Using sensitivity labels to manage access to SharePoint sites on unmanaged devices

This week is a follow-up on my post of a few weeks ago about accessing SharePoint and OneDrive content on unmanaged devices. That post showed how to use the SharePoint admin center to manage the organiztion-wide access control for unmanaged devices and showed how to use PowerShell to manage the site-level access control for unmanaged devices. This post will show something similar to that PowerShell configuration, in a way that this will also provide a method for managing access for unmanaged devices on a site-level. The main difference is that this post will look at a new (currently in public preview) feature that is added to sensitivity labels. That feature enables the administrator to configure Site and group settings for sensitivity labels. Within that configuration the administrator can define the level of access for unmanaged devices when a sensitivity label is applied to a SharePoint site. In this post I’l start with a short introduction about that functionality, followed by the configuration steps. Those configuration steps contain the steps for configuring the sensitivity labels, the steps for applying the sensitivity labels to a SharePoint site and the steps for configuring a basic conditional access policy to provide the device management information to SharePoint Online. I’ll end this post by showing the end-user experience.

Important: This information shown in this blog post relies – at the moment of writing – on preview functionality for sensitivity labels that must be specifically enabled. Without specifically enabling this preview functionality, the mentioned Site and group settings will not be available for sensitivity labels.

Site and group settings for sensitivity labels

Before looking at the configuration options, it’s good to first have a quick look at the new feature of sensitivity labels. By enabling the preview functionality, the administrator receives an additional configuration step when creating (and editing) sensitivity labels, named Site and group settings. The main focus for this post is the configuration section for unmanaged devices in the Site and group settings. That configuration section enables the administrator to provide the user with the option to configure access for unmanaged devices per site by using sensitivity labels. The administrator determines the configuration of the sensitivity labels based on the company policies and the user applies the sensitivity label to SharePoint sites based on the company policies.

When applying a sensitivity label to a SharePoint site, only the settings of the Site and group settings apply to the site. Other settings, such as encryption and content marking, aren’t applied to the content within the SharePoint site. The content within the SharePoint site is also not automatically labeled with the sensitivity label that’s applied to the site. It’s currently still required to use the existing manual and automatic options for applying sensitivity labels to content. The the priority of sensitivity labels is also really important for this

Note: I’m constantly specifically mentioning access of unmanaged devices to SharePoint sites as the focus of this post. However, as the mentioned configuration also enables the user to apply these sensitivity labels to Teams sites, the same behavior for unmanaged devices also applies to the related SharePoint sites.

Configuring the sensitivity labels

The configuration of sensitivity labels, for applying the behavior for unmanaged devices to a SharePoint site, contains an administrator configuration for the sensitivity labels and a user configuration for applying the sensitivity label to new (and existing) SharePoint sites. If needed an administrator can also adjust the applied sensitivity label.

Configuring the site and group settings for sensitivity labels

Let’s start by looking at the steps for an administrator of creating a sensitivity label and configuring the Site and group settings. The eight steps below walk through the creation of a new sensitivity label. Most steps simply describe the usage of the configuration step, as the focus is on the Site and group settings (step 6). After creating the sensitivity label, it can be published like any other sensitivity label by using a Label policy. Keep in mind that after creating and publishing the sensitivity label, it can take up to 24 hours for the sensitivity label to become available for users in the creation and adjustments of SharePoint sites. 

  1. Open the Microsoft 365 compliance center and navigate to Solutions > Information protection (or use the Microsoft 365 security center, or the Security & Compliance center) to open the Information protection page.
  2. On the Information protection page, click Create a label to open the New sensitivity label wizard.
  3. On the Name & description page, configure a name and tooltip for the sensitivity label and click Next.
  4. On the Encryption page, configure the encryption to control who can access the content that have this sensitivity label applied and click Next.
  5. On the Content marking page, configure any custom headers, footers, and watermarks that should be added to content that have this sensitivity label applied and click Next.
  6. On the Site and groups settings page, configure the settings that should take effect when this sensitivity label is applied to SharePoint site (or Office group) and click Next. Specifically looking at the scope of this post, it’s all about the Unmanaged devices section. That section enables the administrator to control the level of access for unmanaged devices when this sensitivity label is applied to a SharePoint site. Similar to the unmanaged devices access control in the SharePoint admin center, the administrator can choose between full access, limited access and block access.
  7. On the Auto-labeling for Office apps page, configure the automatic labeling behavior for Office apps when sensitive content is detected and click Next.
  8. On the Review your settings page, verify the configuration and click Submit.

