Accessing SharePoint and OneDrive content on unmanaged devices

This week is all about accessing SharePoint sites and OneDrive accounts on unmanaged devices. More specifically, limiting access to SharePoint and OneDrive content on unmanaged devices. Configuring (limited) access to SharePoint sites and OneDrive accounts starts by using conditional access. For applying conditional access to SharePoint sites and OneDrive accounts, the Office 365 SharePoint Online cloud app, or the recently introduced Office 365 (preview) cloud app can be used. The first cloud app is applicable to all services that depend on SharePoint Online (including OneDrive and Teams). The second cloud app is applicable to all productivity and collaboration services of Office 365. An all-in-one app. However, both of these cloud apps don’t provide really granularity to only apply specific behavior for accessing specific SharePoint sites, or OneDrive accounts. In this post I’ll focus on the Use app enforced restrictions session control and the options that it provides for differentiating between SharePoint sites and OneDrive accounts. About three years ago, I did a post on the basic configurations options of that sessions control.

The Use app enforced restrictions session control can be used to require Azure AD to pass device information to the SharePoint Online. That enables SharePoint Online to know whether the connection was initiated from a managed device. In this case a managed device is an Intune managed and compliant device, or a hybrid Azure AD joined device. SharePoint Online can use that information to provide a limited experience to unmanaged devices. Adjusting the experience can be achieved by using the Unmanaged devices access control in SharePoint Online. In this post I’ll have a look at the standard and advanced configuration options of that access control (including a brief look at the future). I’ll end by having a look at the end-user experience.

SharePoint unmanaged devices standard configuration

The Unmanaged devices access control in SharePoint Online can be used to provide full or limited access on unmanaged devices. It’s even possible to completely block access on unmanaged devices. Limiting the access on unmanaged devices allows the end-user to remain productive while minimizing the risk of accidental data loss. With limited access, users, on unmanaged devices, will have browser-only access with no ability to download, print, or sync files. It won’t be possible to access content through apps, including the Microsoft Office desktop apps. This does require the use of modern authentication. An additional reason to block legacy authentication.

The Unmanaged devices access control standard configuration is available via the SharePoint admin center. This access control can be configured for the complete organization by following the next two steps.

  1. Open the SharePoint admin center and navigate to Policies > Access control > Unmanaged devices
  2. On the Unmanaged devices blade, select the experience for the end-user on unmanaged device by choosing between full access, limited access and block access.

When configuring the Unmanaged devices access control with a limited or blocked experience, by following the mentioned steps, the Apps that don’t use modern authentication access control will automatically change to blocked. The main reason for that is that those apps can’t enforce a limited or blocked experience. Also, these configuration will automatically create corresponding conditional access policies.

SharePoint unmanaged devices advanced configuration

The advanced configuration options of the Unmanaged devices access control in SharePoint Online are only available via PowerShell. The standard configuration via the SharePoint admin center can only configure the access control organization-wide, while PowerShell enables the administrator to configure the access control on site-level. That includes OneDrive accounts. That enables the administrator to configure a limited or blocked experience for specific SharePoint sites and OneDrive accounts. That can be achieved by using the Set-SPOTenant cmdlet for organization-wide configurations, or by using Set-SPOSite cmdlet for site-level configurations. Those cmdlets contain the ConditionalAccessPolicy parameter that can be used to configure the Unmanaged devices access control. That parameter can be used with one of the following values:

  • AllowFullAccess – This value will make sure that the configuration of Allow full access from desktop apps, mobile apps, and the web is applied to the tenant or site. This is the default configuration and allows full access for unmanaged devices.
  • AllowLimitedAccess – This value will make sure that the configuration of Allow limited, web-only access is applied to the tenant or site. This is the limiting configuration that will only allow web access and doesn’t allow the user to print, download or synchronize for unmanaged devices.
  • BlockAccess – This value will make sure that the configuration of Block access is applied to the tenant or site. This will completely block access for unmanaged devices.
  • ProtectionLevel – This value is a preview feature that can be used for configuring authentication tags.

For configuring the Unmanaged devices access control for specific SharePoint sites or OneDrive accounts, the Set-SPOSite cmdlet can be used in combination with the ConditionalAccessPolicy parameter and the Identity parameter. The latter parameter is used for specifying the specific SharePoint site or OneDrive account. An example is shown below.

Set-SPOSite -Identity <SpecificSiteOrOneDriveAccount> -ConditionalAccessPolicy AllowLimitedAccess

When using the ConditionalAccessPolicy parameter, it enables the administrator to apply even more restrictions. It enables the administrator to combine the limited access with also removing the ability to edit files and the ability to copy and paste from files. That can be achieved by using the AllowEditing parameter with the value $false (default is $true). An example is shown below.

