Restrict access to documents on unmanaged devices in Microsoft 365
Previously, I wrote a blog post to block downloading O365 files on an unknown device. We did this with the preview option within conditional access of Azure AD. In SharePoint or OneDrive for business, this option also exists. In this blog, we will briefly go through the options and the differences. Also read definitely the Azure AD security standards and in 15 steps to a digital workplace with Microsoft 365 E3 or E5.
Why limit access? Today we use document data "differently" than we used to. We used to have one file server and handle document data relatively mature. It was not so obvious to share documents except by e-mail. Attachments could not be large, often up to 10 mb. Today there is a range of technological solutions for every challenge. Everyone today is able to host their personal drive, or organization on private platforms. And then the question is: Do you want to?
Start in the SharePoint portal
In the SharePoint portal, under Policies - Access Control - Unmanaged Devices you have the option to choose these 3 options:
Full access, limited access or block access.
In this case, we choose block restricted web access.
Conditional access
Condition access is giving access on conditions. An example is shown below.
Browse to https://po rtal.azure.com to open the Azure Portal.
Look for conditional access in the top bar.
You just created this policy through the changes in the SharePoint control panel.
If you look deeper into this policy you will see that it contains 4 services. Exchange (Outlook Online), Office 365 SharePoint(Including OneDrive), Yammer & Microsoft Teams.
You can see that this policy ensures that only the browser and modern authentication clients can connect to the above services.