Note: Keep in mind that the organization-wide configuration for unmanaged devices, in the SharePoint admin center, should be set to the least restrictive configuration to have a configuration that works as expected. If not, and a sensitivity label should apply a less restrictive experience, the organization-wide configuration will overrule the applied configuration of the sensitivity label.

Using the sensitivity labels for SharePoint sites

Once the administrator configured the sensitivity labels, the user can apply the different sensitivity labels to the different SharePoint sites. That can be achieved by the user during the creation of new SharePoint sites or by editing the Site information of existing SharePoint sites. The following three to four steps walk through the process of creating a new SharePoint site and applying a sensitivity label to it.

  1. Open SharePoint and click Create site to open the Create site page.
  2. On the Create site page, choose between a Team site and a Communication site. A sensitivity label can be applied to both type of SharePoint sites.
  3. No matter what the type of SharePoint site, provide a name for the site to enable the remaining settings of a new SharePoint site. Those settings include an Advanced settings section. That section contains the sensitivity labels that the user can choose from. By clicking on the help icon, the user can view the tooltip information of the different sensitivity labels. Now choose the applicable sensitivity label and click Next to continue to the Add group members page (or click Finish for Communication sites).
  4. (Only for Team sites) On the Add group members page, add any additional administrators and click Finish.

Note: For existing SharePoint sites the user can select the SharePoint site and click Site information to edit the sensitivity label by selecting a different sensitivity label in the Sensitivity selection box.

Configuring conditional access policy

The conditional access policy configuration is required to make sure that Azure AD will pass the device management information on to SharePoint Online. That can be achieved by using the Use app enforced restrictions session control. That in combination with the configuration of the sensitivity labels can provide the organization with the required level of access control on unmanaged devices. For this post the focus is on the Use app enforced restrictions session control. That session control can be configured by following the next seven steps.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Security > Conditional access Policies to open the Conditional Access | Policies blade
  2. On the Conditional Access | Policies blade, click New policy to open the New blade
  3. On the New blade and provide a unique name
  4. Select Users and groups to configure the assigned users of this conditional access policy
  5. Select Cloud apps or user actions and select Office 365 SharePoint Online as the assigned app of this conditional access policy
  6. Select Conditions > Client apps and select Browser as the applicable client app of this conditional access policy
  7. Select Session and select Use app enforced restrictions to make sure that the configured limited experience will be applicable to this session

Note: This configuration can also be used in a conditional access policy that uses a grant controls to make sure that for example MFA is also always required for access to SharePoint Online for unmanaged devices. 

The sensitivity label experience

Let’s end this post by having a look at the end-user experience and little bit of administrator experience. For testing the experience, I’ve created the following four different sensitivity labels (with the mentioned behavior for unmanaged devices) for the users in my environment:

  • Public – This sensitivity label allows full access for unmanaged devices.
  • Internal – This sensitivity label allows limited access for unmanaged devices.
  • Confidential – This sensitivity label also allows limited access for unmanaged devices.
  • Secret – This sensitivity label blocks access for unmanaged devices.

When a user now navigates on an unmanaged device to a SharePoint site with a sensitivity label of Internal (or Confidential), the user will receive a limited experience as shown below in Figure 3. The user will be notified about the limited experience and the user will see the applied sensitivity label. When a user now navigates on an unmanaged device to a SharePoint site with a sensitivity label of Secret, the user will receive a blocked experience as shown below in Figure 4. As the sensitivity label of Public simply provides a full experience, I’m not showing that example.

When quickly looking from an administrator perspective in the SharePoint admin center, the administrator can now see an additional column for the active sites that contains the applied sensitivity label (as shown in Figure 5). By selecting a site and navigating to the policies section, the administrator can also adjust the applied sensitivity label.

More information

For more information about managing access to SharePoint sites with sensitivity labels, refer to the article about using sensitivity labels to protect content in Microsoft Teams, Microsoft 365 groups, and SharePoint sites (public preview).

Accessing SharePoint and OneDrive content on unmanaged devices

This week is all about accessing SharePoint sites and OneDrive accounts on unmanaged devices. More specifically, limiting access to SharePoint and OneDrive content on unmanaged devices. Configuring (limited) access to SharePoint sites and OneDrive accounts starts by using conditional access. For applying conditional access to SharePoint sites and OneDrive accounts, the Office 365 SharePoint Online cloud app, or the recently introduced Office 365 (preview) cloud app can be used. The first cloud app is applicable to all services that depend on SharePoint Online (including OneDrive and Teams). The second cloud app is applicable to all productivity and collaboration services of Office 365. An all-in-one app. However, both of these cloud apps don’t provide really granularity to only apply specific behavior for accessing specific SharePoint sites, or OneDrive accounts. In this post I’ll focus on the Use app enforced restrictions session control and the options that it provides for differentiating between SharePoint sites and OneDrive accounts. About three years ago, I did a post on the basic configurations options of that sessions control.

