Authentication Context and SharePoint Online

Posted by

I’ve included a small video to accompany this article. It’s at the bottom of the article. But you can skip the article if you want and go directly to my video.

A bit of history

Many enterprises use SharePoint Online (or Microsoft Teams and SharePoint Online) for document storage and collaboration. As these are both cloud-based platforms, any document can be accessed using any device.

Some time ago, Microsoft introduced the Unmanaged devices setting for SharePoint Online. This tenant-wide setting works with Azure AD Conditional Access. It is used to set a conditional access rule for all users and all SharePoint Online site-collections. This rule is used to set access from unmanaged devices (not [hybrid] Azure AD joined or compliant) to:

  • Full access
  • Web-only access (printing, downloading is not allowed)
  • Blocked

Again – this was some time ago. And this setting was relatively restrictive. As it was set to the entire tenant, admins weren’t able to either apply the rule to certain site-collections or remove some of them from the policy.

This needed to change. And it did around 2017. Microsoft introduced the option for admins to set a conditional access rule based on the site-collection. I even mentioned this once 🙂 Conditional access for site-collections in SharePoint Online. The rule still contained the same levels as above, but using PowerShell an admin could set a specific rule. The settings, amongst a host of others, are stored as properties of the site-collection and can be retrieved using the PowerShell cmdlet:

Get-sposite -Identity <site-collection> -Detailed | fl

In the example above, the conditional access policy is set to Authentication Context.

So now we could set the conditional access rule for unmanaged devices based on the site-collection. This was an enhancement, although the options were still limited and at least PowerShell or a provisioning solution was required.

Labels enter the arena

In one of the more smarter moves, Microsoft decided to include the conditional access rules in the configuration for container-based sensitivity labels. Now you could have several security settings for Microsoft Teams and SharePoint Online configured into a label. Just applying the label to the Microsoft Teams environment or SharePoint Online site-collection will do the trick.

This really makes working with the policies a lot easier. But, again, the options were limited to specific device-based actions. Now the new Azure AD Authentication Context has been released in preview. And this allows us to set more options for specific site-collections and to configure this using a sensitivity label.

Authentication Context

An Authentication Context in Azure AD is a new addition to the scoping of a conditional access rule. Instead of having the conditional access rule applied directly to the SharePoint Online site-collection, the authentication context is applied (either by a label or PowerShell). By the way: the Authentication Context also works for Azure AD PIM and Microsoft Cloud App Security.

Using this context, we can now set more options. For example, redirecting users to a terms of use when accessing a specific SharePoint Online site-collection.

Sure – requiring a terms of use was already possible for Azure AD conditional access (it’s part of the controls), but not for a specific SharePoint Online site-collection. So this is one example of using an Authentication Context to set more detailed controls.

The Authentication Context itself is not to impressive 🙂 It’s a name, description, id and a checkbox to allow it to be used. You will need to have a conditional access rule which is linked to the context and one or more SharePoint Online site-collections using the context.

You can set the context to a site-collection either by using a sensitivity label or by using PowerShell. Both will do the trick. But if you want to have the context applied in “real-time” – then use PowerShell. The label functionality does require some time for the changes to propagate.

Set-sposite -Identity <site-collection> -ConditionalAccessPolicy AuthenticationContext -AuthenticationContextName <your context name>

You can check if this has worked by using this cmdlet:

Get-sposite -Identity <site-collection> | ft con*, aut*

Now you are able to test-out this new function. It is still in preview, so beware that you can “only” set 25 contexts and that a context cannot be deleted! More information can be found here: Cloud apps, actions, and authentication context in Conditional Access policy – Azure Active Directory | Microsoft Docs

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s