Why do we need to deal with unmanaged devices, and what are my options? As we all know, times are changing, and employees are working in different ways than they did some years ago. Employees are only sometimes on the corporate network anymore; they work with data in the cloud, from home, or even from personal (unmanaged) devices. If employees work from unmanaged devices, we cannot expect them to be secure since we have no control over them.

So, how do we deal with those unmanaged devices accessing our corporate data on online services such as SharePoint Online, Microsoft Teams, Exchange Online, and OneDrive? When dealing with this question, there are multiple options to consider.

Today, in this blog, we’ll use the app-enforced restrictions setting in Conditional Access to enforce limited web-only access, which is user-friendly but still effective in dealing with risks. The post will include the following sections;

• Licensing
• Managing corporate devices
• Browsers
• SharePoint and OneDrive integration with Azure B2B
• Pre-configure SharePoint Online
• Pre-configure Exchange Online
• Configure Conditional Access policies
• User Experience
• Wrap up

Licensing

Let’s start with some basic licensing requirements:

• Azure Active Directory Plan 1 license for implementing Conditional Access policies.
• Microsoft Intune license for managing corporate devices and compliance policies.
• SharePoint Online and Exchange Online license for users accessing the company data.

Luckily, even small business companies can use these features because these licenses are all included in the Microsoft 365 Business Premium subscription.

Managing corporate devices

Now, let’s ensure Microsoft Intune is properly managing our corporate devices; otherwise, we cannot separate unmanaged from managed devices, and our limited access policies will apply to all devices.

You can verify this by following these steps;

1. Go to Microsoft Entra admin center and navigate to Devices > All Devices.
2. Verify that all corporate devices are;
   • Azure AD joined, or Hybrid Azure AD joined.
   • Managed by Microsoft Intune.
   • Compliant with Compliance Policies.

Lastly, let’s search for Azure AD-registered devices managed by Microsoft Intune.

3. Click on Add Filter and use the “Join Type” and “MDM” filters to check for any “Azure AD Registered” devices that Microsoft Intune manages.

Some companies choose to actively manage corporate devices that are “Azure AD Registered” devices. Based on my experience, though, most of the time, these devices should not be on this list. They are “Personal” devices that were accidentally or intentionally enrolled in Microsoft Intune by the user, or they are “Corporate” devices that have been improperly installed and configured by IT personnel.

To prevent these personal devices from becoming Intune-managed, we must disable personal device enrollments. I wrote a quick and easy guide for you on how to disable personal device enrollments by configuring enrollment restrictions in Microsoft Intune.

Browsers

Before implementing the Conditional Access policies, it is important to understand that Microsoft 365 can only determine if a device is managed and compliant if the sign-in happens from a managed browser. If the user signs in using Microsoft Edge, there won’t be any issues. However, if they use Google Chrome or Firefox, it can still work, but you need to either install the “Windows Accounts” extension for Google Chrome or enable Single Sign-On for Mozilla Firefox. You can find my quick guide on how to enable this here.

SharePoint and OneDrive integration with Entra ID B2B

Before starting, we should determine whether the policies should apply to guest and member accounts. Even if you decide not to use the policies for guests, you shouldn’t skip this step.

This may seem strange, but there’s a reason for it. When someone shares a file, folder, or site with a guest in SharePoint and OneDrive, they do NOT automatically receive an Entra ID B2B guest account. As a result, you won’t be able to enforce Conditional Access policies on them. To resolve this issue, you can enable the SharePoint and OneDrive integration with Entra ID B2B.

Simply download and connect to the SharePoint Online Management Shell and use the following cmdlet;

By making this change, an Entra ID B2B account will be created for guests automatically whenever they access SharePoint and OneDrive links in the future. Users won’t have to reshare anything unless a sharing link is used that was created by a user who no longer exists. This change will not only allow you to enforce Conditional Access policies on these guests but they will also no longer require a Microsoft account. (read more about the integration here)

This change becomes especially important if you decide to exclude guests from the limited access policies. If you don’t do this, SharePoint and OneDrive guests will be impacted by your conditional access policy, as you won’t be able to exclude these types of guests. You can read more about the integration here.

