In this blog post I will show you how to secure access to your SharePoint Online data with just a few simple settings. I will show you how to block apps that don't use modern authentication, so that we can enforce multi-factor authentication. I will also show you how to allow full access to your SharePoint Online data only from managed devices.
Require modern authentication
One of our company requirements is to allow access to company data from an external location only when multi-factor authentication (MFA) is enabled. To successfully use MFA, an application must support modern authentication. For that reason we want to block all applications that don't support modern authentication.
To block those applications from accessing SharePoint Online, we only need to change one setting in the SharePoint Admin Center. In the SharePoint Admin Center navigate to Access control. Select Block under Apps that don't use modern authentication and click OK to save your settings. This is all it takes to block apps that don't use modern authentication.
As you may have noticed, on the same page you can also restrict access to SharePoint Online to specific IP addresses.
Conditional access policies
To control access to your SharePoint Online data we can use conditional access policies. With conditional access policies we are able to control whether access to your data is allowed from unmanaged devices (a managed device is one that is Azure AD joined or marked compliant). When we do allow access from unmanaged devices, we have the option to only allow limited access through a web browser.
To use those conditional access policies, we need a subscription to Enterprise Mobility & Security (EMS).
When you have purchased an EMS subscription and navigate to Access control, you will see an extra option. Under Unmanaged devices we are able to choose Allow full access, Allow limited or Block access. I will select Allow limited, web-only access. This allows users to access company data from any device, but they are not able to sync, download or print the data.
Notice that when you set access to limited or block, Apps that don't use modern authentication is automatically set to Block.
Setting these two options results in two Conditional access policies being created in the background.
Move over to the Azure portal to see what happened in the background. Navigate to Azure Active Directory, Conditional Access, Policies. Here you see two newly created policies, both starting with [SharePoint admin center].
The first policy, Block access from apps on unmanaged, is assigned to All Users and the cloud app Office 365 SharePoint Online is targeted.
Under conditions, Client apps is set to Mobile apps and desktop clients.
The access control is set to Grant, but it requires one of the following conditions: Compliant or Azure AD joined.
In short: access to SharePoint Online is granted when using a mobile or desktop application that is running on a managed device.
The second policy, Use app-enforced Restriction for browser access, is also assigned to All users and SharePoint Online, but the client app is set to Browser.
Access control is set to Use app enforced restrictions.
In short: access to SharePoint Online using a browser is granted, but with some restrictions.
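The same two Access control settings applied from PowerShell, followed by a check of the two policies they create, as an added example that is not part of the original post. It assumes the SharePoint Online Management Shell and Microsoft Graph PowerShell modules are installed, and "contoso" is a placeholder for your own tenant name.

```powershell
# Added example (not from the original post): apply the two Access control settings
# with the SharePoint Online Management Shell, then confirm the resulting
# "[SharePoint admin center]" conditional access policies via Microsoft Graph.
# Assumption: "contoso" is a placeholder for your tenant name.

# --- 1. SharePoint admin center > Access control, as PowerShell ---
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# "Apps that don't use modern authentication": Block
Set-SPOTenant -LegacyAuthProtocolsEnabled $false

# "Unmanaged devices": Allow limited, web-only access
# (the other values are AllowFullAccess and BlockAccess)
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

# Verify: expect LegacyAuthProtocolsEnabled = False and
# ConditionalAccessPolicy = AllowLimitedAccess
Get-SPOTenant | Select-Object LegacyAuthProtocolsEnabled, ConditionalAccessPolicy

# --- 2. Check the policies created in the background in Azure AD ---
Connect-MgGraph -Scopes "Policy.Read.All"

Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.DisplayName.StartsWith("[SharePoint admin center]") } |
    ForEach-Object {
        [PSCustomObject]@{
            Name           = $_.DisplayName
            State          = $_.State
            # "mobileAppsAndDesktopClients" for the first policy, "browser" for the second
            ClientAppTypes = ($_.Conditions.ClientAppTypes -join ", ")
            # first policy: compliantDevice / domainJoinedDevice with operator OR
            GrantControls  = ($_.GrantControls.BuiltInControls -join ", ")
            GrantOperator  = $_.GrantControls.Operator
            # second policy: app-enforced restrictions enabled as a session control
            AppEnforced    = $_.SessionControls.ApplicationEnforcedRestrictions.IsEnabled
        }
    } | Format-Table -AutoSize
```

Running the Graph part before and after the SharePoint settings change makes it easy to see that the two policies only appear once the settings are saved.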
End-user experience
Now let's have a look at the end-user experience.
When using an unmanaged device to access SharePoint Online data, the user is able to access the data, but with some restrictions. At the top of the SharePoint page a message is shown explaining the restriction. It also explains what the user needs to do to use those options (use a device that's joined to a domain or marked compliant).
When opening a SharePoint document the same message is shown.
In a next blog post I will go further into securing SharePoint data. In that article I will show how to use Office 365 labels, DLP policies and Information Protection.
1 Comment
Thank you so much for your very nice explanations. I did the same as you defined; hopefully it will meet my goals.
Again thank you so much you helped me a lot.