Conditional access for site-collections in SharePoint Online


In one of my previous blogs I explained how you can use Intune and SharePoint Online together. The blog ended with me being somewhat annoyed by the fact that I couldn’t get the site-collection based conditional access working.

In the meantime, Microsoft has released a new version of the SharePoint Online PowerShell management shell, and after importing the new cmdlets, it works!

Just follow the steps in the previous blog (at the end), and you will notice that you can set a conditional access policy based on one or more specific site collections.

This is the cmdlet involved:

Set-SPOSite -Identity <your site-collection URL> -ConditionalAccessPolicy AllowLimitedAccess

Which will modify your site-collection like this:

[Screenshot: after]

If you want to disable the conditional access, run this cmdlet:

Set-SPOSite -Identity <your site-collection URL> -ConditionalAccessPolicy AllowFullAccess

Your site-collection will then no longer be protected by a conditional access policy.

[Screenshot: before]

Great stuff!!
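
To apply the setting to several site collections and confirm it took effect, the cmdlet can be wrapped in a loop that reads the value back with Get-SPOSite. This is an added example, not part of the original post; the admin URL and site URLs are placeholders, and it assumes the tenant-side steps from the previous blog are already in place.

```powershell
# Added example: set the policy on several site collections and verify it.
# All URLs below are placeholders (assumptions), replace them with your own.
$adminUrl = 'https://contoso-admin.sharepoint.com'      # placeholder tenant admin URL
$sites = @(
    'https://contoso.sharepoint.com/sites/finance',     # placeholder site collections
    'https://contoso.sharepoint.com/sites/hr'
)
$desired = 'AllowLimitedAccess'

Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop
Connect-SPOService -Url $adminUrl

$report = foreach ($url in $sites) {
    try {
        Set-SPOSite -Identity $url -ConditionalAccessPolicy $desired -ErrorAction Stop
        # Read the value back instead of trusting that the call succeeded
        $actual = (Get-SPOSite -Identity $url -ErrorAction Stop).ConditionalAccessPolicy
        [pscustomobject]@{
            Url     = $url
            Policy  = $actual
            Applied = ("$actual" -eq $desired)
            Error   = $null
        }
    }
    catch {
        # Errors (for example a URL that is not a site collection) end up here;
        # record them and continue with the next site
        [pscustomobject]@{
            Url     = $url
            Policy  = $null
            Applied = $false
            Error   = $_.Exception.Message
        }
    }
}

$report | Format-Table -AutoSize

# Flag every site collection where the policy is not what was requested
$failed = @($report | Where-Object { -not $_.Applied })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) site collection(s) do not have $desired set."
}
```

Setting `$desired` to `AllowFullAccess` turns the same script into a check that the policy has been removed everywhere.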

9 comments

  1. I’m missing the part where you can create your own policies or select them from the Azure AD policies

  2. Can we apply the same conditional access for subsites? (I am getting an error in PowerShell: “The managed path is not a managed path in this tenant”)

    1. Hi there,

      No. As far as I’m aware, this function only works for site-collections. Site-collections have been a best practice by Microsoft for some time, although there are still a lot of subsites in use.

  3. Hello Albert, is it possible to give full access to a site collection only for some users, not all?

    1. Hi there,

      Sorry about the late reply. It depends on what you consider “Full access”. SharePoint has multiple levels of access. On the highest level you have the site-collection owner and site-collection administrators. On the site level you have the site-owner. A site-owner has full access to the site, but does not have access to the site-collection options.

      These are the options you can configure in SharePoint.

      For conditional access, you can configure the policy to work for specific users or for the entire organisation.

      Hope this helps.
