M365 services, e.g. SharePoint Online, have in-app access control settings that can be set up to block or allow access for users in a very prescribed way. While this is a widely used method, the problem is that these settings can be duplicated, ignored, or, worse still, not documented. All of these cause issues and make troubleshooting harder.
Using Conditional Access Policies where possible is key, as this is an area that keeps evolving and adding new controls that you can use when providing access to apps and services.
The good news is that 99% of these settings can be managed by Conditional Access Policies. This article is about exactly that: how to configure the Conditional Access Policies while you still have the other (in-app) policies in place.
- SharePoint Access Control Settings
- Modeling Your Conditional Access Policy
- Idle session sign-out
- Apps that don’t use modern Authentication
- Caveat – OneDrive access restriction
- Wrapping up, What More You Can Do?
SharePoint Access Control Settings
SharePoint Admin Center > Policies > Access Control
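Before any of these settings are moved, it is worth recording what the tenant currently has, because an undocumented in-app setting is exactly the duplication problem described above. The following is an added example (not code from the original article) that reads the Access Control settings of the SharePoint admin center with the SharePoint Online Management Shell and saves a dated snapshot. The admin URL is a constructed placeholder; the cmdlets and property names are the standard ones of the Microsoft.Online.SharePoint.PowerShell module.

```powershell
# Added example: inventory the SharePoint Online access-control settings that this
# article maps to Conditional Access, so the current state is documented before any
# CA policy goes into report-only mode.
# Assumes the SharePoint Online Management Shell module and a tenant admin account.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant admin URL

$tenant = Get-SPOTenant
$idle   = Get-SPOBrowserIdleSignOut

$inventory = [PSCustomObject]@{
    # Unmanaged devices: AllowFullAccess / AllowLimitedAccess / BlockAccess
    UnmanagedDevices               = $tenant.ConditionalAccessPolicy
    # Whether the unmanaged-device restriction is also applied to ad hoc external recipients
    AppEnforcedRestrictionsToAdHoc = $tenant.ApplyAppEnforcedRestrictionsToAdHocRecipients
    # Idle session sign-out
    IdleSignOutEnabled             = $idle.Enabled
    IdleWarnAfter                  = $idle.WarnAfter
    IdleSignOutAfter               = $idle.SignOutAfter
    # Network location (IP allow list)
    IPAddressEnforcement           = $tenant.IPAddressEnforcement
    IPAddressAllowList             = $tenant.IPAddressAllowList
    # Apps that don't use modern authentication
    LegacyAuthProtocolsEnabled     = $tenant.LegacyAuthProtocolsEnabled
}

$inventory | Format-List

# Keep a dated snapshot next to the change record for the Conditional Access work
$snapshot = ".\spo-access-control-$(Get-Date -Format yyyyMMdd).json"
$inventory | ConvertTo-Json | Set-Content -Path $snapshot
"Snapshot written to $snapshot"
```

Run it once before the Conditional Access policies go into report-only mode and once again after they are enforced; the two snapshots show which in-app settings can be returned to their permissive defaults so that each control lives in one place only.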
Modeling Your Conditional Access Policy
This should ideally apply to All Users, as we are mimicking the All Users policy settings in SharePoint.
When creating the Conditional Access Policy for the SharePoint access controls, you need to narrow the policy down so that it captures only the SharePoint apps. This covers the OneDrive for Business app as well.
Target Resource > Select Apps > Office 365 SharePoint Online
Understand your end result. GRANT or BLOCK?
In this article, I will go through the settings to make sure the end result will be a GRANT action.
Make sure to test the behavior on a pilot user group and set the policy to report-only mode to get more insight into the policy settings you need to control.
Unmanaged Devices
This setting is about devices that are Entra joined or Entra hybrid joined, or that are compliant in Microsoft Intune. While there are three options in the SPO setting, all of them can be moved to CA Policies.
🏷️Conditional Access Policy Control
Allow full access can be set without any CA Policy control.
Allow limited, web-only access can be set up with the CA Policy control below.
Block access, so that unmanaged devices will not be able to access SharePoint at all.
People outside the organization will be affected when you use Conditional Access Policies to block or limit access from unmanaged devices. If users have shared items with specific people (who must enter a verification code sent to their email address), you can exempt them from this policy by running the following command:
Set-SPOTenant -ApplyAppEnforcedRestrictionsToAdHocRecipients $false
Idle session sign-out
🏷️Conditional Access Policy Control
Network Location
This section uses IP-based restrictions so the devices should be in the given IP range to be able to access SharePoint and OneDrive.
🏷️Conditional Access Policy Control
Make sure you have created the Trusted Locations as a prerequisite so it can be adopted in this section.
I have marked two options below. If you have specific network(s), go with the last option.
Apps that don’t use modern Authentication
🏷️Conditional Access Policy Control
By now, there should already be a Conditional Access Policy to BLOCK access for clients that do not use modern authentication, so I will not go through this section. During the policy modeling, we identified that the policy will be a GRANT action. In that case, make sure you have a separate Conditional Access Policy to block all apps that use legacy authentication methods.
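The sections above (unmanaged devices, idle session sign-out, network location and legacy authentication) all come down to policy objects in Entra. The following is an added example, not code from the original article or from Microsoft, that builds those policies with the Microsoft Graph PowerShell SDK. Every policy is created in report-only state and scoped to a pilot group, as recommended earlier. Assumptions: the group object IDs and the CIDR range are constructed placeholders; the application ID is the well-known first-party ID of Office 365 SharePoint Online; idle session sign-out is modelled here with the sign-in frequency session control, since the article's screenshot of that control is not reproduced on this page; the SPO IP allow list is mirrored as a separate block policy, because a pure GRANT policy cannot restrict access to a network range.

```powershell
# Added example: Conditional Access policies that mirror the SharePoint Online
# access-control settings, created in report-only state for a pilot group.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$spoAppId       = "00000003-0000-0ff1-ce00-000000000000"   # Office 365 SharePoint Online (covers OneDrive for Business)
$pilotGroupId   = "<PILOT-GROUP-OBJECT-ID>"                # placeholder
$excludeGroupId = "<BREAK-GLASS-GROUP-OBJECT-ID>"          # placeholder, keep emergency accounts out of every policy

# Prerequisite for the Network Location section: a trusted Named Location for the corporate egress range
$corpNetwork = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate egress (example)"
    isTrusted     = $true
    ipRanges      = @(@{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" })  # constructed range
}
"Trusted location created: $($corpNetwork.Id)"

$pilotUsers = @{ includeGroups = @($pilotGroupId); excludeGroups = @($excludeGroupId) }
$spoOnly    = @{ includeApplications = @($spoAppId) }

$policies = @(
    # Unmanaged devices -> "Allow limited, web-only access": browser sessions get app-enforced
    # restrictions (SharePoint limits download/print/sync) and must re-authenticate hourly
    # (assumption: sign-in frequency stands in for the idle session sign-out setting).
    @{
        displayName     = "SPO - Limited web access, hourly re-auth (report-only)"
        state           = "enabledForReportingButNotEnforced"
        conditions      = @{ users = $pilotUsers; applications = $spoOnly; clientAppTypes = @("browser") }
        sessionControls = @{
            applicationEnforcedRestrictions = @{ isEnabled = $true }
            signInFrequency = @{ isEnabled = $true; frequencyInterval = "timeBased"; type = "hours"; value = 1
                                 authenticationType = "primaryAndSecondaryAuthentication" }
        }
    },
    # Unmanaged devices, desktop and mobile clients: GRANT only to compliant or hybrid-joined devices.
    @{
        displayName   = "SPO - Managed device for desktop and mobile apps (report-only)"
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{ users = $pilotUsers; applications = $spoOnly; clientAppTypes = @("mobileAppsAndDesktopClients") }
        grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice", "domainJoinedDevice") }
    },
    # Network location: the SPO IP allow list is a hard restriction, so its mirror is a block
    # for every location except the trusted ones (kept separate, like the legacy-auth block).
    @{
        displayName   = "SPO - Block outside trusted locations (report-only)"
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{ users = $pilotUsers; applications = $spoOnly
                           clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
                           locations = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") } }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    },
    # Apps that don't use modern authentication: block legacy protocols for all apps, not only SharePoint.
    @{
        displayName   = "Block legacy authentication (report-only)"
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{ users = @{ includeUsers = @("All"); excludeGroups = @($excludeGroupId) }
                           applications = @{ includeApplications = @("All") }
                           clientAppTypes = @("exchangeActiveSync", "other") }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    }
)

foreach ($p in $policies) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    "{0,-62} {1}  state={2}" -f $created.DisplayName, $created.Id, $created.State
}
```

Review the report-only sign-in logs for the pilot group before switching the state to enabled, and remember the exemption from the unmanaged-devices section: external recipients of "specific people" links are affected by the app-enforced restrictions unless Set-SPOTenant -ApplyAppEnforcedRestrictionsToAdHocRecipients $false has been run. Once these policies are enforced, the matching in-app settings can be returned to their permissive defaults so that each control is managed in one place.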
Caveat – OneDrive access restriction
This is the only section that can't be managed via Conditional Access Policies, as there is no OneDrive for Business app within Entra. As an alternative, you can use Intune policies to control access restrictions to the OneDrive for Business service.
Wrapping up, What More You Can Do?
Now that the Conditional Access Policies are in play, there are many other controls that can be adopted.
Sign-in risk and user risk (which require the Entra ID Premium P2 license) can be a great addition, as SharePoint Online specifically can contain sensitive information.
All in all, this is a good exercise to make sure all the app access policies are managed centrally and that the latest control settings are adopted.
About the Author:
Shehan Perera
Cloud First mentality and passion for Microsoft technologies. An advocate of best practices. Always Learning.
I am an experienced, self-driven, and passionate individual with a proven track record over the last 17 years in different layers of Information Technology, interfacing with both internal and external parties.
Shehan is one of Microsoft’s Most Valuable Professionals in the Security category, an official contributor to the Modern Endpoint Management LinkedIn group, and an avid blogger.
Reference:
Perera, S. (2024). Bring Your SharePoint Online Access Control Settings to Conditional Access Policies. Available at: Bring Your SharePoint Online Access Control Settings to Conditional Access Policies – EMS Route [Accessed: 26 September 2024].