Close Menu
Peter Klapwijk – In The Cloud 24-7Peter Klapwijk – In The Cloud 24-7
    Facebook X (Twitter) Instagram
    Peter Klapwijk – In The Cloud 24-7Peter Klapwijk – In The Cloud 24-7
    • Home
    • Intune
    • Windows
      • Modern Workplace
    • macOS
    • Android
    • iOS
    • Automation
      • Logic Apps
      • Intune Monitoring
      • GitHub
    • Security
      • Passwordless
      • Security
    • Speaking
    • About me
    Peter Klapwijk – In The Cloud 24-7Peter Klapwijk – In The Cloud 24-7
    Home»Intune»Secure SharePoint Online data
    Intune

    Secure SharePoint Online data

    Peter KlapwijkBy Peter KlapwijkSeptember 7, 2018Updated:December 3, 201914 Mins Read

    In this blog post I will show you how to secure access to your SharePoint Online data with just a few simple settings. I will show you how to block apps that don`t use modern authentication, so we can enforce multi-factor authentication. I will also show you how to only allow full access to your SharePoint Online data using managed devices.

    Require modern authentication

    One of our company requirements is to allow external access to company data from an external location, only when multi-factor authentication (MFA) is enabled. To succesfully use MFA, an application must support modern authentication. For that reason we want to block all applications that don`t support modern authentication.

    To block those applications to access SharePoint Online, we only need to set one setting in the SharePoint Admin Center. In the SharePoint Admin center navigate to Access control. Check Block under Apps that don`t use modern authentication and click OK to save your settings. This is all it takes to block apps that don`t use modern authentication.
    As you may have noticed, on the same page you are able to only allow access to SharePoint Online based on IP addresses.

    SharePoint Admin center

    Access control

    Conditional access policies

    To control access to your SharePoint Online data we can use conditional access policies. With conditional access policies we are able to control if access to your data is allowed using unmanaged devices (is the device Azure AD joined or compliant). When we do allow access, we have the option to only allow limited access through a web browser.
    To use those conditional access policies, we need a subscription to Enterprise Mobility & Security (EMS).
    When you have purchased an EMS subscription and navigate to Access control you see we have an extra option. Under Unmanaged devices we are able to choose Allow full access, Allow limited or Block access. I will check Allow limited, web-only access. This will allow the users to access company data using any devices, but they are not able to sync, download or print the data.
    Notice that when you set access to limited or block, Apps that don`t use modern authentication is automatically set to Block.

    SharePoint Admin center

    Setting these two options, results in the background that two Conditional access policies are created.
    Move over to the Azure portal to see what happened in the background. Navigate to Azure Active Directory, Conditional Access, Policies. Here you see two newly created policies, both starting with [SharePoint admin center].

    Conditional Access policies

    Your subtitle here

    The first policy, Block access from apps on unmanaged, is assigned to All Users and the cloud app Office 365 SharePoint Online is targeted.


    Conditional Access policies

    Under conditions, Client apps is set to Mobile apps and destop clients.


    Conditional Access policies

    The access control is set to Grant, but it requires one of the conditions; Compliant or Azure AD joined.
    In short; access to SharePoint Online is granted when using a mobile or desktop application, which is running on a managed devices.


    Conditional Access policies

    The second policy, User app-enforced Restriction for browser access, is also assigned to All users and SharePoint Online, but the client app is set to Browser.


    Conditional Access policies

    Access control is set to Use app enforced restrictions.
    In short; access to SharePoint online using a browser is granted, but with some restrictions.


    Conditional Access policies

    Your e

    End-user experience

    Now let`s have a look at the end-user experience.
    When using an unmanaged device to access SharePoint Online data, the user is able to access the data, but with some restrictions. At the top of the SharePoint page a message is shown with the explanation about the restriction. It also explains what the user needs to do to use those options (use a device that`s joined to a domain or marked compliant).


    End-user Experience

    When opening a SharePoint document the same message is shown.


