If you’ve read my earlier blog post, you know that Conditional Access can also enforce limited web-only access for unmanaged devices. However, if you don’t want these restrictions to apply to all corporate data and instead want to protect specific locations with sensitive or business-critical information, enforcing limited web-only access with Sensitivity Labels could be the solution. Identifying which locations to protect may be challenging, but Sensitivity Labels can help make these access controls more user-friendly and targeted.
This blog post covers the following sections:
In this blog post, I will guide you through the steps and share my experience on how to use Sensitivity Labels to configure limited web-only access for unmanaged devices.
Let’s start with some basic licensing requirements:
Most companies won’t have to worry about licensing as long as they have a Business Premium or M365 E3 subscription, as these subscriptions are sufficient to cover all the licensing requirements.
Then, to help you decide whether this approach is right for you, I would like to ask you the following questions:
I recommend reading my previous post if you have any concerns about the above. It includes more information on how to deal with these concerns and can provide you with a better understanding of how the app-enforced restrictions setting works.
To get started, make sure that you have enabled support for Sensitivity Labels specifically for containers. If you haven’t enabled this feature, you won’t be able to create Sensitivity Labels for your SharePoint Sites and Microsoft Teams. You can refer to my quick guide for a step-by-step process on how to enable this feature.
Let’s move on to the most important part of this post, which is configuring the Sensitivity Label. This label can be applied to specific SharePoint or team sites to enforce limited web-only access for unmanaged devices.
Follow these steps to configure the Sensitivity Label:
Optional: You can also create a sub-label if you already use sensitivity labels.
Optional: Enter a Description for admins or Label color.
Do not apply the Sensitivity Label to SharePoint sites yet; we need to do some additional configuration.
Before we proceed further, let’s verify the status of the tenant-wide SharePoint Online access control setting. Install the SharePoint Online Management Shell, connect to your tenant, and run the following cmdlet:
Get-SPOTenant | Select-Object -ExpandProperty ConditionalAccessPolicy
When AllowLimitedAccess or BlockAccess appears in the output, it means that the global setting for enforcing app restrictions with conditional access policies is configured to limit or block access to unmanaged devices.
On the other hand, if you see AllowFullAccess in the output, it means that our conditional access policies are not restricting access to SharePoint sites by default, unless we apply a Sensitivity Label to them. This is the expected output, unless the setting has been modified in the past.
Make sure that the global setting is set to be less restrictive than what you define in your Sensitivity Labels. Otherwise, the labels will not enforce more restrictive access controls.
To change the setting back to AllowFullAccess, use the following cmdlet:
Set-SPOTenant -ConditionalAccessPolicy AllowFullAccess
Let me first explain the function of the Conditional Access policy we’re about to set up. This policy applies to users who sign in to SharePoint Online, but the restrictions only take effect if all of the following conditions are met:
If the restrictions take effect, users cannot download attachments, print or sync files, or access files through desktop apps such as Microsoft Office.
Now that you know what the policy does, let’s configure it by following these steps:
| Setting | Configuration |
| --- | --- |
| Name | Give the policy a name that fits your company’s naming convention. |
| Users | Select a group of users to apply the policy to. |
| Cloud apps or actions | Select the SharePoint Online cloud app. |
| Conditions | Leave empty. |
| Grant | Leave empty. |
| Session | Select the Use app enforced restrictions setting. |
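The same policy can be created from the command line with the Microsoft Graph PowerShell SDK. The script below is an added example and not code from the original post: the group object id and the policy name are placeholders you must replace, and the application id is the well-known id of the Office 365 SharePoint Online enterprise application (confirm it against the SharePoint Online entry in your tenant before use). It creates the policy with only a session control, exactly as in the table above, and then reads it back to confirm the app-enforced restrictions control is on.

```powershell
# Added example (not from the original post): create the Conditional Access policy
# that turns on app-enforced restrictions for SharePoint Online via Microsoft Graph.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$targetGroupId   = "00000000-0000-0000-0000-000000000000"  # placeholder: object id of the user group
$sharePointAppId = "00000003-0000-0ff1-ce00-000000000000"  # well-known app id of Office 365 SharePoint Online

$policy = @{
    displayName = "CA-SPO-AppEnforcedRestrictions"   # use your own naming convention
    # The post notes the policy is safe to enable because nothing is restricted until
    # sites are labelled; use "enabledForReportingButNotEnforced" to review sign-ins first.
    state       = "enabled"
    conditions  = @{
        users          = @{ includeGroups = @($targetGroupId) }
        applications   = @{ includeApplications = @($sharePointAppId) }
        clientAppTypes = @("all")
    }
    # No grant controls: access is granted and SharePoint applies its own restrictions.
    sessionControls = @{
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Verify the result rather than assuming it: the session control must be enabled.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if (-not $check.SessionControls.ApplicationEnforcedRestrictions.IsEnabled) {
    throw "Policy '$($check.DisplayName)' was created without app-enforced restrictions."
}
```

Scoping the policy to a group rather than all users matches the table above and keeps a misconfiguration from locking the whole tenant into web-only access.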
You can safely turn on the policy now, because the app-enforced restrictions will only take effect once we apply Sensitivity Labels to SharePoint sites or Microsoft Teams teams.
Next, we will create a Sensitivity Label policy; this way, we can decide who can label sites or teams.
Optional: If you already have existing label policies, you can add your newly created label to one.
Note: If it’s part of your governance strategy to let users create sites and teams themselves, you may need to push these labels to all (or most) users. If only admins or key users are allowed to create sites and teams, then you can publish them to a specific group.
Optional: If you want, you can set the newly created label as the default label or require users to apply a label to their groups or sites. These options are better used when dealing with multiple labels under a label policy, so I wouldn’t recommend using these if your goal is to label the sites yourself.
Optional: Enter a Description for your policy.
Now that the policy has been created, users can apply labels when creating a site or team. Please note that it can take up to 24 hours for labels to show up, so you must be patient.
If you, as an admin, want to label existing teams or sites, you must have one of the following roles or permissions assigned:
Follow these steps to apply the label by using the SharePoint Admin Center.
We can also use PowerShell to apply labels to multiple sites at once, which can be more efficient than applying labels to sites individually.
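As an added example that is not code from the original post, the script below ties together the tenant-wide check from earlier in the post and the bulk labelling described here, using the SharePoint Online Management Shell. The admin URL, the site URLs and the label GUID are placeholders: the GUID is the label ID shown for your label in the Purview compliance portal. The script refuses to continue if the global ConditionalAccessPolicy setting is not AllowFullAccess, since a more restrictive global setting would make the label pointless, and it reads each site back after labelling so the outcome is verified rather than assumed.

```powershell
# Added example (not from the original post): check the tenant-wide setting, then apply
# one sensitivity label to several SharePoint sites and verify the result.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder admin centre URL

$labelId = "11111111-1111-1111-1111-111111111111"                 # placeholder: label GUID from Purview
$sites   = @(                                                     # placeholder: sites holding sensitive data
    "https://contoso.sharepoint.com/sites/Finance",
    "https://contoso.sharepoint.com/sites/Legal"
)

# 1. The global setting must be less restrictive than the label (the post's requirement),
#    otherwise the label cannot tighten access. Stop if it was changed in the past.
$global = Get-SPOTenant | Select-Object -ExpandProperty ConditionalAccessPolicy
if ($global -ne "AllowFullAccess") {
    throw "Tenant-wide ConditionalAccessPolicy is '$global'; expected AllowFullAccess before labelling sites."
}

# 2. Apply the label per site and read it back; a failure on one site must not abort the rest.
$results = foreach ($url in $sites) {
    try {
        Set-SPOSite -Identity $url -SensitivityLabel $labelId -ErrorAction Stop
        $applied = (Get-SPOSite -Identity $url).SensitivityLabel
        $status  = "MISMATCH"
        if ("$applied" -eq $labelId) { $status = "OK" }
        [pscustomobject]@{ Site = $url; Label = $applied; Status = $status }
    }
    catch {
        [pscustomobject]@{ Site = $url; Label = $null; Status = "FAILED: $($_.Exception.Message)" }
    }
}

$results | Format-Table -AutoSize

# Surface any site that did not end up with the expected label.
$problems = $results | Where-Object { $_.Status -ne "OK" }
if ($problems) {
    Write-Warning "$($problems.Count) site(s) were not labelled as expected; review the table above."
}
```

Keep the list of site URLs in version control or a ticket so there is a record of which locations were placed under web-only access and when.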
If a user is included in the sensitivity label policy, they can now label sites and teams. If users cannot create sites or teams, check whether the creation of sites or teams is enabled for them.
When creating a new team in Microsoft Teams, the user has the option to select the Sensitivity Label for the team.
When creating a new site in SharePoint Online, the user has the option to select the Sensitivity Label for the site.
If we look at the team site after applying the label, we will notice a yellow bar at the top of the page indicating that our site is now protected, and users cannot download, print, or sync using unmanaged devices.
Users attempting to access the content from a desktop app, such as MS Word, on an unmanaged device will be unable to access these resources.
To wrap up this post, consider using Sensitivity Labels to enforce limited web-only access, but only if your organization is ready. Your users or admins will have to label previously and newly created sites and teams.
Also, you should know that this method only covers SharePoint data, not OneDrive and Exchange Online data. You should use session policies to bridge this gap.
This post is part of the unmanaged devices blog series. Previous part: Limited access with conditional access for unmanaged devices. Next part: Limited access with session policies for unmanaged devices.