Authentication Context and SharePoint Online

I’ve included a small video to accompany this article. It’s at the bottom of the article. But you can skip the article if you want and go directly to my video.

A bit of history

Many enterprises use SharePoint Online (or Microsoft Teams and SharePoint Online) for document storage and collaboration. As these are both cloud-based platforms, any document can be accessed using any device.

Some time ago, Microsoft introduced the Unmanaged devices setting for SharePoint Online. This tenant-wide setting works with Azure AD Conditional Access and is used to set one conditional access rule for all users and all SharePoint Online site-collections. The rule sets access from unmanaged devices (devices that are neither [hybrid] Azure AD joined nor compliant) to one of:

  • Full access
  • Web-only access (printing and downloading are not allowed)
  • Blocked

Again – this was some time ago, and this setting was fairly restrictive. Because it applied to the entire tenant, admins could neither apply the rule to specific site-collections only nor exclude some site-collections from the policy.

This needed to change, and it did around 2017. Microsoft introduced the option for admins to set a conditional access rule per site-collection. I even mentioned this once 🙂 Conditional access for site-collections in SharePoint Online. The rule still offered the same levels as above, but using PowerShell an admin could set a rule for a specific site-collection. The settings, amongst a host of others, are stored as properties of the site-collection and can be retrieved using the PowerShell cmdlet:

Get-SPOSite -Identity <site-collection> -Detailed | fl

In the example above, the conditional access policy is set to Authentication Context.

So now we could set the conditional access rule for unmanaged devices per site-collection. This was an enhancement, although the options were still limited and at least PowerShell or a provisioning solution was required.

Labels enter the arena

In one of its smarter moves, Microsoft decided to include the conditional access rules in the configuration of container-based sensitivity labels. Now several security settings for Microsoft Teams and SharePoint Online can be configured in a single label, and simply applying the label to the Microsoft Teams environment or SharePoint Online site-collection does the trick.

This really makes working with the policies a lot easier. But, again, the options were limited to specific device-based actions. Now the new Azure AD Authentication Context has been released in preview, and it allows us to set more options for specific site-collections and to configure them using a sensitivity label.

Authentication Context

An Authentication Context in Azure AD is a new addition to the scoping of a conditional access rule. Instead of applying the conditional access rule directly to the SharePoint Online site-collection, the authentication context is applied to the site-collection (either by a label or by PowerShell), and the conditional access rule is linked to that context. By the way: the Authentication Context also works for Azure AD PIM and Microsoft Cloud App Security.

Using this context, we can now set more options. For example, redirecting users to a terms of use when accessing a specific SharePoint Online site-collection.

Sure – requiring a terms of use was already possible in Azure AD conditional access (it’s one of the controls), but not for a specific SharePoint Online site-collection. So this is one example of using an Authentication Context to set more detailed controls.

The Authentication Context itself is not too impressive 🙂 It’s a name, a description, an id and a checkbox to allow it to be used. You will need a conditional access rule that is linked to the context, and one or more SharePoint Online site-collections that use the context.

You can set the context on a site-collection either by using a sensitivity label or by using PowerShell. Both will do the trick. But if you want the context applied in “real-time”, use PowerShell: the label route needs some time for the changes to propagate.

Set-SPOSite -Identity <site-collection> -ConditionalAccessPolicy AuthenticationContext -AuthenticationContextName <your context name>

You can check whether this has worked by using this cmdlet (it prints the ConditionalAccessPolicy and AuthenticationContextName properties of the site):

Get-SPOSite -Identity <site-collection> | ft con*, aut*

Now you are able to test out this new function. It is still in preview, so beware that you can “only” set 25 contexts and that a context cannot be deleted! More information can be found here: Cloud apps, actions, and authentication context in Conditional Access policy – Azure Active Directory | Microsoft Docs
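To show the PowerShell route end to end, here is an added example (my own, not part of the original post) that applies one Authentication Context to several site-collections, reads the properties back to confirm, and finally lists every site in the tenant that already uses a context. The admin URL, site URLs and context name are placeholders; it assumes the SharePoint Online Management Shell module is installed, you hold the SharePoint admin role, and the context already exists in Azure AD.

```powershell
# Added example, not from the original post. Placeholder values below.
$AdminUrl    = "https://contoso-admin.sharepoint.com"   # placeholder admin URL
$ContextName = "Require terms of use"                   # placeholder context name
$Sites = @(
    "https://contoso.sharepoint.com/sites/Finance",      # placeholder site URLs
    "https://contoso.sharepoint.com/sites/Legal"
)

Connect-SPOService -Url $AdminUrl

foreach ($url in $Sites) {
    $before = Get-SPOSite -Identity $url

    # Skip sites that already carry the wanted context (idempotent re-runs).
    if ($before.ConditionalAccessPolicy -eq "AuthenticationContext" -and
        $before.AuthenticationContextName -eq $ContextName) {
        Write-Host "$url already uses context '$ContextName', skipping"
        continue
    }

    Set-SPOSite -Identity $url `
        -ConditionalAccessPolicy AuthenticationContext `
        -AuthenticationContextName $ContextName

    # Read back immediately: unlike the label route, PowerShell applies at once.
    $after = Get-SPOSite -Identity $url
    [pscustomobject]@{
        Site         = $url
        PolicyBefore = $before.ConditionalAccessPolicy
        PolicyAfter  = $after.ConditionalAccessPolicy
        Context      = $after.AuthenticationContextName
        Ok           = ($after.AuthenticationContextName -eq $ContextName)
    }
}

# Audit pass: which site-collections in the tenant use any Authentication Context?
Get-SPOSite -Limit All |
    Where-Object { $_.ConditionalAccessPolicy -eq "AuthenticationContext" } |
    Select-Object Url, AuthenticationContextName |
    Format-Table -AutoSize
```

The audit pass is a useful recurring check, since a context cannot be deleted and sites assigned through labels only show the context once propagation has finished.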