Set-SPOSite -Identity <SpecificSiteOrOneDriveAccount> -ConditionalAccessPolicy AllowLimitedAccess -AllowEditing $false

Besides limiting the editing abilities for the user, it’s also possible to further limit the preview functionality. That can be achieved by using the LimitedAccessFileType parameter. That parameter can be used with one of the following values:

  • OfficeOnlineFilesOnly – This value will make sure that users can only preview Office files in the browser. This limiting configuration increases security on unmanaged devices, but may decrease user productivity.
  • WebPreviewableFiles – This value value will make sure that users can preview Office files and other file types (such as PDF files and images) in the browser. This is the default configuration and is optimized for user productivity on unmanaged devices, but offers less security for files that aren’t Office files. 
  • OtherFiles – This value will make sure that users can download files that can’t be previewed (such as .zip and .exe) in the browser. This option offers less security on unmanaged devices.

The LimitedAccessFileType parameter enables the administrator to limit the preview functionality, by using one of the three mentioned values. An example is shown below.

Set-SPOSite -Identity <SpecificSiteOrOneDriveAccount> -ConditionalAccessPolicy AllowLimitedAccess -AllowEditing $false -LimitedAccessFileType WebPreviewableFiles

Note: Keep in mind that the site-level configuration will only work as expected when it’s more restrictive than the organization-wide configuration.

Conditional access configuration

The conditional access configuration is required to make sure that Azure AD will pass the device information to the SharePoint Online. That can be achieved by using the Use app enforced restrictions session control. This configuration can be used next to other conditional access policy that use grant controls to make sure that for example MFA is also always required for access to SharePoint Online or OneDrive for Business on unmanaged devices. That in combination with the limited configuration can provide the organization with the required level of access control on unmanaged devices. For this post the focus is on the Use app enforced restrictions session control. That session control can be configured by following the next seven steps.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Security > Conditional access Policies to open the Conditional Access | Policies blade
  2. On the Conditional Access | Policies blade, click New policy to open the New blade
  3. On the New blade and provide a unique name
  4. Select Users and groups to configure the assigned users of this conditional access policy
  5. Select Cloud apps or user actions and select Office 365 SharePoint Online as the assigned app of this conditional access policy
  6. Select Conditions > Client apps and select Browser as the applicable client app of this conditional access policy
  7. Select Session and select Use app enforced restrictions to make sure that the configured limited experience will be applicable to this session

What the future brings

Before having a look at the end-user experience, it might be good to briefly mention that the near future will bring some more possibilities. While writing this post new MFA and other granular policies for SharePoint sites and OneDrive are introduced by using a new user action in conditional access. The Accessing secured app data user action. That user action is already configurable in conditional access by using this url for configuring the conditional access policy. It enables the administrator to configure a few protection levels for data. Those protection levels can be added to SharePoint sites and OneDrive accounts and can be assigned with different conditional access policies. That eventually might provide the administrator with a more granular control over the access to the data in the different locations. Jan Bakker already wrote some more details about that functionality at his blog. More about that subject in the future.

End-user experience

The mentioned configurations enable the administrator to provide different limited experiences to different SharePoint sites and OneDrive accounts. Let’s bring these configurations together to provide a limited experience for accessing OneDrive on unmanaged devices and by blocking access to specific SharePoint sites on unmanaged devices. Below in Figure 3 is an example of the end-user experience when opening a Word document in OneDrive on an unmanaged device, when limited access is configured with web previewable files and no editing options. That will enable the user to only preview the document in the browser. Below in Figure 4 is an example of the end-user experience when opening a TXT-file in OneDrive on an unmanaged device and when the same limited configurations apply. That will block the user from accessing the file.

Below in Figure 5 is an example of the end-user experience when accessing a SharePoint site when that specific site is blocked on unmanaged devices. That will provide the user with the message that the access is denied for untrusted devices, due to organizational policies.

More information

For more information about conditional access, SharePoint Online and OneDrive for Business, refer to the following docs:

Conditional access and Outlook on the web for Exchange Online

This week a blog post about conditional access. More specifically, about conditional access and enforced restrictions with Outlook on the web for Exchange Online. This can be used to provide users with access to Outlook on the web, but still protect company data. That can be achieved by configuring a limited experience for users with regards to attachments. The enforced restrictions can enable a read only option for attachments in the browser and can completely block attachments in the browser. In this post I’ll walk through the required configurations, with the focus on conditional access, and I’ll show the end-user experience.

Configuration

Let’s start with looking at the configuration. The main focus in the configuration is conditional access, but as that configuration has no use without configuring the Outlook on the web mailbox policies, I’ll also provide the main configuration options from an Exchange Online perspective.