The Use app enforced restrictions session control can be used to require Azure AD to pass device information to the SharePoint Online. That enables SharePoint Online to know whether the connection was initiated from a managed device. In this case a managed device is an Intune managed and compliant device, or a hybrid Azure AD joined device. SharePoint Online can use that information to provide a limited experience to unmanaged devices. Adjusting the experience can be achieved by using the Unmanaged devices access control in SharePoint Online. In this post I’ll have a look at the standard and advanced configuration options of that access control (including a brief look at the future). I’ll end by having a look at the end-user experience.

SharePoint unmanaged devices standard configuration

The Unmanaged devices access control in SharePoint Online can be used to provide full or limited access on unmanaged devices. It’s even possible to completely block access on unmanaged devices. Limiting the access on unmanaged devices allows the end-user to remain productive while minimizing the risk of accidental data loss. With limited access, users, on unmanaged devices, will have browser-only access with no ability to download, print, or sync files. It won’t be possible to access content through apps, including the Microsoft Office desktop apps. This does require the use of modern authentication. An additional reason to block legacy authentication.

The Unmanaged devices access control standard configuration is available via the SharePoint admin center. This access control can be configured for the complete organization by following the next two steps.

  1. Open the SharePoint admin center and navigate to Policies > Access control > Unmanaged devices
  2. On the Unmanaged devices blade, select the experience for the end-user on unmanaged device by choosing between full access, limited access and block access.

When configuring the Unmanaged devices access control with a limited or blocked experience, by following the mentioned steps, the Apps that don’t use modern authentication access control will automatically change to blocked. The main reason for that is that those apps can’t enforce a limited or blocked experience. Also, these configuration will automatically create corresponding conditional access policies.

SharePoint unmanaged devices advanced configuration

The advanced configuration options of the Unmanaged devices access control in SharePoint Online are only available via PowerShell. The standard configuration via the SharePoint admin center can only configure the access control organization-wide, while PowerShell enables the administrator to configure the access control on site-level. That includes OneDrive accounts. That enables the administrator to configure a limited or blocked experience for specific SharePoint sites and OneDrive accounts. That can be achieved by using the Set-SPOTenant cmdlet for organization-wide configurations, or by using Set-SPOSite cmdlet for site-level configurations. Those cmdlets contain the ConditionalAccessPolicy parameter that can be used to configure the Unmanaged devices access control. That parameter can be used with one of the following values:

  • AllowFullAccess – This value will make sure that the configuration of Allow full access from desktop apps, mobile apps, and the web is applied to the tenant or site. This is the default configuration and allows full access for unmanaged devices.
  • AllowLimitedAccess – This value will make sure that the configuration of Allow limited, web-only access is applied to the tenant or site. This is the limiting configuration that will only allow web access and doesn’t allow the user to print, download or synchronize for unmanaged devices.
  • BlockAccess – This value will make sure that the configuration of Block access is applied to the tenant or site. This will completely block access for unmanaged devices.
  • ProtectionLevel – This value is a preview feature that can be used for configuring authentication tags.

For configuring the Unmanaged devices access control for specific SharePoint sites or OneDrive accounts, the Set-SPOSite cmdlet can be used in combination with the ConditionalAccessPolicy parameter and the Identity parameter. The latter parameter is used for specifying the specific SharePoint site or OneDrive account. An example is shown below.

Set-SPOSite -Identity <SpecificSiteOrOneDriveAccount> -ConditionalAccessPolicy AllowLimitedAccess

When using the ConditionalAccessPolicy parameter, it enables the administrator to apply even more restrictions. It enables the administrator to combine the limited access with also removing the ability to edit files and the ability to copy and paste from files. That can be achieved by using the AllowEditing parameter with the value $false (default is $true). An example is shown below.

