Advanced conditional access rules

Posted by

As many people know, there are different ways to control access for SharePoint Online and OneDrive for Business. In this case, I’m talking about managing access for unmanaged or non-compliant devices. This has been possible for quite some time. At first, you could set this on a SharePoint Online tenant level.

This setting allows you to set a default that works for all SharePoint Online site-collections (including those connected to Microsoft Teams) and OneDrive for Business.

When you enable this setting to limit access to the environment, two specific Azure AD Conditional Access rules will be created for you. One policy will block all access to SharePoint Online and OneDrive for Business from clients on unmanaged devices. The other will use a concept called app-enforced restrictions for access from a web browser.

When these Azure AD Conditional Access rules have been applied, then this is the result when using a web browser on an unmanaged device.

Sometime later, Microsoft allowed us to set specific conditional access rules for specific site-collections. To make a long story short: you can have some site-collections that don’t allow access from unmanaged devices, but also some that allow only web-based access. These options also made it to the sensitivity labels you can place on SharePoint Online site-collections and Microsoft Teams “teams”. This allowed us to set the app-enforced restrictions one level deeper.

Three levels

As you can see in the screenshots above, these settings have basically three levels. You can either set access to allow full access, web-only access, or block the access altogether. And this is using the standard Microsoft 365 E3 features. If you want to use Microsoft Defender for Cloud Apps, then you’ve got a lot of additional options. But in this article, I want to focus on the default and ways to adjust one of these levels.

Site-collection properties

Before I do, let’s delve somewhat deeper into conditional access for specific site-collections. The way this works is by using the attributes of the site-collection. Any SharePoint Online site-collection has different attributes. Settings you can adjust on this level are stored in these attributes. Aspects like guest access or external sharing settings. And the settings for conditional access (and the settings from the sensitivity labels) are stored here as well.

You can access these attributes using the PowerShell cmdlet Get-sposite <url> | format-list.

Conditonal access attributes

As you can see in this screenshot, any site-collection has an attribute called ConditionalAccdessPolicy and by default, this will have the AllowFullAccess enabled. When you change the conditional access rules (as described above) either on the tenant level or by using sensitivity labels or using PowerShell, this attribute is changed. But as you can see, there are more attributes. And these change the behavior of conditional access for the sit-collection.

Sometimes a use-case requires more options than just full, limited, or no access at all. For example: when collaborating with external parties, you might require these parties to download specific types of files, even on unmanaged devices. When your organization is prepared to accept this potential risk, you can look at additional attributes.

Using PowerShell, we can set additional attributes for conditional access. These attributes only work for the AllowLimitedAccess option. You know the option which displays the yellow bar at the top of the SharePoint Online site. We need PowerShell because these options are not available in any GUI at this moment.

First of all, we need the following PowerShell cmdlet:

Set-SPOSite -Identity https://<SPO>/sites/<site&gt; -ConditionalAccessPolicy AllowLimitedAccess ><advanced option>

The advanced options are:

  • Disallow editing of Office documents: -AllowEditing $false
  • Only preview Office documents: -LimitedAccessFileType OfficeOnlineFilesOnly
  • Preview all documents, when possible: -LimitedAccessFileType WebPreviewableFiles
  • Enable download of files which cannot be opened in a webbrowser: -LimitedAccessFileType OtherFiles

All of these options work on the site-collection level. This allows you to have some more flexibility within your SharePoint Online/OneDrive for Business environment. There is one more setting, which works on the tenant level:

Set-SPOTenant -ApplyAppEnforcedRestrictionsToAdHocRecipients $false

This setting works for documents that have been shared with an external recipient. The recipient needs to open the document with the one-time passcode he/she has received in the e-mail. When doing so, the conditional access rules set on the site-collection or tenant level will be disregarded and the document can be downloaded. Even on an unmanaged or non-compliant device.

Wrapping up

As with a lot of functions within Microsoft 365, there’s more than meets the eye. In this case, conditional access rules can be modified slightly by using PowerShell cmdlets. In a future blog, I’ll also delve into other such cmdlets for information protection. For now, I hope this makes sense.


  1. Hi Albert, Were you able to apply the conditional access to single SharePoint site? I applied it using the PowerShell command, I see that the properties are updated, however even after 24 hours there is no change in the site’s behavior
    Any suggestions?

    1. Hi there Abhijeet,

      Do you also have the Azure AD Conditional Access policy set? You will need at least one of these (App Enforced) policies for these rules to work. You can also try to set conditional access on the tenant level (SP Admin center) and test this out. If that works, you can disable these tenant level settings and work with the separate policies.

      And also make sure that the device you’re testing with will trigger the CA policy 🙂

      Hope this helps!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s