Conditional Access policies for SharePoint are now in public preview. This helps organizations ensure content doesn’t end up on a machine that isn’t encrypted, locked, secure from malware, etc.
Now you can allow access to SharePoint and OneDrive from an unmanaged device by granting browser-only access with download, print, and sync disabled. Users can stay productive, and you can be assured that when they sign off, no data is leaked onto the unmanaged device.
How it Works:
Admin experience:
Configuring limited browser-only access to SharePoint and OneDrive is an easy two-step process.
- First, create an Azure AD Conditional Access policy for SharePoint that applies only to browser client apps, with “use app enforced restrictions” as the session control.
NOTE: To prevent users from going around the browser policy by accessing resources from mobile and desktop applications on unmanaged devices, also enable an Azure AD Conditional Access policy that allows access from mobile and desktop apps only from a compliant or domain-joined device.
- Next, go to device access in the SharePoint admin center and select the checkbox “Allow limited access (web-only, without the Download, Print, and Sync commands)”.
NOTE: It can take up to 15 minutes for policy changes to take effect.
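The same two steps, plus the companion policy from the NOTE and a verification query, as they would be scripted from PowerShell rather than clicked through the Azure and SharePoint portals. This is an added example, not code from the original post or from Microsoft; it assumes the Microsoft.Graph and Microsoft.Online.SharePoint.PowerShell modules are installed, that the signed-in account can manage Conditional Access and the SharePoint tenant, and that the tenant name `contoso` is a placeholder. Both Conditional Access policies are created in report-only state so their effect can be reviewed in the sign-in logs before enforcement.

```powershell
# Added example (not from the original post): both steps of the procedure above,
# done from PowerShell instead of the portals. Assumes the Microsoft.Graph and
# Microsoft.Online.SharePoint.PowerShell modules are installed and that the
# signed-in account can manage Conditional Access and the SharePoint tenant.

$TenantName = 'contoso'   # placeholder, replace with your tenant name
# Well-known application ID of Office 365 SharePoint Online in Azure AD
$SharePointAppId = '00000003-0000-0ff1-ce00-000000000000'

# ---- Step 1: Azure AD Conditional Access ----
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# Policy A: browser sessions to SharePoint get app-enforced restrictions,
# which is what lets SharePoint apply its limited web-only experience.
$browserPolicy = @{
    displayName = 'SharePoint - browser sessions use app enforced restrictions'
    # Report-only first; switch to 'enabled' after reviewing the sign-in logs.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All') }
        applications   = @{ includeApplications = @($SharePointAppId) }
        clientAppTypes = @('browser')
    }
    sessionControls = @{
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $browserPolicy

# Policy B (the NOTE above): mobile and desktop clients may reach SharePoint
# only from a compliant or domain-joined device, so a user cannot sidestep the
# browser-only restriction by opening the desktop or mobile app instead.
$clientPolicy = @{
    displayName = 'SharePoint - rich clients require compliant or domain-joined device'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All') }
        applications   = @{ includeApplications = @($SharePointAppId) }
        clientAppTypes = @('mobileAppsAndDesktopClients')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice', 'domainJoinedDevice')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $clientPolicy

# ---- Step 2: SharePoint admin setting ----
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"

# Equivalent of the "Allow limited access (web-only, without the Download,
# Print, and Sync commands)" checkbox in the SharePoint admin center.
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

# ---- Verification ----
# Expect ConditionalAccessPolicy = AllowLimitedAccess; allow up to 15 minutes
# before testing from an unmanaged device.
Get-SPOTenant | Select-Object ConditionalAccessPolicy

# Confirm both policies exist and are still report-only before enforcing them.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.DisplayName -like 'SharePoint - *' } |
    Select-Object DisplayName, State
```

Two practical points when running this: add your emergency-access (break-glass) accounts to `excludeUsers` in both policies before switching `state` to `enabled`, so a misconfiguration cannot lock administrators out; and keep the `Get-SPOTenant` check, because the Azure AD policy only signals "app enforced restrictions" to SharePoint, and without `AllowLimitedAccess` set on the tenant side that signal changes nothing for the user.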
End-user experience:
When accessing SharePoint and OneDrive from devices that are not compliant or domain-joined, end users will see a warning banner explaining why their experience is limited.