As many people know, there are different ways to control access for SharePoint Online and OneDrive for Business. In this case, I’m talking about managing access for unmanaged or non-compliant devices. This has been possible for quite some time. At first, you could set this on a SharePoint Online tenant level.
This setting allows you to set a default that works for all SharePoint Online site-collections (including those connected to Microsoft Teams) and OneDrive for Business.
When you enable this setting to limit access to the environment, two specific Azure AD Conditional Access rules will be created for you. One policy will block all access to SharePoint Online and OneDrive for Business from clients on unmanaged devices. The other will use a concept called app-enforced restrictions for access from a web browser.
When these Azure AD Conditional Access rules have been applied, then this is the result when using a web browser on an unmanaged device.
Sometime later, Microsoft allowed us to set specific conditional access rules for specific site-collections. To make a long story short: you can have some site-collections that don’t allow access from unmanaged devices, but also some that allow only web-based access. These options also made it to the sensitivity labels you can place on SharePoint Online site-collections and Microsoft Teams “teams”. This allowed us to set the app-enforced restrictions one level deeper.
As you can see in the screenshots above, these settings have basically three levels. You can either set access to allow full access, web-only access, or block the access altogether. And this is using the standard Microsoft 365 E3 features. If you want to use Microsoft Defender for Cloud Apps, then you’ve got a lot of additional options. But in this article, I want to focus on the default and ways to adjust one of these levels.
Before I do, let’s delve somewhat deeper into conditional access for specific site-collections. The way this works is by using the attributes of the site-collection. Any SharePoint Online site-collection has different attributes. Settings you can adjust on this level are stored in these attributes. Aspects like guest access or external sharing settings. And the settings for conditional access (and the settings from the sensitivity labels) are stored here as well.
You can access these attributes using the PowerShell cmdlet Get-sposite <url> | format-list.
Conditonal access attributes
As you can see in this screenshot, any site-collection has an attribute called ConditionalAccdessPolicy and by default, this will have the AllowFullAccess enabled. When you change the conditional access rules (as described above) either on the tenant level or by using sensitivity labels or using PowerShell, this attribute is changed. But as you can see, there are more attributes. And these change the behavior of conditional access for the sit-collection.
Sometimes a use-case requires more options than just full, limited, or no access at all. For example: when collaborating with external parties, you might require these parties to download specific types of files, even on unmanaged devices. When your organization is prepared to accept this potential risk, you can look at additional attributes.
Using PowerShell, we can set additional attributes for conditional access. These attributes only work for the AllowLimitedAccess option. You know the option which displays the yellow bar at the top of the SharePoint Online site. We need PowerShell because these options are not available in any GUI at this moment.
First of all, we need the following PowerShell cmdlet:
Set-SPOSite -Identity https://<SPO>/sites/<site> -ConditionalAccessPolicy AllowLimitedAccess ><advanced option>
The advanced options are:
- Disallow editing of Office documents: -AllowEditing $false
- Only preview Office documents: -LimitedAccessFileType OfficeOnlineFilesOnly
- Preview all documents, when possible: -LimitedAccessFileType WebPreviewableFiles
- Enable download of files which cannot be opened in a webbrowser: -LimitedAccessFileType OtherFiles
All of these options work on the site-collection level. This allows you to have some more flexibility within your SharePoint Online/OneDrive for Business environment. There is one more setting, which works on the tenant level:
Set-SPOTenant -ApplyAppEnforcedRestrictionsToAdHocRecipients $false
This setting works for documents that have been shared with an external recipient. The recipient needs to open the document with the one-time passcode he/she has received in the e-mail. When doing so, the conditional access rules set on the site-collection or tenant level will be disregarded and the document can be downloaded. Even on an unmanaged or non-compliant device.
As with a lot of functions within Microsoft 365, there’s more than meets the eye. In this case, conditional access rules can be modified slightly by using PowerShell cmdlets. In a future blog, I’ll also delve into other such cmdlets for information protection. For now, I hope this makes sense.