Microsoft Entra, February 15, 2023

How to use Conditional Access to configure limited web-only access for unmanaged devices

Why do we need to deal with unmanaged devices, and what are the options? Times are changing and employees do not work the way they did a few years ago. They are no longer always on the corporate network: they work with data in the cloud, from home, and even from personal (unmanaged) devices. If employees work from unmanaged devices we cannot expect those devices to be secure, because we have no control over them. So how do we deal with unmanaged devices accessing corporate data in online services such as SharePoint Online, Microsoft Teams, Exchange Online and OneDrive? There are several options to consider.

Some bad options are:

  • You could allow unmanaged devices and accept the risk of data loss, unauthorized access and cyberattacks. A very user-friendly option, but not effective at all at dealing with the risks.
  • You could allow personal devices and require them to register with Azure Active Directory so you can manage them with Microsoft Intune. I wouldn't recommend doing this, because you end up with far too much control over private devices that the company does not own. Remember that the reason to manage devices is to be able to enforce security policies on them.
  • You could use Windows Information Protection (WIP) to protect only the company data on unmanaged Windows devices and leave the user's own data alone. Sadly, Microsoft has announced the deprecation of WIP for Windows, so this is no longer an option to consider. The equivalent approach for iOS and Android, Intune app protection policies (also referred to as Mobile Application Management, MAM), is still available and supported and is a good choice to consider for mobile devices.

Some better options are:

  • You could outright block all unmanaged devices and only allow managed devices to access corporate data. Not a very user-friendly way to deal with this, but it is effective.
  • You could let employees work from their personal device and have them connect to a virtualized environment like Azure Virtual Desktop or a Windows 365 Cloud PC. This way you can block unmanaged devices and still let employees work from any device they want; this is both user-friendly and effective.
  • You could give employees limited, web-only access to corporate data while working from unmanaged devices, which is user-friendly and still an effective way of dealing with the risks.

In this blog I will guide you through the steps on how to use Conditional Access Policies to configure limited web-only access for unmanaged devices.

Preparation

Let's start with the basic licensing requirements:

  • Azure Active Directory Premium P1 license; for implementing Conditional Access policies.
  • Microsoft Intune license; for managing corporate devices and compliance policies.
  • SharePoint Online and/or Exchange Online license; for the users accessing the company data.

Since all of these are included in the Microsoft 365 Business Premium subscription and above, most companies won't have to worry about licensing.

Besides licensing, let's make sure your corporate devices are being managed by Microsoft Intune. You can verify this by following these steps:

  1. Go to the Microsoft Entra admin center and navigate to Devices > All Devices.
  2. Verify that all corporate devices are:
    • Azure AD joined or Hybrid Azure AD joined.
    • Managed by Microsoft Intune.
    • Compliant with your compliance policies.

Lastly, let's search for Azure AD registered devices that are being managed by Microsoft Intune.

  1. Click on Add Filter and use the “Join Type” and “MDM” filters to check for any “Azure AD Registered” devices that are managed by Microsoft Intune.

Some companies choose to actively manage corporate devices that are “Azure AD Registered” devices. Based on my experience though, most of the time, these devices should not have been on this list. They are either “Personal” devices that were accidentally or intentionally enrolled in Microsoft Intune by the user or they are “Corporate” devices that have been improperly installed and configured by IT personnel.

If you encounter any personal devices in this list that are "Intune Managed", you should stop the enrollment. If you decide to ignore them, understand that a personal device that is Intune-enrolled and marked compliant satisfies the "Require device to be marked as compliant" grant control, so the Conditional Access policies below will treat it as a managed device and give it full access.

Enrollment Restrictions

If you want to prevent personal devices from becoming Microsoft Intune managed in the first place, you should implement "Enrollment Restrictions".

Follow these steps to configure them (or skip this section if you don't need it):

  1. Open the Microsoft Endpoint Manager admin center and navigate to Devices.
  2. Navigate to Enrollment > Device platform restrictions.
  3. Click on the Windows Restrictions tab.
  4. Click on the "All Users" policy to change the "Default" (global) policy.

As an optional step, if you wish to test the policy or limit its scope to a specific set of users, click on the "Create Restriction" button to create a custom policy. Also consider blocking device platforms that you are not actively managing at the moment; if you don't, you run the risk of unwanted devices being managed by Microsoft Intune.

  1. Click on Properties and edit the “Platform Settings”.
  2. Select the Block option for personally owned Windows devices (and any other platforms).
  3. Click on the Review + save button and then on the save button again.

Take note that after configuring the enrollment restriction policy, administrators will need to use one of the following methods, which mark the device as corporate-owned, to enroll corporate devices:

    • Windows Autopilot
    • Group Policy or Configuration Manager co-management
    • A bulk provisioning package
    • Enrollment by an administrator using a Device Enrollment Manager (DEM) account

Users trying to enroll a personal device will see an error message and the enrollment will fail.

Browsers

Before implementing the Conditional Access policies, it is important to know that Microsoft 365 can only determine whether a device is compliant (with the device compliance policies) if the sign-in happens from a browser that can present the device identity. If the user works in Microsoft Edge and is signed in to Edge with the work account, Microsoft 365 can see that the sign-in comes from a compliant device. But what if the user works with any other browser? Then Microsoft 365 cannot check device compliance unless you install the "Windows Accounts" extension in Google Chrome or enable Windows single sign-on (the WindowsSSO enterprise policy) in Mozilla Firefox. Peter van der Woude wrote a great blog about how to install the "Windows Accounts" extension in Google Chrome. (link)
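As an added example (not from the original post or Peter van der Woude's blog), the PowerShell script below deploys both browser settings to a managed Windows device in one go: the Chrome ExtensionInstallForcelist policy for the "Windows Accounts" extension and the Firefox WindowsSSO enterprise policy in policies.json. It assumes it runs elevated (for example as an Intune PowerShell script), that Firefox is installed in its default 64-bit location, and that the extension ID shown matches the Chrome Web Store listing; confirm that ID before deploying.

```powershell
# Added example: make Chrome and Firefox on a managed Windows device able to present
# the device identity to Azure AD so device-compliance checks work in the browser.
# Assumptions: run elevated; Firefox default install path; extension ID verified
# against the Chrome Web Store listing for "Windows Accounts".

$WindowsAccountsExtensionId = 'ppnbnpeolgkicgegkbkbjmhlideopiji'   # verify before use

# --- Chrome: force-install the Windows Accounts extension -----------------------
# ExtensionInstallForcelist entries are numbered REG_SZ values of "<id>;<update URL>".
$chromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
New-Item -Path $chromePolicy -Force | Out-Null

$existing = (Get-ItemProperty -Path $chromePolicy).PSObject.Properties |
    Where-Object { $_.Name -match '^\d+$' }
$alreadyPresent = $existing | Where-Object { $_.Value -like "$WindowsAccountsExtensionId;*" }

if (-not $alreadyPresent) {
    # Use the next free index so extensions other admins forced are not overwritten.
    $nextIndex = if ($existing) {
        ([int[]]$existing.Name | Measure-Object -Maximum).Maximum + 1
    } else { 1 }
    New-ItemProperty -Path $chromePolicy -Name $nextIndex -PropertyType String `
        -Value "$WindowsAccountsExtensionId;https://clients2.google.com/service/update2/crx" | Out-Null
}

# --- Firefox: enable Windows SSO through the enterprise policy file -------------
# WindowsSSO lets Firefox use the Windows / Azure AD sign-in (Firefox 91 and later).
# Merge into an existing policies.json instead of replacing other policies.
$firefoxDir   = Join-Path $env:ProgramFiles 'Mozilla Firefox\distribution'
$policiesFile = Join-Path $firefoxDir 'policies.json'
New-Item -ItemType Directory -Path $firefoxDir -Force | Out-Null

$policies = if (Test-Path $policiesFile) {
    Get-Content -Path $policiesFile -Raw | ConvertFrom-Json
} else {
    [pscustomobject]@{ policies = [pscustomobject]@{} }
}
if (-not $policies.policies) {
    $policies | Add-Member -NotePropertyName policies -NotePropertyValue ([pscustomobject]@{}) -Force
}
$policies.policies | Add-Member -NotePropertyName WindowsSSO -NotePropertyValue $true -Force
$policies | ConvertTo-Json -Depth 10 | Set-Content -Path $policiesFile -Encoding UTF8

# --- Show what was written so the result can be checked on the device ----------
Get-ItemProperty -Path $chromePolicy | Select-Object -Property * -ExcludeProperty PS*
Get-Content -Path $policiesFile
```

Edge needs no policy for this, but the user must be signed in to the Edge profile with the work account; a plain web sign-in inside a personal profile is not enough for the device identity to be sent.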

SharePoint and OneDrive integration with Azure AD B2B

A last thing before we start, we should determine whether the policies should apply to both guest and member accounts. Even if you decide not to apply the policies to guests, you should not skip this step.

It’s important to note that guests in SharePoint and OneDrive do NOT automatically receive an (Azure AD B2B) guest account when someone shares a file, folder, or site with them. As Conditional Access policies can only be enforced on guests with an Azure AD B2B guest account, you should consider making this change to your environment.

SharePoint and OneDrive integration with Azure AD B2B to the rescue!

Simply download the SharePoint Online Management Shell, connect to your tenant's admin URL and run the following cmdlet (replace <tenant> with your tenant name):

Connect-SPOService -Url https://<tenant>-admin.sharepoint.com
Set-SPOTenant -EnableAzureADB2BIntegration $true

Going forward, an Azure AD B2B account will be automatically created for guests accessing SharePoint and OneDrive links. Users won’t have to reshare anything, unless a sharing link is used that was created by a user who no longer exists. By making this change not only will you be able to enforce Conditional Access policies on these guests, but they will also no longer require a Microsoft account. (read more about the integration here)

Making this change becomes especially important if you plan on excluding guests from the Conditional Access policies. Conditional Access can only target or exclude guests that exist as Azure AD B2B guest accounts; recipients who open SharePoint or OneDrive sharing links without such an account cannot be matched by any policy, so the tenant-wide setting we configure in the next step applies to them regardless. Enabling the integration ensures that guests are represented as B2B accounts and can be properly excluded.

Pre-Configure SharePoint Online

Follow these steps to pre-configure SharePoint Online (and with it OneDrive and Microsoft Teams files) to handle app-enforced restrictions from Conditional Access policies:

  1. Go to the SharePoint admin center and navigate to Policies > Access control.
  2. Click on the Unmanaged devices setting.
  3. Select the Allow limited, web-only access option.
  4. Click Save.

Optional: If you prefer doing this with PowerShell (outcome is the same), you can use below cmdlet and parameter.

Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

The result of making this change is that two Conditional Access policies are created, which we can find in the Microsoft Entra admin center.

  1. Go to Microsoft Entra Admin Center and navigate to Protect and Secure > Conditional Access
  2. Go to Policies and notice the newly created Conditional Access policies.
  3. Now we are going to click on both policies individually, and turn them Off for now. (we will come back to those later)

The reason for disabling the policies is to prevent them from affecting our users while we make changes to them first. Do not try to create the "Use app-enforced restrictions for browser access" policy manually without changing the setting in the SharePoint admin center, because the policy won't take effect: the session control only works when SharePoint itself has been told to apply limited access. Also, do not delete the two Conditional Access policies, or you'll have to recreate them by switching the setting off and on again in the SharePoint admin center.

In my opinion Microsoft is making these steps unnecessarily complex but for now we will have to deal with it.

Pre-Configure Exchange Online

Follow these steps to pre-configure Exchange Online to handle app-enforced restrictions from Conditional Access policies:

  1. Connect to the Exchange Online Management Shell.
  2. Use the following cmdlet to check whether the feature is already turned on (by default it is Off):
Get-OwaMailboxPolicy | Select-Object Name, ConditionalAccess*
  3. Use the following cmdlet to turn the feature on for the default policy (valid values are Off, ReadOnly and ReadOnlyPlusAttachmentsBlocked):
Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -ConditionalAccessPolicy ReadOnly
  4. Repeat step 2 to check that the feature has been enabled (it should say ReadOnly now). The setting is per OWA mailbox policy, so if your tenant has more than the default policy, repeat step 3 for every policy whose users should be in scope.
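Because the SharePoint Online and Exchange Online pre-configuration above lives in two different admin shells and is easy to get half right (for example only the default OWA mailbox policy set), here is an added example script (not from the original post) that connects to both, reports the state of every setting the Conditional Access policies depend on, and optionally remediates OWA mailbox policies that are still Off. It assumes the Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement modules are installed and uses 'contoso' as a placeholder tenant name.

```powershell
# Added example: verify (and optionally fix) the SharePoint Online and Exchange Online
# settings that app-enforced restrictions in Conditional Access depend on.
# Assumptions: both management modules installed; 'contoso' is a placeholder tenant name.
param(
    [string]$TenantName = 'contoso',   # placeholder: your tenant's short name
    [switch]$Remediate                 # set ReadOnly on every OWA mailbox policy that is Off
)

Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"
Connect-ExchangeOnline -ShowBanner:$false

# SharePoint Online / OneDrive: both settings are tenant-wide properties.
$spo   = Get-SPOTenant | Select-Object ConditionalAccessPolicy, EnableAzureADB2BIntegration
$spoOk = $spo.ConditionalAccessPolicy -eq 'AllowLimitedAccess'
$b2bOk = $spo.EnableAzureADB2BIntegration -eq $true

# Exchange Online: the setting is per OWA mailbox policy. A tenant with more than
# OwaMailboxPolicy-Default must have every policy set, or users assigned to the
# other policies keep full OWA access on unmanaged devices.
$owaPolicies = Get-OwaMailboxPolicy | Select-Object Name, ConditionalAccessPolicy
$owaMissing  = $owaPolicies | Where-Object { $_.ConditionalAccessPolicy -eq 'Off' }

if ($Remediate -and $owaMissing) {
    foreach ($p in $owaMissing) {
        Set-OwaMailboxPolicy -Identity $p.Name -ConditionalAccessPolicy ReadOnly
    }
    # Re-read instead of trusting the write succeeded.
    $owaPolicies = Get-OwaMailboxPolicy | Select-Object Name, ConditionalAccessPolicy
    $owaMissing  = $owaPolicies | Where-Object { $_.ConditionalAccessPolicy -eq 'Off' }
}

[pscustomobject]@{
    SPO_ConditionalAccessPolicy = $spo.ConditionalAccessPolicy
    SPO_AppEnforcedRestrictions = $spoOk
    SPO_AzureADB2BIntegration   = $b2bOk
    OWA_Policies                = ($owaPolicies |
        ForEach-Object { "$($_.Name)=$($_.ConditionalAccessPolicy)" }) -join '; '
    OWA_AllPoliciesConfigured   = (-not $owaMissing)
    ReadyForConditionalAccess   = ($spoOk -and (-not $owaMissing))
}

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-SPOService
```

Run it once without -Remediate to see the current state, and keep the output: it is the evidence that the prerequisites were in place on the day the Conditional Access policies were switched on.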

By turning the feature on we can now move on to configuring the Conditional Access Policies.

Configure Conditional Access Policies

First let me explain what these policies actually do before we configure them.

  • Block access from apps on unmanaged devices: This policy blocks desktop and mobile app access to Exchange Online and SharePoint Online for users working from unmanaged devices. Some examples of how this policy impacts the user experience:
    • Users can no longer synchronize OneDrive and/or SharePoint sites with the OneDrive client from unmanaged devices.
    • Users cannot sign in to Office apps like Word, Excel and PowerPoint from unmanaged devices.
  • Use app-enforced restrictions for browser access: This policy limits the way users can work with Exchange Online and SharePoint Online from a browser. Some examples of how this policy impacts the user experience:
    • Users are unable to download attachments, print or sync files from unmanaged devices.
    • Users working from unsupported browsers (see the earlier paragraph) on managed devices get the same limited access as users on unmanaged devices, because the browser cannot prove device compliance.
    • SharePoint sites with custom web parts or images won't display properly for users on unmanaged devices. I've even seen some cases of sites relying on certain web parts that would completely deny access to the user. However, there is a workaround: you can exempt the site assets library for a specific site by using the SPList API.

Now that you know what the policies do lets configure them by following these steps;

  1. Go to the Microsoft Entra admin center and navigate to Protect and Secure > Conditional Access.
  2. Go to Policies.
  3. Open the "[SharePoint admin center]Block access from apps on unmanaged devices" policy and, in another browser tab, open the "[SharePoint admin center]Use app-enforced restrictions for browser access" policy.
  4. Make changes to the Conditional Access policies as described in the tables below.

Please note that these are my recommendations, they may not fit your company precisely so add exclusions or make other necessary changes if that fits your company policies better.

[SharePoint admin center]Block access from apps on unmanaged devices

  • Name: Change the policy name to something that fits your company's naming convention.
  • Users: Select a group of users to test the policy on before you turn it on company-wide. Exclude any users that you don't want to be impacted, for example certain user groups or service accounts.
  • Cloud apps or actions: Add Exchange Online to the selected apps, so that both SharePoint Online and Exchange Online are selected.
  • Conditions: Mobile apps and desktop clients should stay selected. Exclude any device platforms and/or locations that you don't want to be impacted by this policy, for example iOS and Android if you aren't managing mobile phones with Microsoft Intune yet, or a specific IP address for users working with Microsoft Office from an RDS server.
  • Grant: You can leave both "Require Hybrid Azure AD joined device" and "Require device to be marked as compliant" selected, or choose either one of the two. For example, with only "Require device to be marked as compliant" selected, non-compliant managed devices get the same experience as unmanaged devices.
  • Session: (no changes)

[SharePoint admin center]Use app-enforced restrictions for browser access

  • Name: Change the policy name to something that fits your company's naming convention.
  • Users: Select a group of users to test the policy on before you turn it on company-wide. Exclude any users that you don't want to be impacted, and decide whether guests should be included.
  • Cloud apps or actions: Add Exchange Online to the selected apps, so that both SharePoint Online and Exchange Online are selected.
  • Conditions: (no changes)
  • Grant: (no changes)
  • Session: (no changes; the "Use app enforced restrictions" session control is what makes this policy work)

Now prepare to turn on the policies. I would strongly recommend testing the policies and scoping them to pilot users first before implementing them company-wide. This way you can make the necessary changes that fit your company.
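As an added example (not from the original post), the Microsoft Graph PowerShell script below makes the edits from the tables above on the two policies that the SharePoint admin center created: it adds Exchange Online next to SharePoint Online, scopes the policies to a pilot group, and puts them in report-only mode so the sign-in logs show what would have happened before anyone is blocked. It assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Groups modules are installed, that the policy names still start with the "[SharePoint admin center]" prefix shown in this post, that 'CA-Pilot-Users' is a placeholder group name, and that the two first-party application IDs match what your tenant shows under Enterprise applications.

```powershell
# Added example: edit the two SharePoint-created Conditional Access policies through
# Microsoft Graph and run them in report-only mode for a pilot group.
# Assumptions: Graph PowerShell SDK installed; default policy names; 'CA-Pilot-Users'
# is a placeholder group; app IDs verified against Enterprise applications.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All'

# First-party application IDs for the two workloads the policies must cover.
$ExchangeOnlineAppId   = '00000002-0000-0ff1-ce00-000000000000'   # Office 365 Exchange Online
$SharePointOnlineAppId = '00000003-0000-0ff1-ce00-000000000000'   # Office 365 SharePoint Online

$pilotGroup = Get-MgGroup -Filter "displayName eq 'CA-Pilot-Users'"
if (-not $pilotGroup) { throw "Pilot group not found; create it before scoping the policies." }

# Only touch the policies SharePoint created; never create the browser policy by hand.
$policies = @(Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.DisplayName.StartsWith('[SharePoint admin center]') })
if ($policies.Count -ne 2) {
    throw "Expected the two SharePoint-created policies, found $($policies.Count). Check the SharePoint admin center setting."
}

foreach ($policy in $policies) {
    # Keep whatever the policy already targets and add Exchange Online to it.
    $apps = @($policy.Conditions.Applications.IncludeApplications) +
            @($ExchangeOnlineAppId, $SharePointOnlineAppId) | Select-Object -Unique

    $body = @{
        conditions = @{
            applications = @{ includeApplications = $apps }
            # Graph replaces the nested 'users' object as a whole, so restate it fully:
            # pilot group in, the existing exclusions (break-glass / service accounts) kept.
            users = @{
                includeUsers  = @()
                includeGroups = @($pilotGroup.Id)
                excludeUsers  = @($policy.Conditions.Users.ExcludeUsers)
                excludeGroups = @($policy.Conditions.Users.ExcludeGroups)
            }
        }
        # Report-only: evaluated and logged in sign-in logs, but not enforced.
        state = 'enabledForReportingButNotEnforced'
    }

    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter $body
    Write-Host "Updated '$($policy.DisplayName)': apps=$($apps -join ','); state=report-only"
}
```

Grant and session controls are left untouched on purpose: the block policy keeps its device requirements and the browser policy keeps the "Use app enforced restrictions" session control. After the pilot period, review the report-only results in the sign-in logs, then change state to 'enabled' and widen the user scope.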

User Experience

To conclude this blog, let me give you some visual examples of what the user experiences are like on the web after implementing the “Use-app-enforced restrictions for browser access” Conditional Access policy.

OneDrive Web – No download, print or sync options

MS Teams Web – There is no download option anymore

Excel Web – No download, print or sync options

SharePoint Online – No download, print or sync options

Exchange Online – No downloading or printing attachments

Cannot Sign-in to the OneDrive Desktop Client

Cannot Sign-in to Microsoft Office Desktop apps (including MS Teams)


About the author

Myron Helgering:
