Microsoft Intune and Azure Active Directory conditional access provides the ability to grant or block access to resources based on device state. This helps organizations ensure content doesn’t get on to a machine that isn’t encrypted, locked, secure from malware, etc. This is an important aspect of securing company data. Unfortunately, not all devices can be managed. Sometimes people need to work from home computers, personal devices, or shared machines that aren’t enrolled.

Now you can allow access to SharePoint and OneDrive from an unmanaged device by granting browser-only access with download, print, and sync disabled. Users can stay productive, and you can be assured that when they sign off, no data is leaked onto the unmanaged device.

How it Works

Admin expirience:

Configuring limited browser-only access to SharePoint and OneDrive is an easy two-step process. See our limited access documentation for more detailed instructions.

  1. First create an Azure AD Conditional access policy for SharePoint that applies only to browser client apps with “use app enforced restrictions” as the session control.

  Tip: To prevent users from going around the browser policy and accessing resources from mobile and desktop applications on unmanaged devices, we recommend enabling Azure AD conditional access policy. This enables access from mobile and desktop apps only from a compliant or domain joined device.

  1. Next, go to device access in the SharePoint admin center and select the checkbox to “Allow limited access (web-only, without the Download, Print, and Sync commands)”

Note:  It can take up to 15 minutes for policy changes to take effect.

End user experience:

When accessing SharePoint and OneDrive from devices that are not compliant or domain joined, end users will see a warning banner explaining why their experience is limited.