My favorite Conditional Access policies to implement (part one) - Blog Post


A bit of light reading today, but still an important topic worth discussing: Conditional Access! If you’re not very experienced with implementing these policies, this post might help set you up in the right direction.

 

This post won't dive too deeply into the subject, but rather provide a high-level overview of some of my favorite Conditional Access policies to implement. I'll briefly explain each policy's significance, provide guidance on configuring it, and offer preparation tips before implementation.

 

https://myronhelgering.com/my-favorite-conditional-access-policies-to-implement-part-1

 

This comes exactly at the right time as I'm working on the initial setup for Conditional Access App Control Policies. Still reading through it. Thank you!
No problem Olf, always happy to share!
One question. Interestingly, you cannot control a user's ability to edit a document on Sharepoint with that it seems. I know I could try to do that with Sharepoint permissions but I was wondering. Did I miss something?
No that is right! Session policies can do a lot in Microsoft 365 and other Cloud Apps, for example: Block downloads, block print, block cut or copy, block paste, put sensitivity labels on uploads etc.
But it cannot limit the permission to edit a document on SharePoint during a session from an unmanaged or non-compliant device. Maybe in the future! ;)
Is there any other way to achieve the following:
MS Teams connected Sharepoint site: Give guests view and members edit permissions for files in a library. Problem is: Guests and internal members are part of the same M365 group that is set as Site collection members, effectively granting guests edit permissions. Never liked that logic.
Yeah I understand what you mean. That is unfortunately the disadvantage working with the Microsoft Teams default permission groups while adding guests to a Team.
You will have to work with the SharePoint advanced permissions and add the guests that way, but then the guests won't have access to the Teams anymore, or you could create a specific library or private channel within a team where the files will reside where guests will have view permissions (set from the SharePoint permissions).
Yeah, I agree. No bueno in maintaining user permission management in two different apps. Thanks and keep up the good work.
Hey,
one thing I noticed is that using such a policy to restrict copy/paste/print seems to only work for the Word browser app, for example. Once a user clicks to edit the file in Word Desktop it stops working. Can you confirm that? Thanks.

@Olf that is correct: session policies are meant for web sessions only! I would advise you to block access from desktop apps for unmanaged devices with Conditional Access or Access Policies. This way people are only able to work from the web, with the cut/copy/print restrictions active.

Another possibility is looking at MAM for Windows, with this you are able to set the same restrictions on an application level for desktop apps. Unfortunately there is no support yet for Office Desktop Apps besides Microsoft Edge at the moment. If you wanna know how it works, I'll leave a link here to my blog about this subject: First Look at MAM for Windows (myronhelgering.com)
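The two-policy setup described in the reply above (desktop and mobile clients only from managed devices, browser sessions routed through Defender for Cloud Apps so the session policy can enforce its cut/copy/print/download restrictions), written out as an added example using the Microsoft Graph PowerShell SDK. This is not code from the original post or from the linked blog; the policy names are my own, the break-glass group ID is a placeholder you must replace, and the policies are created in report-only state so they can be reviewed in the sign-in logs before enforcement.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph PowerShell SDK
# (module Microsoft.Graph.Identity.SignIns) and an account that can manage Conditional Access.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" -NoWelcome

# Placeholder (assumption): object ID of your emergency-access / break-glass group.
# Exclude it from every Conditional Access policy so you cannot lock yourself out.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

# Device filter rule used to scope the browser policy to unmanaged devices only:
# anything that is compliant or hybrid-joined is excluded from the policy.
$unmanagedDeviceFilter = @{
    mode = "exclude"
    rule = 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"'
}

# Policy 1: non-browser clients (Office desktop and mobile apps) may reach Office 365 only
# from a compliant or hybrid-joined device. On an unmanaged device the desktop apps are
# therefore blocked, which leaves only the browser, where session policies apply.
$desktopPolicy = @{
    displayName = "CA - Require managed device for Office 365 desktop and mobile apps"
    state       = "enabledForReportingButNotEnforced"   # report-only first; switch to "enabled" after review
    conditions  = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")   # compliant OR hybrid Azure AD joined
    }
}

# Policy 2: browser sessions to Office 365 from unmanaged devices are proxied through
# Defender for Cloud Apps (Conditional Access App Control). The block download / print /
# cut / copy / paste controls themselves are defined as session policies in the
# Defender for Cloud Apps portal; "mcasConfigured" hands the session over to them.
$browserPolicy = @{
    displayName = "CA - Route unmanaged-device browser sessions through Defender for Cloud Apps"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("browser")
        devices        = @{ deviceFilter = $unmanagedDeviceFilter }
    }
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled            = $true
            cloudAppSecurityType = "mcasConfigured"
        }
    }
}

foreach ($policy in @($desktopPolicy, $browserPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}
```

Leave both policies in report-only for a few days and check the "Report-only" tab of the sign-in logs for users who would have been blocked (service accounts, kiosks, or devices that never enrolled are the usual surprises) before changing the state to "enabled". The first policy is a grant control, so it fails closed for any desktop or mobile client that cannot prove a compliant or hybrid-joined device; the second only takes effect when the matching session policy exists in Defender for Cloud Apps.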

Bummer on the one hand, but good news for the future. Thanks for pointing that out and writing about it.