Step-by-step guide & scenarios to limit access to Teams (SharePoint, Exchange, etc.) from an unmanaged device.
There are already some general articles on this topic on the internet. This article is a concrete step-by-step guide to implement the following example:
- Access to Teams should only be possible via the browser. This has the advantage that no local log files etc. are written and no data ends up in a local device backup. This is especially important for mobile devices (iOS, Android), as these backups may be stored in further cloud services.
- Downloading files should not be possible, but accessing and editing them in the browser shall be possible (limited access).
- Downloading, accessing and editing files should not be possible (block access).
Services involved in this example:
- App Restriction (SharePoint & EXO Admin Center)
- Azure AD Conditional Access
The method described here cannot be used to give selected users a different option. The reason is that the Conditional Access policy's Session control refers to the App Restriction settings in the respective Exchange and SharePoint admin centers, and those settings are global for the whole tenant. For more granular settings, PowerShell can be used to apply the App Restriction only to selected SharePoint sites.
Example: Set-SPOSite -Identity https://<SharePoint online URL>/sites/<name of site or OneDrive account> -ConditionalAccessPolicy AllowLimitedAccess
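The following PowerShell is an added example, not part of the original article, showing how the per-site scoping from the line above can be applied to a list of sites, switched between the two scenarios of this guide (limited access vs. block access), and verified afterwards. It assumes the SharePoint Online Management Shell is installed, that you hold the SharePoint administrator role, and uses the placeholder tenant name "contoso" and placeholder site names.

```powershell
# Added example (not from the original article).
# Assumptions: SharePoint Online Management Shell module installed,
# SharePoint admin role, placeholder tenant "contoso" and placeholder site URLs.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Scenario "limited access": files open/edit in the browser, no download
$limitedSites = @(
    "https://contoso.sharepoint.com/sites/ProjectX",
    "https://contoso.sharepoint.com/sites/Finance"
)

# Scenario "block access": no access at all from unmanaged devices
$blockedSites = @(
    "https://contoso.sharepoint.com/sites/BoardRoom"
)

foreach ($url in $limitedSites) {
    # Same cmdlet as in the article; the value AllowLimitedAccess maps to
    # "Allow limited, web only access" in the SharePoint admin center
    Set-SPOSite -Identity $url -ConditionalAccessPolicy AllowLimitedAccess
}

foreach ($url in $blockedSites) {
    # BlockAccess maps to "Block access" in the SharePoint admin center
    Set-SPOSite -Identity $url -ConditionalAccessPolicy BlockAccess
}

# Verification / drift check: read back the effective value per site.
# Get-SPOSite -Identity returns the full property set, so
# ConditionalAccessPolicy is populated here.
$report = foreach ($url in ($limitedSites + $blockedSites)) {
    Get-SPOSite -Identity $url | Select-Object Url, ConditionalAccessPolicy
}
$report | Format-Table -AutoSize

# Any site that should be restricted but reports AllowFullAccess is a finding
$drift = $report | Where-Object { $_.ConditionalAccessPolicy -eq "AllowFullAccess" }
if ($drift) {
    Write-Warning "Sites without an app-enforced restriction:"
    $drift | Format-Table -AutoSize
}
```

The per-site value only decides what the restriction does on that site; the Conditional Access policy with the "Use app enforced restrictions" session control described later in this guide must still exist, otherwise SharePoint receives no signal to enforce anything. Run the verification part on its own after any change and after the waiting time mentioned in the Tips & Tricks section.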
Alternative methods for more selective settings, related to specific users, selected Teams, or scenarios such as "access from the corporate network", are:
- Conditional Access App Control, as described here: Use app enforced restrictions vs. Use Conditional Access App Control
- Authentication Context, as described here: Azure AD Conditional Access | Authentication Context
Step by step guide on the example
SharePoint admin center -> Access control -> Unmanaged devices -> Allow limited, web only access:
This auto-generates a Conditional Access policy:
Settings in the Conditional Access Policy:
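As an added example that is not part of the original article, the same Conditional Access policy can be created by hand with Microsoft Graph PowerShell, which is useful for lab tenants or for keeping the policy under version control. The policy is created in report-only mode first so its effect can be checked in the sign-in logs before enforcement. Assumptions: the Microsoft.Graph PowerShell module is installed, the signed-in account can consent to Policy.ReadWrite.ConditionalAccess, the target is the "Office 365" cloud app group, and the group object ID for an emergency-access exclusion is a placeholder you replace.

```powershell
# Added example (not from the original article).
# Assumptions: Microsoft.Graph module, permission to create Conditional Access
# policies, placeholder group ID for the emergency-access (break-glass) accounts.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassGroupId = "<object id of your emergency-access group>"  # placeholder

$policy = @{
    displayName = "App enforced restrictions for unmanaged devices (lab)"
    # Report-only first: sign-in logs show what WOULD happen, nothing is enforced yet
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            # "Office365" is the built-in Office 365 app group (includes SharePoint,
            # Exchange Online and Teams)
            includeApplications = @("Office365")
        }
        # Browser and rich clients must both be in scope; SharePoint itself
        # decides whether the device is managed from the device claims
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    sessionControls = @{
        # This is the "Use app enforced restrictions" session control that
        # hands enforcement to the SharePoint / Exchange app restriction setting
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Read it back to confirm the session control was stored as expected
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$check.SessionControls.ApplicationEnforcedRestrictions.IsEnabled
```

Once the report-only results look right, change `state` to `"enabled"` with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }`. Compare the result with the auto-generated policy shown in the screenshot of the original guide; the Graph property names map one-to-one to the portal fields.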
User experience in Teams on unmanaged device -> no download available:
User experience in SharePoint on unmanaged device -> no download available:
User can open and edit documents in Teams Web-client:
The document cannot be opened in the Office client:
Switching the App Restriction to block access:
The Conditional Access policy stays as it is, but the user experience changes:
(Teams chat is still available)
Tips & Tricks
- It can take several minutes for a Conditional Access policy, or a change to one, to take effect.
- For tests in which policies are changed: always log off, close the browser / clear the browser cache, wait several minutes, and then log in again.