Bring Your SharePoint Online Access Control Settings to Conditional Access Policies

M365 services such as SharePoint Online have in-app access control settings that can be configured to block or allow user access in a very prescriptive way. While this is a widely used method, the problem is that these settings end up duplicated, ignored, or, worse, undocumented. All of these cause issues and make troubleshooting harder.

Using Conditional Access Policies wherever possible is key, as this is an area that keeps evolving and gaining new controls you can apply when granting access to apps and services.

The good news is that 99% of these settings can be managed by Conditional Access Policies. This article is about that, and about how to configure the Conditional Access Policies while the existing SharePoint policies are still in place.

  1. SharePoint Access Control Settings
  2. Modeling Your Conditional Access Policy
  3. Unmanaged Devices
    1. 🏷️Conditional Access Policy Control
  4. Idle session sign-out
    1. 🏷️Conditional Access Policy Control
  5. Network Location
    1. 🏷️Conditional Access Policy Control
  6. Apps that don’t use modern Authentication
    1. 🏷️Conditional Access Policy Control
  7. Caveat – OneDrive access restriction
  8. Wrapping up, What More You Can Do?

SharePoint Access Control Settings

SharePoint Admin Center > Policies > Access Control

Modeling Your Conditional Access Policy

This should ideally apply to All Users, as we are mimicking the All Users policy settings in SharePoint.


When creating the Conditional Access Policy for the SharePoint access controls, you need to narrow the policy down so it captures only the SharePoint apps. This also covers the OneDrive for Business app.

Target Resource > Select Apps > Office 365 SharePoint Online

Understand your end result: GRANT or BLOCK?

In this article, I will go through the settings to make sure the end result will be a GRANT action.

Make sure to test the behavior on a pilot user group, and set the policy to Report-only mode to get more insight into the settings you need to control.

Unmanaged Devices

This setting concerns devices that are Entra joined, Entra hybrid joined, or compliant in Microsoft Intune. While the SPO setting has three options, all of them can be moved to CA policies.

🏷️Conditional Access Policy Control

Allow full access: no CA policy control is needed.

Allow limited, web-only access: set up with the CA policy control shown below.

Block access: any unmanaged device will be unable to access SharePoint and OneDrive.

People outside the organization will be affected when you use Conditional Access Policies to block or limit access from unmanaged devices. If users have shared items with specific people (who must enter a verification code sent to their email address), you can exempt those recipients from this policy by running the following command in the SharePoint Online Management Shell.
Set-SPOTenant -ApplyAppEnforcedRestrictionsToAdHocRecipients $false

Idle session sign-out

🏷️Conditional Access Policy Control

This is a straightforward setting. Set the timing as required.

Network Location

This section uses IP-based restrictions, so devices must be within the given IP range to access SharePoint and OneDrive.

🏷️Conditional Access Policy Control

Make sure you have created the Trusted (named) Locations as a prerequisite so they can be selected in this section.


I have marked two options below. If you have specific networks to allow, go with the last option.

Apps that don’t use modern Authentication

🏷️Conditional Access Policy Control

By now there should already be a Conditional Access Policy that BLOCKS access for clients not using modern authentication, so I will not go through this section in detail. During policy modeling we decided the SharePoint policy will be a GRANT action; in that case, make sure you have a separate Conditional Access Policy that blocks legacy authentication for all apps.
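As an added example (not from the article), the following Microsoft Graph PowerShell script creates the two policies discussed above: a report-only GRANT policy scoped to Office 365 SharePoint Online that covers the unmanaged device, idle session and network location sections, and a separate BLOCK policy for legacy authentication. The pilot group ID is a placeholder, the one-hour sign-in frequency is an assumed value, and the location condition is modeled as "require a managed device unless on a trusted network" because the article chose a GRANT action.

```powershell
# Added example, not the article's code. Requires the Microsoft.Graph module and an
# account permitted to manage Conditional Access. Both policies start in report-only mode.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$spoAppId   = "00000003-0000-0ff1-ce00-000000000000"   # well-known app ID of "Office 365 SharePoint Online"
$pilotGroup = "<PILOT-GROUP-OBJECT-ID>"                # placeholder: object ID of your pilot group

# Policy 1: GRANT policy for SharePoint/OneDrive, mirroring the SPO access-control settings.
$spoPolicy = @{
    displayName = "CA - SharePoint Online access controls (pilot, report-only)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroup) }      # switch to includeUsers = @("All") after the pilot
        applications   = @{ includeApplications = @($spoAppId) }  # also covers OneDrive for Business
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
        # Network location: policy does not apply from trusted named locations (assumption: those exist already)
        locations      = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")   # Intune-compliant OR hybrid joined
    }
    sessionControls = @{
        applicationEnforcedRestrictions = @{ isEnabled = $true }   # limited, web-only access on unmanaged devices
        signInFrequency = @{ isEnabled = $true; type = "hours"; value = 1 }   # idle session sign-out equivalent (assumed 1 h)
    }
}

# Policy 2: separate BLOCK policy for clients that do not use modern authentication.
$legacyAuthBlock = @{
    displayName = "CA - Block legacy authentication (report-only)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")   # the two legacy client types
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($spoPolicy, $legacyAuthBlock)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "{0} -> {1} ({2})" -f $created.Id, $created.DisplayName, $created.State
}
```

Review the sign-in logs for the report-only results before changing `state` to `enabled` and widening the user scope.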

Caveat – OneDrive access restriction

This is the only section that cannot be managed via Conditional Access Policies, as there is no OneDrive for Business app within Entra. As a workaround, you can use Intune policies to control access restrictions to the OneDrive for Business service.

Wrapping up, What More You Can Do?

Now that the Conditional Access Policies are in play, you have a lot of other controls that can be adopted.

Sign-in risk and user risk controls, available with the Entra ID Premium P2 license, are a great addition, as SharePoint Online in particular can contain sensitive information.

All in all, this is a good exercise to make sure all your app access policies are managed centrally and use the latest control settings.

About the Author:

Shehan Perera

Cloud First mentality and passion for Microsoft technologies. An advocate of best practices. Always Learning.
I am an experienced, self-driven, and passionate individual with a proven track record over the last 17 years in different layers of Information Technology, interfacing with both internal and external parties.
Shehan is one of Microsoft’s Most Valuable Professionals in the Security category, an official contributor to the Modern Endpoint Management LinkedIn group, and an avid blogger.

Reference:

Perera, S. (2024). Bring Your SharePoint Online Access Control Settings to Conditional Access Policies. EMS Route. [Accessed: 26 September 2024].
