Back in December 2016 I blogged about the new conditional access in Azure AD through the new Azure portal, you can read the post here: https://spanougakis.wordpress.com/2016/12/16/conditional-access-in-azuread-in-the-new-azure-portal/
The question is: do you allow your users to connect to cloud services from their personal devices? If the answer is yes, you should consider using conditional access. Good news: we can now limit a SharePoint user’s ability to download, print and sync based on the state of their device. Microsoft Intune and Azure Active Directory conditional access provide the ability to grant or block access to resources based on device state. This helps organizations ensure that content doesn’t end up on a machine that isn’t encrypted, locked, protected against malware, and so on.
But the problem is that you cannot manage ALL devices. Some users want to connect from home computers or shared machines that you do not control. Until now the only option was to block access from unmanaged devices outright. The new feature in public preview, “Limited Access to SharePoint and OneDrive”, lets you allow access to SharePoint and OneDrive from an unmanaged device by granting browser-only access with download, print, and sync disabled. Users stay productive, and you can be assured that when they sign off, no data has been left behind on the unmanaged device.
Let’s see how it works.
Enabling limited browser-only access is a two-step process:
1. First, create an Azure AD Conditional Access policy for SharePoint Online that applies only to browser client apps and uses “Use app enforced restrictions” as the session control.
2. Then open the SharePoint admin center, go to Device access and select the checkbox “Allow limited access (web-only, without the Download, Print, and Sync commands)”.
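The same two steps can be scripted. The following PowerShell is an added example, not code from the original post: it assumes the Microsoft.Graph and Microsoft.Online.SharePoint.PowerShell modules are installed, that the tenant is called “contoso”, and that the GUID below is the well-known Office 365 SharePoint Online application ID (confirm it in your own tenant before relying on it). The Graph cmdlets did not exist when the portal steps above were written, but they create the same policy object the portal does.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph and
# Microsoft.Online.SharePoint.PowerShell modules are installed and that
# "contoso" is the tenant name. Run with an account that can manage
# Conditional Access policies and the SharePoint tenant.

# --- Step 1: Conditional Access policy for SharePoint, browser only,
#             with "Use app enforced restrictions" as the session control ---
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Assumed well-known app ID of the "Office 365 SharePoint Online" service principal.
# Verify in your tenant:
#   Get-MgServicePrincipal -Filter "displayName eq 'Office 365 SharePoint Online'"
$sharePointAppId = "00000003-0000-0ff1-ce00-000000000000"

$policy = @{
    displayName = "SharePoint - browser-only access on unmanaged devices"
    # Start in report-only mode and review the sign-in logs before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # "All" is used here for illustration; scope to a pilot group first,
        # and add your break-glass accounts to excludeUsers before enforcing.
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @($sharePointAppId) }
        clientAppTypes = @("browser")           # only the browser client, as in the portal step
    }
    sessionControls = @{
        # This is the "Use app enforced restrictions" checkbox in the portal.
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# --- Step 2: tell SharePoint what "app enforced restrictions" means:
#             web-only access without the Download, Print and Sync commands ---
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

# Confirm the tenant setting took effect (expected value: AllowLimitedAccess).
Get-SPOTenant | Select-Object ConditionalAccessPolicy
```

Once the report-only sign-in logs show the expected users and devices matching the policy, switch the policy `state` to `enabled`. The other valid values for `-ConditionalAccessPolicy` are `AllowFullAccess` (the default) and `BlockAccess`, the all-or-nothing behaviour the post describes as the only option before this preview.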
After approximately 15 minutes, a user who connects to the SharePoint site from a non-compliant device sees the site in the browser with the Download, Print, and Sync commands removed.
Thanks for your time!