Exchange Online configuration

The most important and only configuration, from an Exchange Online perspective, is to configure the Outlook on the web mailbox policy. That configuration must be done by using PowerShell. When there is an Outlook on the web mailbox policy, the required cmdlet is Set-OwaMailboxPolicy. That cmdlet contains the parameter ConditionalAccessPolicy. That parameter can be used to specify the Outlook on the web mailbox policy for limited access and can have the following values:

  • Off: This value means that no conditional access policy is applied to Outlook on the web;
  • ReadOnly: This value means that users can’t download attachments to their local computer, and can’t enable offline mode on non-compliant computers;
  • ReadOnlyPlusAttachmentsBlocked: This value means that all restrictions from ReadOnly apply, but that users can’t view attachments in the browser.

Note: In the end-user experience section, I’ll show the experience for both values.

Conditional access configuration

Once the conditional access policy configuration is in place for the Outlook on the web mailbox policy, it’s time to look at the actual conditional access configuration in Azure AD. The following eight steps walk through the steps to create a conditional access policy that will require multi-factor authentication and enforce a restriction on Outlook on the web, for devices that are not hybrid Azure AD joined and that are not compliant.

1 Open the Azure portal and navigate to Microsoft Intune > Conditional access > Policies or to Azure Active Directory > Conditional access > Policies;;
2 On the Policies blade, click New policy to open the New blade;
3

OOTW-UsersGroupsOn the New blade, select the Users and groups assignment to open the Users and groups blade. On the Users and groups blade, select All users and click Done;

Explanation: This configuration will make sure that this conditional access policy is applicable to all users.

4

OOTW-CloudAppsOn the New blade, select the Cloud apps assignment to open the Cloud apps blade. On the Cloud apps blade, select Select apps > Office 365 Exchange Online and click Done;

Explanation: This configuration will make sure that this conditional access policy is applicable to Exchange Online.

5a

OOTW-DevicePlatformsOn the New blade, select the Conditions assignment to open the Conditions blade. On the Conditions blade, select Device platforms to open the Device platforms blade. On the Device platforms blade, click Yes with Configure, select All platforms (including unsupported) and click Done to return to the Conditions blade;

Explanation: This configuration will make sure that this conditional access policy is applicable to all platforms.

5b

OOTW-ClientAppsBack on the Conditions blade, select Client apps (preview) to open the Client apps (preview) blade. On the Client apps (preview) blade, click Yes with Configure, select Browser and click Done to return to the Conditions blade;

Explanation: This configuration will make sure that this conditional access policy is applicable to browser sessions.

5c

OOTW-DeviceStateBack on the Conditions blade, select Device state (preview) to open the Device state (preview) blade. On the Device state (preview) blade, click Yes with Configure, select Device Hybrid Azure AD joined and Device marked as compliant on the Exclude tab and click Done and Done;

Explanation: This configuration will make sure that this conditional access policy is applicable to unmanged devices, by excluding hybrid Azure AD joined and compliant devices (which are both considered managed).

6

OOTW-GrantOn the New blade, select the Grant access control to open the Grant blade. On the Grant blade, select Grant access > Require multi-factor authentication and click Select;

Explanation: This configuration will make sure that this conditional access policy will require multi-factor authentication .

7

OOTW-SessionOn the New blade, select the Session access control to open the Session blade. On the Session blade, select Use app enforced restrictions and click Select;

Explanation: This configuration will make sure that this conditional access policy will enforce the configured restrictions in Outlook on the web for Exchange Online..

8 Open the New blade, select On with Enable policy and click Create;

End-user experience

Let’s end this post by looking at the end-user experience, for both configurable values for the Outlook on the web mailbox policy for limited access. When using an unmanaged device the user must user multi-factor authentication, which will be followed by the experiences showed below.

The first value is the ReadOnly value, which forces read only restrictions to any email attachment. Besides that it also prevents users from saving the attachments locally, as it only allows the user to save the attachments to OneDrive. Below is an example of that behavior. It also shows on top of the mail that the user is notified about the limited experience.

OutlookOTW-ReadOnly

The second value is the ReadOnlyPlusAttachmentsBlocked value, which forces email attachments to be blocked from being opened via Outlook on the web. Basically it prevents any interaction with the attachment. Below is an example of that behavior. It also shows on top of the mail that the user is notified about the limited experience.

OutlookOTW-ReadOnlyPlusAttachmentsBlocked

Note: This behavior does require disciplined users, as these type of limitations in the user experience might trigger users to forward messages to another account.

More information

For more information about conditional access in combination with Outlook on the web for Exchange Online, please refer to the following articles: