Intune and SharePoint Online working together. Secure access to SharePoint content using unmanaged devices

Site collection based conditional access

I will have to be fair. I planned to write a blog about the conditional access to specific site collections within SharePoint Online. This is a feature by Microsoft which should be available in first release tenants, as of september 1st 2017.

But…… it isn’t (as yet). At the end of this blog, you will find the required PowerShell cmdlet. But at this moment (september 15th) this cmdlet did not work in my tenant.

So instead, I will detail how you can use Azure Active Directory Conditional Access to allow limited access to SharePoint from non-compliant or non domain joined devices. But at the end, I will go into the (upcoming) feature to use conditional access with specific site collections.

Conditional Access

I want to start with a clear definition on conditional access. Most simply put, access to certain resources will only be granted if specific conditions are met. These conditions can be based on:

  • location (outside of the enterprise or within the enterprise)
  • device (allowing BYOD with restrictions or company devices only);
  • account (requiring multifactor authentication, for example).

The Office 365 admin and security & compliance center do provide us with several options for setting condition access. For can have device policies for Office 365 on a whole or for OneDrive for Business /SharePoint Online in particular.

SandC_1
Setting a device policy in Office 365 security & compliance

These policies effect the use of Office 365 and provide a solid base from which to work from. In this blog I want to go a bit further and look at Azure AD conditional access (Intune) combined with SharePoint Online.

One note. Please be aware that when using Intune, this will take precedence over OneDrive for Business or SharePoint Online settings. Good to take that into consideration.

Scenario

In my scenario I have several employees who access SharePoint Online sites using unmanaged devices (BYOD). I do not want to restrict these employees very much, but I do want to make sure that no internal content stays on these devices.So, I decided to limit access to the SharePoint Online content. When using the web browser on an unmanaged device, my employees should not be able to store content on this device (download or sync) or print the content.

Should they use any desktop client or mobile app, I want certain conditions to be met.

To do this, I will have to enable two conditional access polices and configure SharePoint Online. For the latter, I will be using a security feature introduced earlier this year. This SharePoint feature facilitates the integration with Intune.

Prerequisites

Azure Active Directory conditional access is not part of the Office 365 enterprise (E3) license. So, in order to use this I will need additional licenses for Azure Active Directory Premium and Microsoft Intune. In my environment I use first release, so make sure that’s activated as well.

SharePoint Online and Intune

In this scenario I will be using a new feature of conditional access. These are called “app enforced restrictions”. When enabled, Azure Active Directory will pass information on the device used to SharePoint Online. Based on that information, SharePoint Online will determine if additional measures are required. I will use this to set limited access to SharePoint sites. 

SPO_Cond_1 - small
Limited access SharePoint sites
 

Part 1 – Conditional access for web browsers

First off, I will set the web browser access. To do this, you need to do the following:

  1. Open the Azure portal and go to Azure Active Directory | Conditional access;
  2. Click New policy, you will now create a new policy. Use these details:
    • Users and groups: enter specific users or groups for which this policy applies. Exclude any users/groups which should not have this policy assigned;
    • Cloud apps: here you select Office 365 SharePoint Online;
    • Condition: here you only select Client apps | Browser;
    • Leave Access controls empty;
    • Session: here you check-mark the option “Use app enforced restrictions (preview)”.
  3. When all details have been entered, enable the policy and save it. It will come into effect straight away.
SPO_Cond_Azure_1
Azure Active Directory conditional access policies
SPO_Cond_Azure_4
Web browser conditional access policy
SPO_Cond_Azure_6
Specify SharePoint Online as required platform
SPO_Cond_Azure_5
App enforced restrictions

Part 2 – Conditional access for apps and desktop

The second policy we need to define is for mobile apps and desktop clients. This is basically the same as the first policy.

  1. Open the Azure portal and go to Azure Active Directory | Conditional access
  2. Click New policy, you will now create a new policy. Use these details:
    • Users and groups: enter specific users or groups for which this policy applies. Exclude any users/groups which should not have this policy assigned;
    • Cloud apps: here you select Office 365 SharePoint Online;
    • Condition: here you only select Client apps | Mobile apps and desktop clients;
    • For Access controls you will need either one of these options:
      1. Require device to be marked as compliant;
      2. Require domain joined.
    • The Session is left empty.
  3. When all details have been entered, enable the policy and save it. It will come into effect straight away.
SPO_Cond_Azure_2
Apps and desktop conditional access policy

 

SPO_Cond_Azure_3
Require device to be compliant

 

Part 3 – SharePoint specific

These two policies now determine that mobile apps and desktop clients assessing my SharePoint environment need to comply. But the web browser clients are handled by SharePoint itself.

And to configure this you go to the SharePoint admin center | access control.

SPO_Cond_1
SharePoint admin center – access control section

To block the downloading of content using a web browser on a non-compliant device, I select the option Allow limited access | Block downloading. This will affect all SharePoint sites and Office Groups, but will take some minutes to come into effect.  See the end of this blog for more information.

Seeing it in action

Using a Windows 7 machine with Google Chrome, I go to an Office Group. And to show you what will happen, I have included a “before” and “after” picture. Please note that prior to the policy coming into effect, I could open the document in Word and download it. These options are no longer available. Also note the text and the top.

 

SPO_Cond_doclib_before
SharePoint document library – before policy
SPO_Cond_doclib_after
SharePoint document library – after policy

Of course these policies also extends to the Office web applications and non-Windows environments. Like, for example, opening the site on an iPhone.

IMG_2331

 

And ….

SPO_Cond_Word
Policy displayed in Word Online

Site collection based conditional access

Some time ago Microsoft announced that SharePoint Online would receive conditional access on a site collection basis. This is a great enhancement, as you can use this to protect very sensitive content in specific locations.

I will be honest: I have not seen this in action as yet. But I will describe the steps needed to realise this, based on procedure described this technet article.

This procedure uses PowerShell for SharePoint Online. As I’m using Windows PowerShell ICE for this, here are the steps required. Two notes: (1) make sure that limited access (as described above) is disabled when using site collection based access. (2) Please ensure that the account used in this procedure is not part of the conditional access policies. Otherwise, PowerShell will not connect.

No_access_PowerShell

Open Windows PowerShell ICE using administrator privileges.

Import the SharePoint Online powershell module. My version was dated augustus 2017.

Import-module ‘C:\Program Files\SharePoint Online Management Shell\Microsoft.Online.SharePoint.PowerShell’ -Verbose

Then connect to your SharePoint Online admin environment.

Connect-SPOService -url <your_sharepoint_admin_url>

Now you are connected.

To set the conditional access for a site collection, you can use this cmdlet:

Set-SPOSite -Identity <your_sharepoint_sitecollection> -ConditionalAccessPolicy AllowLimitedAccess $True -BlockDownloadOfNonViewableFiles $True

AllowLimitedAccess is to enable to web-only restrictions.  BlockDownloadOfNonViewableFiles stops people from downloading other files as well.

Unfortunately, this is where the road stopped for me.

SPO_Cond_PowerShell_2
PowerShell says No….

I got a PowerShell error, probably because the feature has not been rolled out to my tenant yet. But no matter, I will keep trying this anyway. When I got it up and running, I will add this to the blog.

But, all said and done, I do like the conditional access features thus far. Like many other people I am very interessted to see this access working on a site collection level. I will keep you posted on that.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s