Here’s a little fun fact about using conditional access rules to manage Microsoft Teams/SharePoint Online access from unmanaged devices: some of the functions within the document library will be affected as well. Let me explain.
When setting a container-based label in Microsoft 365, you can define the external sharing and device access settings. The latter of these two options requires a conditional access rule in Azure AD to function. Once these settings have been configured, the SharePoint Online site will act accordingly.

One of these settings is to allow limited, web-only access. This means that users working from an unmanaged device will be able to open documents and edit them, but downloading, printing or syncing the documents will not be possible. But there’s more.
By the way, before you ask: is this a new function? No. This has been part of the Azure AD session-based conditional access policies for Office 365. But as I came across this some time ago, I wanted to write this short blog.
Let’s say I have two different labels. The first one is called Teams public. This one is very laid back. No restrictions, external sharing is allowed and full access to the documents is granted.

The other label is more restrictive. This one is Teams confidential. Access from an unmanaged device is limited and the site/Teams environment itself cannot be shared with guests.
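
To check how labels like these are actually landing on sites, the following added example (not from the original post) groups labeled sites by label and reports the unmanaged-device policy each one carries. It assumes the SharePoint Online Management Shell module and that the label's device setting surfaces as the site's `ConditionalAccessPolicy` property; the admin URL is a placeholder.

```powershell
# Added example, not from the original post.
# Assumes the Microsoft.Online.SharePoint.PowerShell module and a SharePoint admin account.
$AdminUrl = 'https://contoso-admin.sharepoint.com'   # placeholder tenant URL
Connect-SPOService -Url $AdminUrl

# Query each site individually so that all properties are populated.
$sites = Get-SPOSite -Limit All | ForEach-Object {
    Get-SPOSite -Identity $_.Url |
        Select-Object Url, SensitivityLabel, ConditionalAccessPolicy
}

# Unlabeled sites may show an empty value or an all-zero GUID; skip both.
$emptyLabels = '', '00000000-0000-0000-0000-000000000000'
$labeled = $sites | Where-Object { "$($_.SensitivityLabel)" -notin $emptyLabels }

# One row per label: which unmanaged-device policies do its sites carry?
# More than one policy under the same label is worth a closer look
# (for example, a site-level override made with Set-SPOSite).
$labeled | Group-Object SensitivityLabel | ForEach-Object {
    $policies = @($_.Group.ConditionalAccessPolicy | Sort-Object -Unique)
    [pscustomobject]@{
        LabelId    = $_.Name
        Sites      = $_.Count
        Policies   = $policies -join ', '
        Consistent = ($policies.Count -eq 1)
    }
} | Format-Table -AutoSize

# List the sites where limited, web-only access is in effect.
$labeled | Where-Object { "$($_.ConditionalAccessPolicy)" -eq 'AllowLimitedAccess' } |
    Select-Object Url, SensitivityLabel
```

The label column shows the label GUID rather than its display name.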

This is expected behavior of the labels. But just this week I noticed something I didn’t know before. I did some testing and it would appear that the setting for unmanaged devices also manages the Copy/Move actions within the site. When the more restrictive label is applied, a document cannot be moved or copied outside of the site. The menu options are gone as well. The more lenient label does allow the documents to be copied or moved.
And what about the interface within Microsoft Teams? Well, this is a bit odd. The copy/move actions are there in the menu, and these work within the Team itself. But when you try to copy/move a document outside of the Team, you get the same result – albeit with an error message.


Working as designed? Probably. But this will mean that the documentation on access from unmanaged devices should be enhanced. And also, the interface from Teams should (will?) be changed as well.