    End-user Experience

    Your subtitle here

    In a next blog post I will go further in securing SharePoint data. In that article I will show how to use Office 365 labels, DLP Policies and Information Protection

    Azure AD EMS Intune Microsoft 365 Office 365 Security SharePoint Online
    Share. Facebook Twitter LinkedIn Email WhatsApp
    Peter Klapwijk
    • Website
    • X (Twitter)
    • LinkedIn

    Peter is a Security (Intune) MVP since 2020 and is working as Modern Workplace Engineer at Wortell in The Netherlands. He has more than 15 years of experience in IT, with a strong focus on Microsoft technologies like Microsoft Intune, Windows, and (low-code) automation.

    Related Posts

    Free online courses for Microsoft 365, Azure and Dynamic 365

    December 15, 2018

    Deploy Win32 apps with Microsoft Intune

    November 1, 2018

    Specify preferred Azure AD Domain with Intune

    August 7, 2018
    View 1 Comment

    1 Comment

    1. Zubair on October 19, 2020 10:35

      Thank you so much for your so nice explanations. I did the same as you defined, hopefully it will get my goals.
      Again thank you so much you helped me a lot.

      Reply
    Leave A Reply Cancel Reply

    Peter Klapwijk

    Hi! Welcome to my blog post.
    I hope you enjoy reading my articles.

    Hit the About Me button to get in contact with me or leave a comment.

    Awards
    Sponsor
    Latest Posts

    Update Windows Defender during Windows Autopilot enrollments

    May 16, 2025

    Hide the “Turn on an ad privacy feature” pop-up in Chrome with Microsoft Intune

    April 19, 2025

    How to set Google as default search provider with Microsoft Intune

    April 18, 2025

    Using Windows Autopilot device preparation with Windows 365 Frontline shared cloud PCs

    April 13, 2025
    follow me
    • Twitter 4.8K
    • LinkedIn 6.1K
    • YouTube
    • Bluesky 1.5K
    Tags
    Administrative Templates Android Automation Autopilot Azure Azure AD Browser Conditional Access Edge EMS Exchange Online Feitian FIDO2 Flow Google Chrome Graph Graph API Identity Management Intune Intune Monitoring iOS KIOSK Logic Apps macOS MEM MEMMonitoring Microsoft 365 Microsoft Edge Microsoft Endpoint Manager Modern Workplace Office 365 OneDrive for Business Outlook Passwordless PowerApps Power Automate Security SharePoint Online Teams Windows Windows 10 Windows10 Windows 11 Windows Autopilot Windows Update
    Copy right

    This information is provided “AS IS” with no warranties, confers no rights and is not supported by the authors, or In The Cloud 24-7.

     

    Copyright © 2025 by In The Cloud 24-7/ Peter Klapwijk. All rights reserved, No part of the information on this web site may be reproduced or posted in any form or by any means without the prior written permission of the publisher.

    Shorthand; Don’t pass off my work as yours, it’s not nice.

    Recent Comments
    • Adam on Get notified on expiring Azure App Registration client secrets
    • Peter Klapwijk on Update Windows Defender during Windows Autopilot enrollments
    • Rob van de Ven on Add a certificate to the Trusted Publishers with Intune without reporting errors
    • Carl on Update Windows Defender during Windows Autopilot enrollments
    • Peter Klapwijk on The next step in a passwordless Windows experience
    most popular

    Application installation issues; Download pending

    October 1, 2024

    Restrict which users can logon into a Windows 10 device with Microsoft Intune

    April 11, 2020

    How to change the Windows 11 language with Intune

    November 11, 2022

    Update Microsoft Edge during Windows Autopilot enrollments

    July 9, 2024
    Peter Klapwijk – In The Cloud 24-7
    X (Twitter) LinkedIn YouTube RSS Bluesky
    © 2025 ThemeSphere. Designed by ThemeSphere.

    Type above and press Enter to search. Press Esc to cancel.

    Manage Cookie Consent
    To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
    Functional Always active
    The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
    Preferences
    The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
    Statistics
    The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
    Marketing
    The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
    Manage options Manage services Manage {vendor_count} vendors Read more about these purposes
    View preferences
    {title} {title} {title}