Pre-Configure SharePoint Online

Follow these steps to pre-configure SharePoint Online (also OneDrive and MS Teams) to be able to handle app-enforced restrictions within Conditional Access Policies;

1. Go to the SharePoint Admin Center, navigate to Policies, and click on Access Control.
2. Click on the Unmanaged Devices setting.

3. Select the Allow limited, web-only access setting.
4. Click Save.

Optional: If you prefer doing this with PowerShell (the outcome is the same), you can use the cmdlet and parameter below.

This change creates two Conditional Access policies, which we can find inside the Microsoft Entra Admin Center.

5. Go to Microsoft Entra Admin Center and navigate to Protect and Secure > Conditional Access
6. Go to Policies and notice the newly created Conditional Access policies.
7. Now, we will click on both policies individually and turn them Off for now. (we will come back to those later)

We are turning off the policies to prevent them from affecting our users, as we want to make some policy changes first. Do not try to create the “Use app-enforced restrictions for browser access” policy manually without changing the setting within the SharePoint Admin Center because the policy won’t take effect. Also, do not delete the Conditional Access policies; otherwise, you must recreate them by flipping the switch off and on within the SharePoint Admin Center.

I think Microsoft is making these steps unnecessarily complex, but we will have to deal with it for now.

Pre-Configure Exchange Online

Follow these steps to pre-configure Exchange Online to be able to handle app-enforced restrictions within Conditional Access Policies;

1. Connect to the Exchange Online Management Shell.
2. Use the following cmdlet to check if the feature has been turned on. (by default, it is turned off)

3. Use the following cmdlet to turn the feature on.

4. Repeat step 2 to check if the feature has been correctly enabled. (it should say read-only now)

After turning the feature on, we can now configure the Conditional Access Policies.

Configure Conditional Access Policies

First, let me explain what these policies do before we configure them.

Block access from apps on unmanaged devices: This policy blocks desktop app access to Exchange Online and SharePoint Online for users who work with unmanaged devices. Some examples of ways this policy can impact the user experience are;

• Users can no longer synchronize OneDrive and SharePoint sites with the OneDrive client from unmanaged devices.
• Users cannot sign in to Office apps like Word, Excel, and PowerPoint from unmanaged devices.

Use-app-enforced restrictions for browser access: This policy limits how users can work with Exchange Online and SharePoint Online from browsers. Some examples of ways this policy can impact the user experience are; 

• Users cannot download attachments or print or sync files from unmanaged devices.
• Users working from un-supported browsers (see earlier paragraph) on managed devices will experience the same limited access controls as those on unmanaged devices.
• SharePoint sites with custom web parts or images won’t display for users on unmanaged devices. I’ve even seen some cases of sites relying on certain web parts that would completely deny access to the user. However, there is a workaround! You can exempt the site assets library for a specific site using the SPList API.

Now that you know what the policies do, let’s configure them by following these steps;

1. Go to Microsoft Entra admin center and navigate to Protect and Secure > Conditional Access
2. Go to Policies.
3. Open the “[SharePoint admin center]Block access from apps on unmanaged devices” policy, and in another browser tab, open the “[SharePoint admin center]Use-app-enforced restrictions for browser access” policy.

4. Make changes to the Conditional Access policies as described in the tables below.

Please note that these are my recommendations; they may not fit your company precisely, so add exclusions or make other necessary changes if that fits your company policies better.

[SharePoint admin center]Block access from apps on unmanaged devices

[SharePoint admin center]Use-app-enforced restrictions for browser access

Now, prepare to turn on the policy. I recommend testing and scoping the policies to pilot users before implementing them company-wide. This way, you can make the necessary changes that fit your company.

User Experience

Lastly, let me show you some visual examples of the user experience on the web after implementing the “Use-app-enforced restrictions for browser access” Conditional Access policy.

Wrap up

To wrap up this post, the app-enforced restrictions setting in Conditional access is an effective approach to reduce security risks associated with unmanaged devices. While the configuration process may be slightly complex in comparison to session policies, this method is accessible to small businesses with the Microsoft Business Premium license. In contrast, session policies are only available within the Microsoft 365 E3 license.

Limited Access with Conditional Access for Unmanaged Devices