Set-SPOSite -Identity <SpecificSiteOrOneDriveAccount> -ConditionalAccessPolicy AllowLimitedAccess -AllowEditing $false

Besides limiting the editing abilities for the user, it’s also possible to further limit the preview functionality. That can be achieved by using the LimitedAccessFileType parameter. That parameter can be used with one of the following values:

  • OfficeOnlineFilesOnly – This value will make sure that users can only preview Office files in the browser. This limiting configuration increases security on unmanaged devices, but may decrease user productivity.
  • WebPreviewableFiles – This value value will make sure that users can preview Office files and other file types (such as PDF files and images) in the browser. This is the default configuration and is optimized for user productivity on unmanaged devices, but offers less security for files that aren’t Office files. 
  • OtherFiles – This value will make sure that users can download files that can’t be previewed (such as .zip and .exe) in the browser. This option offers less security on unmanaged devices.

The LimitedAccessFileType parameter enables the administrator to limit the preview functionality, by using one of the three mentioned values. An example is shown below.

Set-SPOSite -Identity <SpecificSiteOrOneDriveAccount> -ConditionalAccessPolicy AllowLimitedAccess -AllowEditing $false -LimitedAccessFileType WebPreviewableFiles

Note: Keep in mind that the site-level configuration will only work as expected when it’s more restrictive than the organization-wide configuration.

Conditional access configuration

The conditional access configuration is required to make sure that Azure AD will pass the device information to the SharePoint Online. That can be achieved by using the Use app enforced restrictions session control. This configuration can be used next to other conditional access policy that use grant controls to make sure that for example MFA is also always required for access to SharePoint Online or OneDrive for Business on unmanaged devices. That in combination with the limited configuration can provide the organization with the required level of access control on unmanaged devices. For this post the focus is on the Use app enforced restrictions session control. That session control can be configured by following the next seven steps.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Security > Conditional access Policies to open the Conditional Access | Policies blade
  2. On the Conditional Access | Policies blade, click New policy to open the New blade
  3. On the New blade and provide a unique name
  4. Select Users and groups to configure the assigned users of this conditional access policy
  5. Select Cloud apps or user actions and select Office 365 SharePoint Online as the assigned app of this conditional access policy
  6. Select Conditions > Client apps and select Browser as the applicable client app of this conditional access policy
  7. Select Session and select Use app enforced restrictions to make sure that the configured limited experience will be applicable to this session

What the future brings

Before having a look at the end-user experience, it might be good to briefly mention that the near future will bring some more possibilities. While writing this post new MFA and other granular policies for SharePoint sites and OneDrive are introduced by using a new user action in conditional access. The Accessing secured app data user action. That user action is already configurable in conditional access by using this url for configuring the conditional access policy. It enables the administrator to configure a few protection levels for data. Those protection levels can be added to SharePoint sites and OneDrive accounts and can be assigned with different conditional access policies. That eventually might provide the administrator with a more granular control over the access to the data in the different locations. Jan Bakker already wrote some more details about that functionality at his blog. More about that subject in the future.

End-user experience

The mentioned configurations enable the administrator to provide different limited experiences to different SharePoint sites and OneDrive accounts. Let’s bring these configurations together to provide a limited experience for accessing OneDrive on unmanaged devices and by blocking access to specific SharePoint sites on unmanaged devices. Below in Figure 3 is an example of the end-user experience when opening a Word document in OneDrive on an unmanaged device, when limited access is configured with web previewable files and no editing options. That will enable the user to only preview the document in the browser. Below in Figure 4 is an example of the end-user experience when opening a TXT-file in OneDrive on an unmanaged device and when the same limited configurations apply. That will block the user from accessing the file.

Below in Figure 5 is an example of the end-user experience when accessing a SharePoint site when that specific site is blocked on unmanaged devices. That will provide the user with the message that the access is denied for untrusted devices, due to organizational policies.

More information

For more information about conditional access, SharePoint Online and OneDrive for Business, refer to the following docs:

Conditional access and Outlook on the web for Exchange Online

This week a blog post about conditional access. More specifically, about conditional access and enforced restrictions with Outlook on the web for Exchange Online. This can be used to provide users with access to Outlook on the web, but still protect company data. That can be achieved by configuring a limited experience for users with regards to attachments. The enforced restrictions can enable a read only option for attachments in the browser and can completely block attachments in the browser. In this post I’ll walk through the required configurations, with the focus on conditional access, and I’ll show the end-user experience.

Configuration

Let’s start with looking at the configuration. The main focus in the configuration is conditional access, but as that configuration has no use without configuring the Outlook on the web mailbox policies, I’ll also provide the main configuration options from an Exchange Online perspective.

