Site collection based conditional access
I will have to be honest. I planned to write a blog about conditional access for specific site collections within SharePoint Online. This is a Microsoft feature which should be available in first release tenants as of September 1st 2017.
But… it isn’t (as yet). At the end of this blog, you will find the required PowerShell cmdlet. But at this moment (September 15th) this cmdlet did not work in my tenant.
So instead, I will detail how you can use Azure Active Directory Conditional Access to allow limited access to SharePoint from non-compliant or non domain joined devices. But at the end, I will go into the (upcoming) feature to use conditional access with specific site collections.
Conditional Access
I want to start with a clear definition of conditional access. Most simply put, access to certain resources will only be granted if specific conditions are met. These conditions can be based on:
- location (outside of the enterprise or within the enterprise);
- device (allowing BYOD with restrictions or company devices only);
- account (requiring multifactor authentication, for example).
The Office 365 admin center and the Security & Compliance Center do provide us with several options for setting conditional access. You can have device policies for Office 365 as a whole or for OneDrive for Business / SharePoint Online in particular.

These policies affect the use of Office 365 and provide a solid base to work from. In this blog I want to go a bit further and look at Azure AD conditional access (Intune) combined with SharePoint Online.
One note. Please be aware that when using Intune, its settings take precedence over the OneDrive for Business or SharePoint Online device policies. Good to take that into consideration.
Scenario
To set this up, I will have to enable two conditional access policies and configure SharePoint Online. For the latter, I will be using a security feature introduced earlier this year. This SharePoint feature facilitates the integration with Intune.
Prerequisites
Azure Active Directory conditional access is not part of the Office 365 enterprise (E3) license. So, in order to use this I will need additional licenses for Azure Active Directory Premium and Microsoft Intune. In my environment I use first release, so make sure that’s activated as well.
SharePoint Online and Intune

Part 1 – Conditional access for web browsers
First off, I will set the web browser access. To do this, you need to do the following:
- Open the Azure portal and go to Azure Active Directory | Conditional access;
- Click New policy to create a new policy. Use these details:
- Users and groups: enter specific users or groups for which this policy applies. Exclude any users/groups which should not have this policy assigned;
- Cloud apps: here you select Office 365 SharePoint Online;
- Condition: here you only select Client apps | Browser;
- Leave Access controls empty;
- Session: here you check-mark the option “Use app enforced restrictions (preview)”.
- When all details have been entered, enable the policy and save it. It will come into effect straight away.

Part 2 – Conditional access for apps and desktop
The second policy we need to define is for mobile apps and desktop clients. This is basically the same as the first policy.
- Open the Azure portal and go to Azure Active Directory | Conditional access;
- Click New policy to create a new policy. Use these details:
- Users and groups: enter specific users or groups for which this policy applies. Exclude any users/groups which should not have this policy assigned;
- Cloud apps: here you select Office 365 SharePoint Online;
- Condition: here you only select Client apps | Mobile apps and desktop clients;
- For Access controls you will need either one of these options:
- Require device to be marked as compliant;
- Require domain joined.
- The Session is left empty.
- When all details have been entered, enable the policy and save it. It will come into effect straight away.

Part 3 – SharePoint specific
These two policies now ensure that mobile apps and desktop clients accessing my SharePoint environment need to comply. But the web browser clients are handled by SharePoint itself.
To configure this, go to the SharePoint admin center | access control.

To block the downloading of content using a web browser on a non-compliant device, I select the option Allow limited access | Block downloading. This will affect all SharePoint sites and Office Groups, but will take some minutes to come into effect. See the end of this blog for more information.
Seeing it in action
Using a Windows 7 machine with Google Chrome, I go to an Office Group. To show you what will happen, I have included a “before” and “after” picture. Please note that prior to the policy coming into effect, I could open the document in Word and download it. These options are no longer available. Also note the text at the top.


Of course these policies also extend to the Office web applications and non-Windows environments, for example when opening the site on an iPhone.
And ….

Site collection based conditional access
Some time ago Microsoft announced that SharePoint Online would receive conditional access on a site collection basis. This is a great enhancement, as you can use this to protect very sensitive content in specific locations.
I will be honest: I have not seen this in action as yet. But I will describe the steps needed to realise this, based on the procedure described in this TechNet article.
This procedure uses PowerShell for SharePoint Online. As I’m using Windows PowerShell ISE for this, here are the steps required. Two notes: (1) make sure that limited access (as described above) is disabled when using site collection based access; (2) please ensure that the account used in this procedure is not part of the conditional access policies, otherwise PowerShell will not connect.
Open Windows PowerShell ISE using administrator privileges.
Import the SharePoint Online PowerShell module. My version was dated August 2017.
Import-Module 'C:\Program Files\SharePoint Online Management Shell\Microsoft.Online.SharePoint.PowerShell' -Verbose
Connect-SPOService -Url <your_sharepoint_admin_url>
Now you are connected.
To set the conditional access for a site collection, you can use this cmdlet:
Set-SPOSite -Identity <your_sharepoint_sitecollection> -ConditionalAccessPolicy AllowLimitedAccess
AllowLimitedAccess enables the web-only restrictions (the same limited access described above). BlockDownloadOfNonViewableFiles additionally stops people from downloading files that cannot be viewed in the browser.
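To tie the steps above together, here is an added script (mine, not from the TechNet article or the original post) that checks note (1) before doing anything, applies the per-site policy and then reads the setting back instead of trusting the cmdlet's silence. The admin and site URLs are placeholders, and it assumes the same August 2017 module, with Get-SPOTenant and Get-SPOSite exposing the ConditionalAccessPolicy property.

```powershell
# Added example, not part of the original post. Placeholder URLs below are assumptions.
$adminUrl = "https://contoso-admin.sharepoint.com"          # assumed placeholder
$siteUrl  = "https://contoso.sharepoint.com/sites/Finance"   # assumed placeholder

# Same module and path as in the post; stop early if it cannot be loaded.
Import-Module "C:\Program Files\SharePoint Online Management Shell\Microsoft.Online.SharePoint.PowerShell" -ErrorAction Stop

# Note (2) from the post: use an account that is excluded from the conditional
# access policies, otherwise this connection is itself blocked.
Connect-SPOService -Url $adminUrl

# Note (1) from the post: the tenant-wide limited access setting must be off
# before per-site policies are used. Check it instead of silently layering both.
$tenant = Get-SPOTenant
if ($tenant.ConditionalAccessPolicy -ne "AllowFullAccess") {
    Write-Warning "Tenant-wide ConditionalAccessPolicy is '$($tenant.ConditionalAccessPolicy)'."
    Write-Warning "Reset it first with: Set-SPOTenant -ConditionalAccessPolicy AllowFullAccess"
    return
}

# Apply the web-only (limited) access restriction to this one site collection.
Set-SPOSite -Identity $siteUrl -ConditionalAccessPolicy AllowLimitedAccess

# Read back the effective setting; -Detailed returns the full property set.
$site = Get-SPOSite -Identity $siteUrl -Detailed
if ($site.ConditionalAccessPolicy -eq "AllowLimitedAccess") {
    Write-Host "Limited access is now set on $siteUrl"
} else {
    Write-Warning "Expected AllowLimitedAccess on $siteUrl but found '$($site.ConditionalAccessPolicy)'."
    Write-Warning "The feature may not have been rolled out to this tenant yet."
}
```

The read-back matters because a tenant that has not received the feature yet (as mine had not at the time of writing) can fail at Set-SPOSite, and checking Get-SPOSite afterwards makes that visible in a script rather than only in an interactive session.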
Unfortunately, this is where the road stopped for me.

I got a PowerShell error, probably because the feature has not been rolled out to my tenant yet. But no matter, I will keep trying this anyway. Once I get it up and running, I will add it to the blog.