EGoal%3C%2FSTRONG%3E%3A%20Guests%20should%20be%20able%20to%20open%20and%20download%20documents%20on%20one%20of%20the%20sites.%3C%2FP%3E%3CP%3E%3CSTRONG%3E%26nbsp%3B%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CSTRONG%3ETesting%26nbsp%3B%20performed%3A%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E1.%20There%20a%20number%20of%20articles%20suggesting%20one%20can%20run%20%3CEM%3ESet-SPOSite%20%3CA%20href%3D%22https%3A%2F%2F0365lt.sharepoint.com%2Fsites%2Fnabu%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3E%3CSPAN%3E-Identity%3C%2FSPAN%3E%3C%2FA%3E%20%5B%5D%20-ConditionalAccessPolicy%20AllowFullAccess%3C%2FEM%3E%20to%20enable%20full%20access%20on%20one%20site%2C%20those%20are%20misleading%2C%20what%20happens%20then%20is%20that%20all%20your%20SharePoint%20sites%20will%20be%20%E2%80%98unlocked%E2%80%99%20to%20Full%20Access%20regardless%20what%20the%20GUI%20for%20Unmanaged%20Devices%20suggests%20and%20every%20new%20sites%20created%20will%20be%20unlocked%20as%20well.%3C%2FP%3E%3CP%3ETo%20make%20this%20case%20work%2C%20the%20setting%20for%20unmanaged%20devices%20should%20be%20set%20to%20%26nbsp%3B%E2%80%98Allow%20full%20access%20from%20desktop%2C%20apps%2C%20mobile%20apps%E2%80%A6%E2%80%99%2C%20then%20run%20a%20script%20to%20lock%20all%20the%20existing%20sites%20(100%2B)%20back%20to%20%E2%80%98Allow%20limited%2C%20web-only%20access%E2%80%99%20except%20for%20one%20site.%20All%20new%20or%20%E2%80%98to%20be%20created%E2%80%99%20sites%20will%20also%20need%20to%20be%20scripted%20to%20maintain%20web-only%20access.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E2.%20Exclude%20SharePoint%20security%20group%20from%20existing%20Conditional%20Access%20policies%20created%20for%20SharePoint%20or%20the%20ones%20that%20enforce%20web-only%20access.%20Excluding%20the%20security%20group%20or%20even%20guests%20and%20external%20users%20options%20do%20not%20work%2C%20i.e.%20the%20site%20in%20question%20remains%20in%20web-only%20mode.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20could%20not%20think%20of%20any%20other%20option%2C%20so%20%231%20above%20remains%20the%20only%20valid%20one.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHas%20anyone%20come%20across%20the%20same%20requirement%20and%20how%20did%20you%20achieve%20it%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Visitor

Greetings, I need to achieve the below Goal but struggling to think of any other options to enable the desired behavior. 

 

Tenant: Office 365 E3; SharePoint Online with 100+ sites and which currently has ‘Allow limited, web-only access’ enabled for unmanaged devices

Goal: Guests should be able to open and download documents on one of the sites.

 

Testing  performed:

1. There a number of articles suggesting one can run Set-SPOSite -Identity [] -ConditionalAccessPolicy AllowFullAccess to enable full access on one site, those are misleading, what happens then is that all your SharePoint sites will be ‘unlocked’ to Full Access regardless what the GUI for Unmanaged Devices suggests and every new sites created will be unlocked as well.

To make this case work, the setting for unmanaged devices should be set to  ‘Allow full access from desktop, apps, mobile apps…’, then run a script to lock all the existing sites (100+) back to ‘Allow limited, web-only access’ except for one site. All new or ‘to be created’ sites will also need to be scripted to maintain web-only access.

 

2. Exclude SharePoint security group from existing Conditional Access policies created for SharePoint or the ones that enforce web-only access. Excluding the security group or even guests and external users options do not work, i.e. the site in question remains in web-only mode.

 

I could not think of any other option, so #1 above remains the only valid one.

 

Has anyone come across the same requirement and how did you achieve it?

0 Replies