Control Access to SharePoint Online/OneDrive from unmanaged devices

In a mobile-first cloud first world the need of accessing corporate resources on unmanaged devices is rising. This is the cutting edge of managing your corporate data (keeping it safe) and give your users the freedom to be productive on any device.

With Conditional Access we can control access to corporate data (such as Exchange Online, SharePoint Online, Yammer, Delve, Teams, etc.) based on a device (health) status such as being managed or complaint. These scenarios (conditions) are based on devices being managed by your company (MDM managed). With the introduction of Session Controls, organizations are enabled to grant limited access to corporate resources without losing control on unmanaged devices.

Session controls enable limiting experience within a cloud app. The session controls are enforced by cloud apps and rely on additional information provided by Azure AD to the app about the session. The session controls is in preview and currently available for Office 365 SharePoint Online, OneDrive and Office 365 Groups.

Use case
You can block or limit access to SharePoint and OneDrive content from unmanaged devices (those which are not joined to a domain or compliant in Microsoft Intune). When you limit access, users will be able to view but not edit Office files in Office Online. The Download, Print, Sync, Open in desktop app, Embed, Move to, and Copy to buttons won’t appear in the new SharePoint and OneDrive experiences.

This is a very useful scenario for organizations which are working with BYOD scenarios. It provides a good balance of keeping your users productive on devices they like without losing your control of your corporate data.

Process flow

1. Get your Azure Active Directory Premium and Microsoft Intune subscriptions enabled;
2. Enable first release for your entire Office 365 tenant;
3. Configure Conditional Access Policy;
4. Configure Conditional Access Session Controls policy;
5. Enable Restrict SharePoint Device Access.

Pre-requisites
To do this, you need subscriptions to Azure Active Directory Premium and Microsoft Intune. In addition to use this feature, you need to enable first release in Office 365 for everyone in your organization. To learn how to do this, see Set up the Standard or First Release options in Office 365. It takes 24 hours for the switch to take effect. This feature is not available for customers with dedicated environments.

Once first release is enabled for your Office 365 organization we can

Enable Session Controls
To block access, you’ll set one policy in the Microsoft Azure portal/Microsoft Intune. To limit access (web-only access), you’ll set two policies and select a setting in the SharePoint admin center.

Go to Microsoft Azure portal and add two policies. Learn how to set conditional access policies in Azure AD.

1. Create a policy for SharePoint that applies to mobile apps and desktop clients, and allows access only from compliant or domain-joined devices.
2. Create another policy for SharePoint that applies to web browsers, and select “use app-enforced restrictions.”

You can use this control to require Azure AD to pass the device information to the cloud app. This helps the cloud app know if the user is coming from a compliant device or domain joined device. This control is currently only supported with SharePoint, OneDrive and Office 365 Groups. SharePoint uses the device information to provide users a limited or full experience depending on the device state. To learn more about how to require limited access with SharePoint, go here.

Once your Office 365 tenant is enabled for first release we can limit device access to SharePoint, OneDrive and Office 365 Groups in SharePoint Admin Center. Select “Allow limited access (web-only, without the Download, Print and Sync commands)”. For files that can’t be viewed on the web select “Block downloading”

Note: by default access to apps which don’t use modern authentication is blocked by default.

User Experience
As we excluded Office 365 SharePoint Online as cloud app from our first Conditional Access rule and configured App enforced restrictions we can open SharePoint Online in web based on unmanaged devices. The number of controls is limited to open Office files in Office Online for unmanaged devices.

The same user experience applies to OneDrive for Business, files can be viewed en edited online without being synced or downloaded on your unmanaged devices.

The user experience is not limited to Windows only, but cross platform to all other platforms and browsers.

As Conditional Access still applies to other cloud apps (such as Exchange Online, Yammer, Skype For Business, etc.) we can’t access these services on unmanaged devices.

Recap
With the introduction of Session Controls, part of Conditional Access, organizations are able to grant access to corporate resources without losing control of corporate data on unmanaged devices. Currently the user experience of unmanaged scenarios is limited compared to fully managed devices. Together with App protection policies (aka Windows Information Protection) this is another step forwards improving the user experience in unmanaged scenarios.

“Empower every person and every organization on the planet to achieve more” | Satya Nadella (CEO Microsoft). Including every device, even it’s unmanaged!

Sources
Conditional Access in Azure Active Directory
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal#session-controls

Control access from unmanaged devices
https://support.office.com/en-us/article/Control-access-from-unmanaged-devices-5ae550c4-bd20-4257-847b-5c20fb053622?ui=en-US&rs=en-US&ad=US

Set up the Standard or First Release options in Office 365
https://support.office.com/en-us/article/Set-up-the-Standard-or-First-Release-options-in-Office-365-3b3adfa4-1777-4ff0-b606-fb8732101f47#bk_preview