Exchange Online configuration

The most important and only configuration, from an Exchange Online perspective, is to configure the Outlook on the web mailbox policy. That configuration must be done by using PowerShell. When there is an Outlook on the web mailbox policy, the required cmdlet is Set-OwaMailboxPolicy. That cmdlet contains the parameter ConditionalAccessPolicy. That parameter can be used to specify the Outlook on the web mailbox policy for limited access and can have the following values:

  • Off: This value means that no conditional access policy is applied to Outlook on the web;
  • ReadOnly: This value means that users can’t download attachments to their local computer, and can’t enable offline mode on non-compliant computers;
  • ReadOnlyPlusAttachmentsBlocked: This value means that all restrictions from ReadOnly apply, but that users can’t view attachments in the browser.

Note: In the end-user experience section, I’ll show the experience for both values.

Conditional access configuration

Once the conditional access policy configuration is in place for the Outlook on the web mailbox policy, it’s time to look at the actual conditional access configuration in Azure AD. The following eight steps walk through the steps to create a conditional access policy that will require multi-factor authentication and enforce a restriction on Outlook on the web, for devices that are not hybrid Azure AD joined and that are not compliant.

1 Open the Azure portal and navigate to Microsoft Intune > Conditional access > Policies or to Azure Active Directory > Conditional access > Policies;;
2 On the Policies blade, click New policy to open the New blade;
3

OOTW-UsersGroupsOn the New blade, select the Users and groups assignment to open the Users and groups blade. On the Users and groups blade, select All users and click Done;

Explanation: This configuration will make sure that this conditional access policy is applicable to all users.

4

OOTW-CloudAppsOn the New blade, select the Cloud apps assignment to open the Cloud apps blade. On the Cloud apps blade, select Select apps > Office 365 Exchange Online and click Done;

Explanation: This configuration will make sure that this conditional access policy is applicable to Exchange Online.

5a

OOTW-DevicePlatformsOn the New blade, select the Conditions assignment to open the Conditions blade. On the Conditions blade, select Device platforms to open the Device platforms blade. On the Device platforms blade, click Yes with Configure, select All platforms (including unsupported) and click Done to return to the Conditions blade;

Explanation: This configuration will make sure that this conditional access policy is applicable to all platforms.

5b

OOTW-ClientAppsBack on the Conditions blade, select Client apps (preview) to open the Client apps (preview) blade. On the Client apps (preview) blade, click Yes with Configure, select Browser and click Done to return to the Conditions blade;

Explanation: This configuration will make sure that this conditional access policy is applicable to browser sessions.

5c

OOTW-DeviceStateBack on the Conditions blade, select Device state (preview) to open the Device state (preview) blade. On the Device state (preview) blade, click Yes with Configure, select Device Hybrid Azure AD joined and Device marked as compliant on the Exclude tab and click Done and Done;

Explanation: This configuration will make sure that this conditional access policy is applicable to unmanged devices, by excluding hybrid Azure AD joined and compliant devices (which are both considered managed).

6

OOTW-GrantOn the New blade, select the Grant access control to open the Grant blade. On the Grant blade, select Grant access > Require multi-factor authentication and click Select;

Explanation: This configuration will make sure that this conditional access policy will require multi-factor authentication .

7

OOTW-SessionOn the New blade, select the Session access control to open the Session blade. On the Session blade, select Use app enforced restrictions and click Select;

Explanation: This configuration will make sure that this conditional access policy will enforce the configured restrictions in Outlook on the web for Exchange Online..

8 Open the New blade, select On with Enable policy and click Create;

End-user experience

Let’s end this post by looking at the end-user experience, for both configurable values for the Outlook on the web mailbox policy for limited access. When using an unmanaged device the user must user multi-factor authentication, which will be followed by the experiences showed below.

The first value is the ReadOnly value, which forces read only restrictions to any email attachment. Besides that it also prevents users from saving the attachments locally, as it only allows the user to save the attachments to OneDrive. Below is an example of that behavior. It also shows on top of the mail that the user is notified about the limited experience.

OutlookOTW-ReadOnly

The second value is the ReadOnlyPlusAttachmentsBlocked value, which forces email attachments to be blocked from being opened via Outlook on the web. Basically it prevents any interaction with the attachment. Below is an example of that behavior. It also shows on top of the mail that the user is notified about the limited experience.

OutlookOTW-ReadOnlyPlusAttachmentsBlocked

Note: This behavior does require disciplined users, as these type of limitations in the user experience might trigger users to forward messages to another account.

More information

For more information about conditional access in combination with Outlook on the web for Exchange Online, please refer to the following articles: